On 12/20/2010 11:20 AM, Jan Zelený wrote:
Pavel Zuna<pz...@redhat.com>  wrote:
On 12/08/2010 08:30 PM, Rob Crittenden wrote:
Pavel Zůna wrote:
On 2010-11-30 04:06, Rob Crittenden wrote:
Pavel Zůna wrote:
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup

ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.

Ticket #288

This works as advertised but I wonder what would happen if a huge list
of members was passed in to ignore. Is there a limit on the search
filter size (remember that the member will be translated into a full dn
so will quickly grow in size).

Should we impose a configurable limit on the # of members to be

Is there a max search filter size and should we check that we haven't
exceeded that before doing a search?

I tried it out with more than 1000 users and was getting an unwilling
to perform error (search filter nested too deep).

After a little bit of investigation, I figured the filter was being
generated like this:


We were going deeper with each additional DN!

I updated the patch to generate the filter like this instead:


Tried it again with more than 1000 users (~55Kb) - it worked and wasn't
even slow.

Updated patch attached.

I also had to fix a bug in ldap2 filter generator, as a result this
patch depends on my patch number 43.

You'll need to rebase this against master but otherwise ACK.

It might be a small optimization to de-dupe the no-users list but it
isn't a priority.

Re-based patch attached.


This hasn't been pushed yet and the patch still applies against master.
Can someone push it so the ticket can be closed?


Freeipa-devel mailing list

ACK, pushed to master
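The nesting problem discussed in the thread, as an added example that is not FreeIPA code and not the patch under review: the thread's own filters are not reproduced above, so the "nested" builder below is a constructed illustration of the shape that gains one nesting level per excluded DN, and the "flat" builder is the constructed shape with constant depth. It assumes the caller has already translated member names into full DNs, escapes the caller-supplied values per RFC 4515 so that a value like `admin)(cn=*` cannot alter the filter, de-duplicates the list as suggested in the review, and measures nesting depth so the difference can be checked on a large input. The base filter `(objectclass=groupofnames)` and the sample DNs are constructed.

```python
# Added example, not FreeIPA code: flat vs. nested LDAP exclusion filters.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a caller-supplied member name containing '(' or '*'
    would change the meaning of the generated filter."""
    out = []
    for ch in value:
        if ch in '*()\\' or ch == '\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def nested_exclusion_filter(attr, dns):
    """Constructed 'bad' shape: every additional DN wraps the filter built
    so far in a new conjunction, so depth grows with the number of DNs."""
    result = None
    for dn in dns:
        term = '(!(%s=%s))' % (attr, escape_filter_value(dn))
        result = term if result is None else '(&%s%s)' % (term, result)
    return result


def flat_exclusion_filter(base, attr, dns):
    """Constructed 'good' shape: one conjunction of the base filter and a
    negated equality term per DN. Depth is constant (3) however many DNs
    are excluded; duplicates are dropped while preserving order."""
    seen = set()
    terms = []
    for dn in dns:
        if dn in seen:
            continue
        seen.add(dn)
        terms.append('(!(%s=%s))' % (attr, escape_filter_value(dn)))
    if not terms:
        return base
    return '(&%s%s)' % (base, ''.join(terms))


def filter_depth(ldap_filter):
    """Maximum parenthesis nesting depth of a filter string.
    Escaped parens inside values are '\\28' / '\\29' and are not counted."""
    depth = current = 0
    for ch in ldap_filter:
        if ch == '(':
            current += 1
            depth = max(depth, current)
        elif ch == ')':
            current -= 1
    return depth


if __name__ == '__main__':
    # Constructed sample: a thousand user DNs, as in the thread's test.
    sample_dns = ['uid=user%d,cn=users,dc=example,dc=com' % i for i in range(1000)]
    print('nested depth:', filter_depth(nested_exclusion_filter('member', sample_dns)))
    print('flat depth:  ', filter_depth(flat_exclusion_filter(
        '(objectclass=groupofnames)', 'member', sample_dns)))
```

With a thousand DNs the nested builder produces a filter 1001 levels deep, which is the kind of input a directory server rejects as "nested too deep", while the flat builder stays at depth 3 regardless of list length; the remaining practical limit is then the total filter byte size, which is why checking the number of excluded members before searching is still worthwhile.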
