Martin Kosek wrote:
How to test:

1) Add some nested membership relationships:
$ ipa group-add --desc=foo group1
$ ipa group-add --desc=foo group2
$ ipa user-add --first=Foo --last=Bar foobar

$ ipa role-add-member helpdesk --groups=group2
$ ipa group-add-member group2 --groups=group1
$ ipa group-add-member group1 --users=foobar

2) Start receiving all SCOPE_SUBTREE (scope=2) searches in LDAP:
# tail -f /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/access | grep SRCH | grep 
"scope=2" | grep -v krbprincipalaux

3) Do some -show commands to see the unnecessary SCOPE_SUBTREE (scope=2)
searches we do to get memberships:

$ ipa role-show helpdesk --all --raw
$ ipa user-show foobar --all --raw


ACK, pushed to master and ipa-2-1


Freeipa-devel mailing list

Reply via email to