Pavel Zůna wrote:
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup

ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.

Ticket #288


This works as advertised but I wonder what would happen if a huge list of members was passed in to ignore. Is there a limit on the search filter size (remember that the member will be translated into a full dn so will quickly grow in size).

Should we impose a cofigurable limit on the # of members to be excluded?

Is there a max search filter size and should we check that we haven't exceeded that before doing a search?


Freeipa-devel mailing list

Reply via email to