On 12/20/2010 11:20 AM, Jan Zelený wrote:
Pavel Zuna<[email protected]> wrote:
On 12/08/2010 08:30 PM, Rob Crittenden wrote:
Pavel Zůna wrote:
On 2010-11-30 04:06, Rob Crittenden wrote:
Pavel Zůna wrote:
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.
Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup
Example:
ipa group-find --no-users=admin
Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.
Ticket #288
Pavel
This works as advertised but I wonder what would happen if a huge list
of members was passed in to ignore. Is there a limit on the search
filter size (remember that the member will be translated into a full dn
so will quickly grow in size).
Should we impose a configurable limit on the # of members to be
excluded?
Is there a max search filter size and should we check that we haven't
exceeded that before doing a search?
rob
I tried it out with more than a 1000 users and was getting an unwilling
to perform error (search filter nested too deep).
After a little bit of investigation, I figured the filter was being
generated like this:
(&(&(!(a=v))(!(a2=v2))))
We were going deeper with each additional DN!
I updated the patch to generate the filter like this instead:
(!(|(a=v)(a2=v2)))
Tried it again with more than 1000 users (~55Kb) - it worked and wasn't
even slow.
Updated patch attached.
I also had to fix a bug in ldap2 filter generator, as a result this
patch depends on my patch number 43.
Pavel
You'll need to rebase this against master but otherwise ACK.
It might be a small optimization to de-dupe the no-users list but it
isn't a priority.
rob
Re-based patch attached.
Pavel
This hasn't been already pushed and the patch still applies against master.
Can someone push it so the ticket can be closed?
Jan
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
ACK, pushed to master
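The two filter shapes discussed in this thread, compared by nesting depth, as an added Python example that is not part of the original messages and is not FreeIPA's ldap2 code. The function names, the left-nested form used for the first approach (one assumed way depth can grow per DN), and the sample DNs are all assumptions made for illustration.

```python
# Added illustration, not FreeIPA's ldap2 filter generator.

def escape_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return ''.join(
        '\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value
    )

def term(attr, value):
    return '(%s=%s)' % (attr, escape_value(value))

def exclude_nested(attr, values):
    """Assumed shape of the first approach: every excluded value wraps
    the filter built so far in one more '&', so depth grows with the list."""
    flt = ''
    for v in values:
        flt = '(&%s(!%s))' % (flt, term(attr, v))
    return flt

def exclude_flat(attr, values):
    """Shape from the updated patch: a single NOT over a single OR.
    Duplicates are dropped first, keeping the original order."""
    unique = list(dict.fromkeys(values))
    if not unique:
        return ''
    return '(!(|%s))' % ''.join(term(attr, v) for v in unique)

def depth(flt):
    """Maximum parenthesis nesting depth. Literal parentheses inside values
    are already escaped to \\28 and \\29, so counting characters is safe."""
    cur = deepest = 0
    for ch in flt:
        if ch == '(':
            cur += 1
            deepest = max(deepest, cur)
        elif ch == ')':
            cur -= 1
    return deepest

if __name__ == '__main__':
    # Constructed sample DNs, not taken from any real directory.
    members = ['uid=user%d,cn=users,cn=accounts,dc=example,dc=com' % i
               for i in range(1000)]
    print('nested depth:', depth(exclude_nested('member', members)))
    print('flat depth:  ', depth(exclude_flat('member', members)))
    print('flat size:   ', len(exclude_flat('member', members)), 'bytes')
```

The flat form stays at depth 3 regardless of how many members are excluded, so only the overall filter size remains as a limit to check.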