These 2 patches significantly limit the number of unindexed LDAP searches we do in IPA. I used our unit test suite as a good source of different LDAP searches run by our command suite.
Most of the remaining unindexed searches are produced either by our general term search ("ipa service-find TERM"), which hits every object parameter, or by DNS commands (idnsname is not indexed yet). I am thinking about indexing idnsName as well...

Martin
From 96506ba2fbe2445def86faef466b8b90b83da35f Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Tue, 25 Sep 2012 17:16:20 +0200 Subject: [PATCH 1/2] Index ipakrbprincipalalias and ipaautomountkey attributes An unindexed search for ipakrbprincipalalias is fired for every ipa command (and other authentication events) which would degrade IPA server performance if not indexed. ipaautomountkey unindexed searches are hit when new key entries are being added. Add both indexes to new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/3020 --- install/share/indices.ldif | 16 ++++++++++++++++ install/updates/20-indices.update | 14 ++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/install/share/indices.ldif b/install/share/indices.ldif index 59936585cd63ec264a80d90792e1b49307da7bfa..1e1a5e9c790eb967b32bd712be0a881c480151c6 100644 --- a/install/share/indices.ldif +++ b/install/share/indices.ldif @@ -192,3 +192,19 @@ ObjectClass: nsIndex nsSystemIndex: false nsIndexType: eq nsIndexType: pres + +dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +cn: automountkey +ObjectClass: top +ObjectClass: nsIndex +nsSystemIndex: false +nsIndexType: eq + +dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +cn: ipakrbprincipalalias +ObjectClass: top +ObjectClass: nsIndex +nsSystemIndex: false +nsIndexType: eq diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update index 80ac66c8a17dc59de39746385b551e0c3f9af886..323fb9cc8fa97be5b88666bcee176c43129e0411 100644 --- a/install/updates/20-indices.update +++ b/install/updates/20-indices.update 
@@ -116,3 +116,17 @@ default:ObjectClass: nsIndex default:nsSystemIndex: false default:nsIndexType: eq default:nsIndexType: pres + +dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: automountkey +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +default:nsIndexType: eq + +dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ipakrbprincipalalias +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +default:nsIndexType: eq -- 1.7.11.4
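Review bot: The commit message names ipaautomountkey, but both index entries added here (in install/share/indices.ldif and in install/updates/20-indices.update) are created as "cn=automountkey,cn=index,..." with "cn: automountkey". Please make the two agree: either correct the subject and message to say automountkey, or rename the index entries if ipaautomountkey really is the attribute being searched. Both new entries also carry only "nsIndexType: eq", while the preceding entry visible in the context has eq and pres; a line in the message confirming that the searches being fixed are equality matches only would settle that.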
From 7b4c5d0d5e9032ce466f4df1498ac916df609c71 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Tue, 25 Sep 2012 17:19:44 +0200 Subject: [PATCH 2/2] Do not produce unindexed search on every DEL command Every <plugin>-del command executes an "(objectclass=*)" search to find out if a deleted node has any child nodes which would need to be deleted first. This produces an unindexed search for every del command which biases access log audits and may affect performance too. Since most of the *-del commands delete just a single object (user, group, RBAC objects, SUDO or HBAC objects, ...) and not a tree (automount location, dns zone, ...) run a single entry delete first and only revert to subtree search&delete when that fails. --- ipalib/plugins/baseldap.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 14a46f2d0344c4276ec98091314b15e6e552ed77..62e9d2978e8166c7341f8cfb07e7a9af90605c9d 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1424,7 +1424,13 @@ class LDAPDelete(LDAPMultiQuery): except errors.NotFound: self.obj.handle_not_found(*nkeys) - delete_subtree(dn) + try: + self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn, normalize=self.obj.normalize_dn) + except errors.NotFound: + self.obj.handle_not_found(*nkeys) + except errors.DatabaseError: + # this entry may not be a leaf entry, try to delete all child nodes + delete_subtree(dn) for callback in self.get_callbacks('post'): result = callback(self, ldap, dn, *nkeys, **options) -- 1.7.11.4
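Review bot: The "except errors.DatabaseError" branch in LDAPDelete is wider than the case its comment describes: any database error raised by ldap.delete_entry, not only an attempt to delete a non-leaf entry, now falls through to delete_subtree(dn), which runs the subtree search this patch is meant to avoid and can hide the original failure. Catch only the non-leaf condition (or check for it before falling back) and re-raise everything else. The delete_entry call line is also very long, and the new NotFound handler repeats the one directly above it in the context; wrapping the call and sharing the handler would tidy this up.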
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
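As an added example (not part of the original post and not FreeIPA code), this script performs the kind of access-log audit the patch descriptions refer to: it pairs each RESULT line flagged as unindexed ("notes=U") with its SRCH line and counts the attributes used in those filters. The log lines are constructed samples in 389 Directory Server access-log format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in 389 Directory Server access-log format (not from the post).
SAMPLE_LOG = '''\
[25/Sep/2012:17:20:01 +0200] conn=7 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(ipakrbprincipalalias=admin@EXAMPLE.COM)" attrs="krbPrincipalName"
[25/Sep/2012:17:20:01 +0200] conn=7 op=3 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[25/Sep/2012:17:20:02 +0200] conn=7 op=4 SRCH base="dc=example,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
[25/Sep/2012:17:20:02 +0200] conn=7 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:17:20:03 +0200] conn=9 op=1 SRCH base="uid=tuser,cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="1.1"
[25/Sep/2012:17:20:03 +0200] conn=9 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[25/Sep/2012:17:20:04 +0200] conn=9 op=2 SRCH base="cn=default,cn=automount,dc=example,dc=com" scope=2 filter="(&(objectClass=automount)(automountkey=/home))" attrs=ALL
[25/Sep/2012:17:20:04 +0200] conn=9 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
'''

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT\b(.*)')
NOTES_RE = re.compile(r'\bnotes=([A-Z,]+)')
ATTR_RE = re.compile(r'\(([A-Za-z][\w;.-]*)(?:=|~=|>=|<=)')
# U marks an unindexed search; newer server releases also use A (fully unindexed).
UNINDEXED = {"U", "A"}


def unindexed_searches(log_text):
    """Return (base, filter) for every search whose RESULT is flagged unindexed."""
    pending = {}  # (conn, op) -> (base, filter), waiting for the RESULT line
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        search = pending.pop((m.group(1), m.group(2)), None)
        notes = NOTES_RE.search(m.group(3))
        if search and notes and UNINDEXED & set(notes.group(1).split(",")):
            hits.append(search)
    return hits


def attribute_counts(hits):
    """Count filter attributes (lower-cased) across the unindexed searches."""
    return Counter(a.lower() for _, flt in hits for a in ATTR_RE.findall(flt))


if __name__ == "__main__":
    for attr, n in attribute_counts(unindexed_searches(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {attr}")
```

Attributes that dominate the count are the indexing candidates; an "(objectClass=*)" entry whose base is a single object DN matches the per-delete child lookup described in patch 2/2.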