How to test:

1) Add some nested membership relationships:
$ ipa group-add --desc=foo group1
$ ipa group-add --desc=foo group2
$ ipa user-add --first=Foo --last=Bar foobar
$ ipa role-add-member helpdesk --groups=group2
$ ipa group-add-member group2 --groups=group1
$ ipa group-add-member group1 --users=foobar

2) Start receiving all SCOPE_SUBTREE (scope=2) searches in LDAP:
# tail -f /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/access | grep SRCH | grep "scope=2" | grep -v krbprincipalaux

3) Do some -show commands to see the unnecessary SCOPE_SUBTREE (scope=2) searches we do to get memberships:
$ ipa role-show helpdesk --all --raw
$ ipa user-show foobar --all --raw
etc.

Martin
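The check from step 2, turned into a before/after tally, as an added example that is not part of the original message or of FreeIPA. The function names, the dc=example,dc=com suffix and the log lines are assumptions constructed for illustration in the directory server's access-log layout.

```shell
#!/bin/sh
# Added example: tally SRCH operations in a directory server access log.

# Constructed sample lines (not captured from a real server).
sample_log() {
cat <<'EOF'
[12/Oct/2011:09:40:01 +0200] conn=7 op=3 SRCH base="cn=helpdesk,cn=roles,cn=accounts,dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="member"
[12/Oct/2011:09:40:01 +0200] conn=7 op=4 SRCH base="cn=group2,cn=groups,cn=accounts,dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="member"
[12/Oct/2011:09:40:01 +0200] conn=7 op=5 SRCH base="cn=group1,cn=groups,cn=accounts,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="member"
[12/Oct/2011:09:40:02 +0200] conn=8 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=krbprincipalaux)(krbPrincipalName=admin@EXAMPLE.COM))" attrs=ALL
[12/Oct/2011:09:40:02 +0200] conn=7 op=5 RESULT err=0 tag=101 nentries=1 etime=0
EOF
}

# count_searches SCOPE: read an access log on stdin and print how many SRCH
# lines used that scope, skipping krbprincipalaux lookups as step 2 does.
count_searches() {
    awk -v s="$1" '
        / SRCH / && !/krbprincipalaux/ && index($0, " scope=" s " ") { n++ }
        END { print n + 0 }'
}

# subtree_bases: list every base DN searched with scope=2 and how often,
# most frequent first, so the remaining subtree searches can be traced.
subtree_bases() {
    awk '
        / SRCH / && / scope=2 / && !/krbprincipalaux/ {
            # base="..." : skip the 6-character prefix and the closing quote
            if (match($0, /base="[^"]*"/))
                count[substr($0, RSTART + 6, RLENGTH - 7)]++
        }
        END { for (b in count) print count[b], b }' | sort -k1,1nr -k2
}

# Demo on the constructed sample: subtree count, base-scope count, breakdown.
sample_log | count_searches 2
sample_log | count_searches 0
sample_log | subtree_bases
```

Feed the real access log on stdin instead of sample_log, once before and once after applying the patch, and compare the scope=2 and scope=0 counts for the same -show commands.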
>From d57d915a8ab979961c44dbf4fba7f23063987c15 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Wed, 12 Oct 2011 09:36:24 +0200 Subject: [PATCH] Optimize member/memberof searches in LDAP When investigating if member/memberof attribute is direct/indirect we do a lot of LDAP SCOPE_SUBTREE searches when we actually search just for one item. Make sure we search only with SCOPE_BASE to improve the performance. One not so efficient iteration was also changed to list comprehension to speed things up a tiny bit. https://fedorahosted.org/freeipa/ticket/1885 --- ipaserver/plugins/ldap2.py | 9 ++++----- 1 files changed, 4 insertions(+), 5 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 382cc5760be09ba1633e258342a73adb931f70d4..6eeab56a836b6755889198bfc8041645629f45da 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -1001,7 +1001,8 @@ class ldap2(CrudBackend, Encoder): try: (result, truncated) = self.find_entries(searchfilter, attr_list, member, time_limit=time_limit, - size_limit=size_limit, normalize=normalize) + size_limit=size_limit, scope=_ldap.SCOPE_BASE, + normalize=normalize) results.append(list(result[0])) for m in result[0][1].get('member', []): # This member may contain other members, add it to our @@ -1066,18 +1067,16 @@ class ldap2(CrudBackend, Encoder): try: (result, truncated) = self.find_entries(searchfilter, attr_list, group, time_limit=time_limit,size_limit=size_limit, - normalize=normalize) + scope=_ldap.SCOPE_BASE, normalize=normalize) results.extend(list(result)) except errors.NotFound: pass direct = [] - indirect = [] # If there is an exception here, it is likely due to a failure in # referential integrity. All members should have corresponding # memberOf entries. - for m in memberof: - indirect.append(m.lower()) + indirect = [ m.lower() for m in memberof ] for r in results: direct.append(r[0]) try: -- 1.7.6.4
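Review bot: In the first hunk (@@ -1001,7), `results.append(list(result[0]))` indexes the result directly, and with `scope=_ldap.SCOPE_BASE` the search can only return the entry at `member` itself, so a `member` DN that no longer exists or a `searchfilter` that does not match that entry leaves nothing to index. The `try:` is visible but its handler lies outside the context lines; please confirm it covers that case the way the second hunk does with `except errors.NotFound: pass`. A one-line comment above the call stating that `searchfilter` is expected to match the base entry would make the scope change self-explanatory, and `size_limit` no longer limits anything here since a base search returns at most one entry.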
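Review bot: In the second hunk (@@ -1066,18), the comment "If there is an exception here, it is likely due to a failure in referential integrity" now sits directly above `indirect = [ m.lower() for m in memberof ]` and reads as if it described the comprehension, while the `try:` it refers to is further down inside `for r in results:`. Please move the comment next to that `try:`. Two style points on the touched lines: drop the padding inside the brackets (`[m.lower() for m in memberof]`), and since the `find_entries` call is being edited anyway, add the missing space in `time_limit=time_limit,size_limit=size_limit`.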