Hi,

the attached patches are an attempt to solve <https://fedorahosted.org/freeipa/ticket/3706> without actually removing ipausers.


I have done some basic timing on IPA with 10k users, the results are:

    ipa user-add: 18 s originally, 4 s with the patches
    ipa user-del: 54 s originally, 7 s with the patches

Other commands should be affected as well, especially del commands (deleting an entry triggers a originally unindexed search in the referint plugin) and member manipulation commands (full member list is no longer fetched and stored back when adding/removing members).

Patch 147 fixes <https://fedorahosted.org/freeipa/ticket/3743>.

Honza

--
Jan Cholasta
>From ddca9fbf73e985fb8a6e5ea43b0e2e68c957377b Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 12:58:37 +0000
Subject: [PATCH 1/5] Use LDAP search instead of *group_show to check if a
 group exists.

https://fedorahosted.org/freeipa/ticket/3706
---
 ipalib/plugins/aci.py       | 9 +++++----
 ipalib/plugins/baseldap.py  | 5 +++++
 ipalib/plugins/config.py    | 2 +-
 ipalib/plugins/hostgroup.py | 4 ++--
 ipalib/plugins/netgroup.py  | 2 +-
 ipalib/plugins/user.py      | 2 +-
 6 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index dab209e..a7f85dd 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -252,7 +252,8 @@ def _make_aci(ldap, current, aciname, kw):
     elif group:
         # Not so friendly with groups. This will raise
         try:
-            entry_attrs = api.Command['group_show'](kw['group'])['result']
+            group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
+            entry_attrs = {'dn': group_dn}
         except errors.NotFound:
             raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group'])
 
@@ -269,7 +270,7 @@ def _make_aci(ldap, current, aciname, kw):
             a.set_target_attr(kw['attrs'])
         if valid['memberof']:
             try:
-                api.Command['group_show'](kw['memberof'])
+                api.Object['group'].get_dn_if_exists(kw['memberof'])
             except errors.NotFound:
                 api.Object['group'].handle_not_found(kw['memberof'])
             groupdn = _group_from_memberof(kw['memberof'])
@@ -291,8 +292,8 @@ def _make_aci(ldap, current, aciname, kw):
             a.set_target(target)
         if valid['targetgroup']:
             # Purposely no try here so we'll raise a NotFound
-            entry_attrs = api.Command['group_show'](kw['targetgroup'])['result']
-            target = 'ldap:///%s' % entry_attrs['dn']
+            group_dn = api.Object['group'].get_dn_if_exists(kw['targetgroup'])
+            target = 'ldap:///%s' % group_dn
             a.set_target(target)
         if valid['subtree']:
             # See if the subtree is a full URI
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index bb0de98..1312107 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -493,6 +493,11 @@ class LDAPObject(Object):
         assert isinstance(parent_dn, DN)
         return parent_dn
 
+    def get_dn_if_exists(self, *keys, **kwargs):
+        dn = self.get_dn(*keys, **kwargs)
+        entry = self.backend.get_entry(dn, [''])
+        return entry.dn
+
     def get_primary_key_from_dn(self, dn):
         assert isinstance(dn, DN)
         try:
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 33eb174..b9cf050 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -213,7 +213,7 @@ class config_mod(LDAPUpdate):
         if 'ipadefaultprimarygroup' in entry_attrs:
             group=entry_attrs['ipadefaultprimarygroup']
             try:
-                api.Command['group_show'](group)
+                api.Object['group'].get_dn_if_exists(group)
             except errors.NotFound:
                 raise errors.NotFound(message=_("The group doesn't exist"))
         kw = {}
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 9fb1029..bc10994 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -122,7 +122,7 @@ class hostgroup_add(LDAPCreate):
         assert isinstance(dn, DN)
         try:
             # check duplicity with hostgroups first to provide proper error
-            netgroup = api.Command['hostgroup_show'](keys[-1])
+            api.Object['hostgroup'].get_dn_if_exists(keys[-1])
             self.obj.handle_duplicate_entry(*keys)
         except errors.NotFound:
             pass
@@ -130,7 +130,7 @@ class hostgroup_add(LDAPCreate):
         try:
             # when enabled, a managed netgroup is created for every hostgroup
             # make sure that the netgroup can be created
-            netgroup = api.Command['netgroup_show'](keys[-1])
+            api.Object['netgroup'].get_dn_if_exists(keys[-1])
             raise errors.DuplicateEntry(message=unicode(_(\
                     u'netgroup with name "%s" already exists. ' \
                     u'Hostgroups and netgroups share a common namespace'\
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index a2cf442..84bc749 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -179,7 +179,7 @@ class netgroup_add(LDAPCreate):
             # when enabled, a managed netgroup is created for every hostgroup
             # make sure that we don't create a collision if the plugin is
             # (temporarily) disabled
-            netgroup = api.Command['hostgroup_show'](keys[-1])
+            api.Object['hostgroup'].get_dn_if_exists(keys[-1])
             raise errors.DuplicateEntry(message=unicode(self.msg_collision % keys[-1]))
         except errors.NotFound:
             pass
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 32fda68..4fd9421 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -451,7 +451,7 @@ class user_add(LDAPCreate):
                 # The Managed Entries plugin will allow a user to be created
                 # even if a group has a duplicate name. This would leave a user
                 # without a private group. Check for both the group and the user.
-                self.api.Command['group_show'](keys[-1])
+                self.api.Object['group'].get_dn_if_exists(keys[-1])
                 try:
                     self.api.Command['user_show'](keys[-1])
                     self.obj.handle_duplicate_entry(*keys)
-- 
1.8.2.1

>From 63a5142b4acd1734cba8bc39e20cc638c68f6932 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 13:08:18 +0000
Subject: [PATCH 2/5] Use LDAP search instead of *group_show to check for a
 group objectclass.

https://fedorahosted.org/freeipa/ticket/3706
---
 ipalib/plugins/host.py      | 36 +++++++++++++++++++-----------------
 ipalib/plugins/hostgroup.py | 39 ++++++++++++++++++++-------------------
 ipalib/plugins/pwpolicy.py  |  3 ++-
 3 files changed, 41 insertions(+), 37 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index e615259..6be0694 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -364,22 +364,24 @@ class host(LDAPObject):
 
         return managed_hosts
 
-    def suppress_netgroup_memberof(self, entry_attrs):
+    def suppress_netgroup_memberof(self, ldap, entry_attrs):
         """
         We don't want to show managed netgroups so remove them from the
         memberofindirect list.
         """
         ng_container = DN(api.env.container_netgroup, api.env.basedn)
-        if 'memberofindirect' in entry_attrs:
-            for member in list(entry_attrs['memberofindirect']):
-                memberdn = DN(member)
-                if memberdn.endswith(ng_container):
-                    try:
-                        netgroup = api.Command['netgroup_show'](memberdn['cn'], all=True)['result']
-                        if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
-                            entry_attrs['memberofindirect'].remove(member)
-                    except errors.NotFound:
-                        pass
+        for member in list(entry_attrs.get('memberofindirect', [])):
+            memberdn = DN(member)
+            if not memberdn.endswith(ng_container):
+                continue
+
+            filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})
+            try:
+                ldap.get_entries(memberdn, ldap.SCOPE_BASE, filter, [''])
+            except errors.NotFound:
+                pass
+            else:
+                entry_attrs['memberofindirect'].remove(member)
 
 api.register(host)
 
@@ -753,7 +755,7 @@ class host_mod(LDAPUpdate):
         if options.get('all', False):
             entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
 
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 
         convert_sshpubkey_post(ldap, dn, entry_attrs)
 
@@ -832,7 +834,7 @@ class host_find(LDAPSearch):
             set_certificate_attrs(entry_attrs)
             set_kerberos_attrs(entry_attrs, options)
             self.obj.get_password_attributes(ldap, dn, entry_attrs)
-            self.obj.suppress_netgroup_memberof(entry_attrs)
+            self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
             if entry_attrs['has_password']:
                 # If an OTP is set there is no keytab, at least not one
                 # fetched anywhere.
@@ -874,7 +876,7 @@ class host_show(LDAPRetrieve):
         if options.get('all', False):
             entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
 
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 
         convert_sshpubkey_post(ldap, dn, entry_attrs)
 
@@ -987,7 +989,7 @@ class host_disable(LDAPQuery):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
         return dn
 
 api.register(host_disable)
@@ -1001,7 +1003,7 @@ class host_add_managedby(LDAPAddMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
         return (completed, dn)
 
 api.register(host_add_managedby)
@@ -1015,7 +1017,7 @@ class host_remove_managedby(LDAPRemoveMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
         return (completed, dn)
 
 api.register(host_remove_managedby)
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index bc10994..8a49573 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -92,23 +92,24 @@ class hostgroup(LDAPObject):
         ),
     )
 
-    def suppress_netgroup_memberof(self, dn, entry_attrs):
+    def suppress_netgroup_memberof(self, ldap, dn, entry_attrs):
         """
         We don't want to show managed netgroups so remove them from the
         memberOf list.
         """
-        if 'memberof' in entry_attrs:
-            hgdn = DN(dn)
-            for member in list(entry_attrs['memberof']):
-                ngdn = DN(member)
-                if ngdn['cn'] == hgdn['cn']:
-                    try:
-                        netgroup = api.Command['netgroup_show'](ngdn['cn'], all=True)['result']
-                        if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
-                            entry_attrs['memberof'].remove(member)
-                            return
-                    except errors.NotFound:
-                        pass
+        hgdn = DN(dn)
+        for member in list(entry_attrs.get('memberof', [])):
+            ngdn = DN(member)
+            if ngdn['cn'] != hgdn['cn']:
+                continue
+
+            filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})
+            try:
+                ldap.get_entries(ngdn, ldap.SCOPE_BASE, filter, [''])
+            except errors.NotFound:
+                pass
+            else:
+                entry_attrs['memberof'].remove(member)
 
 api.register(hostgroup)
 
@@ -146,7 +147,7 @@ class hostgroup_add(LDAPCreate):
         # be sure to ignore it in memberOf
         newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry')
         entry_from_entry(entry_attrs, newentry)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
 
         return dn
 
@@ -169,7 +170,7 @@ class hostgroup_mod(LDAPUpdate):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return dn
 
 api.register(hostgroup_mod)
@@ -188,7 +189,7 @@ class hostgroup_find(LDAPSearch):
             return truncated
         for entry in entries:
             (dn, entry_attrs) = entry
-            self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+            self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return truncated
 
 api.register(hostgroup_find)
@@ -199,7 +200,7 @@ class hostgroup_show(LDAPRetrieve):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof( dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return dn
 
 api.register(hostgroup_show)
@@ -210,7 +211,7 @@ class hostgroup_add_member(LDAPAddMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return (completed, dn)
 
 api.register(hostgroup_add_member)
@@ -221,7 +222,7 @@ class hostgroup_remove_member(LDAPRemoveMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return (completed, dn)
 
 api.register(hostgroup_remove_member)
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index c92b268..9bbecf7 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -121,7 +121,8 @@ class cosentry_add(LDAPCreate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
         # check for existence of the group
-        result = self.api.Command.group_show(keys[-1], all=True)['result']
+        group_dn = self.api.Object.group.get_dn(keys[-1])
+        result = ldap.get_entry(group_dn, ['objectclass'])
         oc = map(lambda x:x.lower(),result['objectclass'])
         if 'mepmanagedentry' in oc:
             raise errors.ManagedPolicyError()
-- 
1.8.2.1

>From 91de2a8950e3ac09ee9ca17625769170fbf99b61 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 13:10:36 +0000
Subject: [PATCH 3/5] Use LDAP modify operation directly to add/remove group
 members.

This prevents getting full member list from LDAP and putting it back later.

https://fedorahosted.org/freeipa/ticket/3706
---
 ipaserver/plugins/ldap2.py | 36 +++++++++++++-----------------------
 1 file changed, 13 insertions(+), 23 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index b84271c..048e2c5 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -346,27 +346,23 @@ class ldap2(LDAPClient, CrudBackend):
         self.log.debug(
             "add_entry_to_group: dn=%s group_dn=%s member_attr=%s",
             dn, group_dn, member_attr)
-        # check if the entry exists
-        (dn, entry_attrs) = self.get_entry(dn, ['objectclass'])
 
-        # get group entry
-        (group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
+        # check if the entry exists
+        entry = self.get_entry(dn, [''])
+        dn = entry.dn
 
-        self.log.debug(
-            "add_entry_to_group: group_entry_attrs=%s", group_entry_attrs)
         # check if we're not trying to add group into itself
         if dn == group_dn and not allow_same:
             raise errors.SameGroupError()
 
         # add dn to group entry's `member_attr` attribute
-        members = group_entry_attrs.get(member_attr, [])
-        members.append(dn)
-        group_entry_attrs[member_attr] = members
+        modlist = [(_ldap.MOD_ADD, member_attr, [dn])]
 
         # update group entry
         try:
-            self.update_entry(group_dn, group_entry_attrs)
-        except errors.EmptyModlist:
+            with self.error_handler():
+                self.conn.modify_s(group_dn, modlist)
+        except errors.DatabaseError:
             raise errors.AlreadyGroupMember()
 
     def remove_entry_from_group(self, dn, group_dn, member_attr='member'):
@@ -378,22 +374,16 @@ class ldap2(LDAPClient, CrudBackend):
         self.log.debug(
             "remove_entry_from_group: dn=%s group_dn=%s member_attr=%s",
             dn, group_dn, member_attr)
-        # get group entry
-        (group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
 
-        self.log.debug(
-            "remove_entry_from_group: group_entry_attrs=%s", group_entry_attrs)
         # remove dn from group entry's `member_attr` attribute
-        members = group_entry_attrs.get(member_attr, [])
-        assert all([isinstance(x, DN) for x in members])
-        try:
-            members.remove(dn)
-        except ValueError:
-            raise errors.NotGroupMember()
-        group_entry_attrs[member_attr] = members
+        modlist = [(_ldap.MOD_DELETE, member_attr, [dn])]
 
         # update group entry
-        self.update_entry(group_dn, group_entry_attrs)
+        try:
+            with self.error_handler():
+                self.conn.modify_s(group_dn, modlist)
+        except errors.MidairCollision:
+            raise errors.NotGroupMember()
 
     def set_entry_active(self, dn, active):
         """Mark entry active/inactive."""
-- 
1.8.2.1

>From c6a95b9d9532aebe02ce11735a5e856d19bc6903 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 13:16:40 +0000
Subject: [PATCH 4/5] Add missing substring indices for attributes managed by
 the referint plugin.

The referint plugin does a substring search on these attributes each time an
entry is deleted, which causes a noticable slowdown for large directories if
the attributes are not indexed.

https://fedorahosted.org/freeipa/ticket/3706
---
 install/share/indices.ldif        | 11 +++++++
 install/updates/20-indices.update | 65 +++++++++++++++++++--------------------
 2 files changed, 43 insertions(+), 33 deletions(-)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 1e1a5e9..4f5bbf9 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -42,6 +42,7 @@ cn:manager
 nsSystemIndex:false
 nsIndexType:eq
 nsIndexType:pres
+nsIndexType:sub
 
 dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -51,6 +52,7 @@ cn:secretary
 nsSystemIndex:false
 nsIndexType:eq
 nsIndexType:pres
+nsIndexType:sub
 
 dn: cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -120,6 +122,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -129,6 +132,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -138,6 +142,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -147,6 +152,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -156,6 +162,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -165,6 +172,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -174,6 +182,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -183,6 +192,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -192,6 +202,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 323fb9c..4059381 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -12,33 +12,45 @@ default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 default:nsIndexType: eq,pres
 
-dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberof
+dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: memberHost
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
+only:nsIndexType: eq,pres,sub
 
-dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberHost
+dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: memberUser
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
+only:nsIndexType: eq,pres,sub
 
-dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-add:nsIndexType: pres
+dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,sub
 
-dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberUser
+dn: cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,sub
+
+dn: cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,sub
+
+dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,pres,sub
+
+dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,pres,sub
+
+dn: cn=seealso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,sub
+
+dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: memberof
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 default:nsIndexType: eq
 
-dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
-
 dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: fqdn
 default:ObjectClass: top
@@ -55,67 +67,54 @@ default:nsSystemIndex: false
 default:nsIndexType: eq
 default:nsIndexType: pres
 
-dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
-
-dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
-
 dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: sourcehost
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: memberservice
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: managedby
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: memberallowcmd
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: memberdenycmd
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: ipasudorunas
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: ipasudorunasgroup
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: automountkey
-- 
1.8.2.1

>From 8e95aaff2c23c2a900aa1b6c10debb3bb003b283 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 13:19:01 +0000
Subject: [PATCH 5/5] Add missing equality index for ipaUniqueId.

https://fedorahosted.org/freeipa/ticket/3743
---
 install/share/indices.ldif        | 8 ++++++++
 install/updates/20-indices.update | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 4f5bbf9..ad678e0 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -219,3 +219,11 @@ ObjectClass: top
 ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
+
+dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipauniqueid
+ObjectClass: top
+ObjectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 4059381..b966a4f 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -129,3 +129,10 @@ default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 default:nsIndexType: eq
+
+dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipauniqueid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+default:nsIndexType: eq
-- 
1.8.2.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to