Pavel Zůna wrote:
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup

Example:
ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.

Ticket #288

Pavel

This works as advertised but I wonder what would happen if a huge list of members was passed in to ignore. Is there a limit on the search filter size (remember that the member will be translated into a full dn so will quickly grow in size).

Should we impose a cofigurable limit on the # of members to be excluded?

Is there a max search filter size and should we check that we haven't exceeded that before doing a search?

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to