Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

Pavel Zůna Tue, 30 Nov 2010 14:28:32 -0800

On 2010-11-30 04:06, Rob Crittenden wrote:

Pavel Zůna wrote:

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.


Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup

Example:
ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.

Ticket #288

Pavel


This works as advertised but I wonder what would happen if a huge list
of members was passed in to ignore. Is there a limit on the search
filter size (remember that the member will be translated into a full dn
so will quickly grow in size).

Should we impose a cofigurable limit on the # of members to be excluded?

Is there a max search filter size and should we check that we haven't
exceeded that before doing a search?

rob

I tried it out with more than a 1000 users and was getting an unwillingto perform error (search filter nested too deep).

After a little bit of investigation, I figured the filter was beinggenerated like this:


(&(&(!(a=v))(!(a2=v2))))

We were going deeper with each additional DN!

I updated the patch to generate the filter like this instead:

(!(|(a=v)(a2=v2)))

Tried it again with more than 1000 users (~55Kb) - it worked and wasn'teven slow.


Updated patch attached.

I also had to fix a bug in ldap2 filter generator, as a result thispatch depends on my patch number 43.


Pavel

>From b8c6fa683715d0221b1be33dde6b8065283125d3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna <pz...@redhat.com>
Date: Mon, 29 Nov 2010 06:44:09 -0500
Subject: [PATCH 2/2] Enable filtering search results by member attributes.

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Example:
ipa group-find --no-users=admin

Only direct members are taken into account.

Ticket #288
---
 ipalib/plugins/baseldap.py  |   34 +++++++++++++++++++++++++++++++++-
 ipalib/plugins/group.py     |    2 ++
 ipalib/plugins/hostgroup.py |    2 +-
 ipalib/plugins/netgroup.py  |    1 +
 ipalib/plugins/rolegroup.py |    2 +-
 ipalib/plugins/taskgroup.py |    2 +-
 6 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index a67b84d..ea5454b 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1091,6 +1091,9 @@ class LDAPSearch(CallbackInterface, crud.Search):
     """
     Retrieve all LDAP entries matching the given criteria.
     """
+    member_attributes = []
+    member_param_doc = 'exclude %s with member %s (comma-separated list)'
+
     takes_options = (
         Int('timelimit?',
             label=_('Time Limit'),
@@ -1118,6 +1121,33 @@ class LDAPSearch(CallbackInterface, crud.Search):
     def get_options(self):
         for option in super(LDAPSearch, self).get_options():
             yield option
+        for attr in self.member_attributes:
+            for ldap_obj_name in self.obj.attribute_members[attr]:
+                ldap_obj = self.api.Object[ldap_obj_name]
+                name = to_cli(ldap_obj_name)
+                doc = self.member_param_doc % (
+                    self.obj.object_name_plural, ldap_obj.object_name_plural
+                )
+                yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc,
+                           label=ldap_obj.object_name)
+
+    def get_member_filter(self, ldap, **options):
+        filter = ''
+        for attr in self.member_attributes:
+            for ldap_obj_name in self.obj.attribute_members[attr]:
+                param_name = 'no_%s' % to_cli(ldap_obj_name)
+                if param_name in options:
+                    dns = []
+                    ldap_obj = self.api.Object[ldap_obj_name]
+                    for pkey in options[param_name]:
+                        dns.append(ldap_obj.get_dn(pkey))
+                    flt = ldap.make_filter_from_attr(
+                        attr, dns, ldap.MATCH_NONE
+                    )
+                    filter = ldap.combine_filters(
+                        (filter, flt), ldap.MATCH_ALL
+                    )
+        return filter
 
     has_output_params = global_output_params
 
@@ -1159,8 +1189,10 @@ class LDAPSearch(CallbackInterface, crud.Search):
             search_kw[a] = term
         term_filter = ldap.make_filter(search_kw, exact=False)
 
+        member_filter = self.get_member_filter(ldap, **options)
+
         filter = ldap.combine_filters(
-            (term_filter, attr_filter), rules=ldap.MATCH_ALL
+            (term_filter, attr_filter, member_filter), rules=ldap.MATCH_ALL
         )
 
         scope = ldap.SCOPE_ONELEVEL
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index f26792a..1ffd795 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -212,6 +212,8 @@ class group_find(LDAPSearch):
     """
     Search for groups.
     """
+    member_attributes = ['member']
+
     msg_summary = ngettext(
         '%(count)d group matched', '%(count)d groups matched', 0
     )
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 51d0583..2c2f1c7 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -123,7 +123,7 @@ class hostgroup_find(LDAPSearch):
     """
     Search for hostgroups.
     """
-
+    member_attributes = ['member']
     msg_summary = ngettext(
         '%(count)d hostgroup matched', '%(count)d hostgroups matched'
     )
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index e79aca2..a000c41 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -171,6 +171,7 @@ class netgroup_find(LDAPSearch):
     """
     Search for a netgroup.
     """
+    member_attributes = ['member', 'memberuser', 'memberhost']
     has_output_params = LDAPSearch.has_output_params + output_params
     msg_summary = ngettext(
         '%(count)d netgroup matched', '%(count)d netgroups matched'
diff --git a/ipalib/plugins/rolegroup.py b/ipalib/plugins/rolegroup.py
index e0b6fbc..af2fa6a 100644
--- a/ipalib/plugins/rolegroup.py
+++ b/ipalib/plugins/rolegroup.py
@@ -133,7 +133,7 @@ class rolegroup_find(LDAPSearch):
     """
     Search for rolegroups.
     """
-
+    member_attributes = ['member']
     msg_summary = ngettext(
         '%(count)d rolegroup matched', '%(count)d rolegroups matched'
     )
diff --git a/ipalib/plugins/taskgroup.py b/ipalib/plugins/taskgroup.py
index ba3f507..74d4c85 100644
--- a/ipalib/plugins/taskgroup.py
+++ b/ipalib/plugins/taskgroup.py
@@ -104,7 +104,7 @@ class taskgroup_find(LDAPSearch):
     """
     Search for taskgroups.
     """
-
+    member_attributes = ['member']
     msg_summary = ngettext(
         '%(count)d taskgroup matched', '%(count)d taskgroups matched'
     )
-- 
1.7.1.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

Reply via email to