Hi,

the attached patches are an attempt to solve <https://fedorahosted.org/freeipa/ticket/3706> without actually removing ipausers.

I have done some basic timing on IPA with 10k users, the results are:

    ipa user-add: 18 s originally, 4 s with the patches
    ipa user-del: 54 s originally, 7 s with the patches

Other commands should be affected as well, especially del commands (deleting an entry triggers a search in the referint plugin that was originally unindexed) and member manipulation commands (the full member list is no longer fetched and stored back when adding/removing members).

Patch 147 fixes <https://fedorahosted.org/freeipa/ticket/3743>.

Honza

--
Jan Cholasta
>From ddca9fbf73e985fb8a6e5ea43b0e2e68c957377b Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 12:58:37 +0000
Subject: [PATCH 1/5] Use LDAP search instead of *group_show to check if a
 group exists.

https://fedorahosted.org/freeipa/ticket/3706
---
 ipalib/plugins/aci.py       | 9 +++++----
 ipalib/plugins/baseldap.py  | 5 +++++
 ipalib/plugins/config.py    | 2 +-
 ipalib/plugins/hostgroup.py | 4 ++--
 ipalib/plugins/netgroup.py  | 2 +-
 ipalib/plugins/user.py      | 2 +-
 6 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index dab209e..a7f85dd 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -252,7 +252,8 @@ def _make_aci(ldap, current, aciname, kw):
     elif group:
         # Not so friendly with groups. This will raise
         try:
-            entry_attrs = api.Command['group_show'](kw['group'])['result']
+            group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
+            entry_attrs = {'dn': group_dn}
         except errors.NotFound:
             raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group'])
 
@@ -269,7 +270,7 @@ def _make_aci(ldap, current, aciname, kw):
             a.set_target_attr(kw['attrs'])
         if valid['memberof']:
             try:
-                api.Command['group_show'](kw['memberof'])
+                api.Object['group'].get_dn_if_exists(kw['memberof'])
             except errors.NotFound:
                 api.Object['group'].handle_not_found(kw['memberof'])
             groupdn = _group_from_memberof(kw['memberof'])
@@ -291,8 +292,8 @@ def _make_aci(ldap, current, aciname, kw):
             a.set_target(target)
         if valid['targetgroup']:
             # Purposely no try here so we'll raise a NotFound
-            entry_attrs = api.Command['group_show'](kw['targetgroup'])['result']
-            target = 'ldap:///%s' % entry_attrs['dn']
+            group_dn = api.Object['group'].get_dn_if_exists(kw['targetgroup'])
+            target = 'ldap:///%s' % group_dn
             a.set_target(target)
         if valid['subtree']:
             # See if the subtree is a full URI
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index bb0de98..1312107 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -493,6 +493,11 @@ class LDAPObject(Object):
         assert isinstance(parent_dn, DN)
         return parent_dn
 
+    def get_dn_if_exists(self, *keys, **kwargs):
+        dn = self.get_dn(*keys, **kwargs)
+        entry = self.backend.get_entry(dn, [''])
+        return entry.dn
+
     def get_primary_key_from_dn(self, dn):
         assert isinstance(dn, DN)
         try:
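Review bot: `get_dn_if_exists` is added without a docstring, although every existence check rewritten in this patch now depends on its contract. I would add one along the lines of `"""Return the DN built from the keys if an entry exists at it; errors.NotFound from the backend propagates otherwise."""`, plus a comment on the `['']` attribute list saying that, apparently, no attribute values are requested because only existence matters. Unlike the `*_show` commands it replaces, the helper only shows that some entry sits at that DN and, as far as this hunk shows, does not look at its object class, which callers that read the result as "this is a group" should know. get_primary_key_from_dn continues below the hunk.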
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 33eb174..b9cf050 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -213,7 +213,7 @@ class config_mod(LDAPUpdate):
         if 'ipadefaultprimarygroup' in entry_attrs:
             group=entry_attrs['ipadefaultprimarygroup']
             try:
-                api.Command['group_show'](group)
+                api.Object['group'].get_dn_if_exists(group)
             except errors.NotFound:
                 raise errors.NotFound(message=_("The group doesn't exist"))
         kw = {}
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 9fb1029..bc10994 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -122,7 +122,7 @@ class hostgroup_add(LDAPCreate):
         assert isinstance(dn, DN)
         try:
             # check duplicity with hostgroups first to provide proper error
-            netgroup = api.Command['hostgroup_show'](keys[-1])
+            api.Object['hostgroup'].get_dn_if_exists(keys[-1])
             self.obj.handle_duplicate_entry(*keys)
         except errors.NotFound:
             pass
@@ -130,7 +130,7 @@ class hostgroup_add(LDAPCreate):
         try:
             # when enabled, a managed netgroup is created for every hostgroup
             # make sure that the netgroup can be created
-            netgroup = api.Command['netgroup_show'](keys[-1])
+            api.Object['netgroup'].get_dn_if_exists(keys[-1])
             raise errors.DuplicateEntry(message=unicode(_(\
                     u'netgroup with name "%s" already exists. ' \
                     u'Hostgroups and netgroups share a common namespace'\
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index a2cf442..84bc749 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -179,7 +179,7 @@ class netgroup_add(LDAPCreate):
             # when enabled, a managed netgroup is created for every hostgroup
             # make sure that we don't create a collision if the plugin is
             # (temporarily) disabled
-            netgroup = api.Command['hostgroup_show'](keys[-1])
+            api.Object['hostgroup'].get_dn_if_exists(keys[-1])
             raise errors.DuplicateEntry(message=unicode(self.msg_collision % keys[-1]))
         except errors.NotFound:
             pass
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 32fda68..4fd9421 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -451,7 +451,7 @@ class user_add(LDAPCreate):
                 # The Managed Entries plugin will allow a user to be created
                 # even if a group has a duplicate name. This would leave a user
                 # without a private group. Check for both the group and the user.
-                self.api.Command['group_show'](keys[-1])
+                self.api.Object['group'].get_dn_if_exists(keys[-1])
                 try:
                     self.api.Command['user_show'](keys[-1])
                     self.obj.handle_duplicate_entry(*keys)
-- 
1.8.2.1

>From 63a5142b4acd1734cba8bc39e20cc638c68f6932 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 13:08:18 +0000
Subject: [PATCH 2/5] Use LDAP search instead of *group_show to check for a
 group objectclass.

https://fedorahosted.org/freeipa/ticket/3706
---
 ipalib/plugins/host.py      | 36 +++++++++++++++++++-----------------
 ipalib/plugins/hostgroup.py | 39 ++++++++++++++++++++-------------------
 ipalib/plugins/pwpolicy.py  |  3 ++-
 3 files changed, 41 insertions(+), 37 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index e615259..6be0694 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -364,22 +364,24 @@ class host(LDAPObject):
 
         return managed_hosts
 
-    def suppress_netgroup_memberof(self, entry_attrs):
+    def suppress_netgroup_memberof(self, ldap, entry_attrs):
         """
         We don't want to show managed netgroups so remove them from the
         memberofindirect list.
         """
         ng_container = DN(api.env.container_netgroup, api.env.basedn)
-        if 'memberofindirect' in entry_attrs:
-            for member in list(entry_attrs['memberofindirect']):
-                memberdn = DN(member)
-                if memberdn.endswith(ng_container):
-                    try:
-                        netgroup = api.Command['netgroup_show'](memberdn['cn'], all=True)['result']
-                        if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
-                            entry_attrs['memberofindirect'].remove(member)
-                    except errors.NotFound:
-                        pass
+        for member in list(entry_attrs.get('memberofindirect', [])):
+            memberdn = DN(member)
+            if not memberdn.endswith(ng_container):
+                continue
+
+            filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})
+            try:
+                ldap.get_entries(memberdn, ldap.SCOPE_BASE, filter, [''])
+            except errors.NotFound:
+                pass
+            else:
+                entry_attrs['memberofindirect'].remove(member)
 
 api.register(host)
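Review bot: In suppress_netgroup_memberof the local name `filter` shadows the builtin and is rebuilt on every loop iteration although it never changes; `mep_filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})` can be assigned once before the `for` and passed to `ldap.get_entries`. A short comment above the `try` would also help, for example `# base-scope search: NotFound presumably means the netgroup is absent or is not a managed entry`, because the exception is now the normal "not managed" answer rather than an error path. Both remarks apply equally to the hostgroup.py version of this method later in the patch.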
 
@@ -753,7 +755,7 @@ class host_mod(LDAPUpdate):
         if options.get('all', False):
             entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
 
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 
         convert_sshpubkey_post(ldap, dn, entry_attrs)
 
@@ -832,7 +834,7 @@ class host_find(LDAPSearch):
             set_certificate_attrs(entry_attrs)
             set_kerberos_attrs(entry_attrs, options)
             self.obj.get_password_attributes(ldap, dn, entry_attrs)
-            self.obj.suppress_netgroup_memberof(entry_attrs)
+            self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
             if entry_attrs['has_password']:
                 # If an OTP is set there is no keytab, at least not one
                 # fetched anywhere.
@@ -874,7 +876,7 @@ class host_show(LDAPRetrieve):
         if options.get('all', False):
             entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
 
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 
         convert_sshpubkey_post(ldap, dn, entry_attrs)
 
@@ -987,7 +989,7 @@ class host_disable(LDAPQuery):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
         return dn
 
 api.register(host_disable)
@@ -1001,7 +1003,7 @@ class host_add_managedby(LDAPAddMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
         return (completed, dn)
 
 api.register(host_add_managedby)
@@ -1015,7 +1017,7 @@ class host_remove_managedby(LDAPRemoveMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
         return (completed, dn)
 
 api.register(host_remove_managedby)
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index bc10994..8a49573 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -92,23 +92,24 @@ class hostgroup(LDAPObject):
         ),
     )
 
-    def suppress_netgroup_memberof(self, dn, entry_attrs):
+    def suppress_netgroup_memberof(self, ldap, dn, entry_attrs):
         """
         We don't want to show managed netgroups so remove them from the
         memberOf list.
         """
-        if 'memberof' in entry_attrs:
-            hgdn = DN(dn)
-            for member in list(entry_attrs['memberof']):
-                ngdn = DN(member)
-                if ngdn['cn'] == hgdn['cn']:
-                    try:
-                        netgroup = api.Command['netgroup_show'](ngdn['cn'], all=True)['result']
-                        if self.has_objectclass(netgroup['objectclass'], 'mepmanagedentry'):
-                            entry_attrs['memberof'].remove(member)
-                            return
-                    except errors.NotFound:
-                        pass
+        hgdn = DN(dn)
+        for member in list(entry_attrs.get('memberof', [])):
+            ngdn = DN(member)
+            if ngdn['cn'] != hgdn['cn']:
+                continue
+
+            filter = ldap.make_filter({'objectclass': 'mepmanagedentry'})
+            try:
+                ldap.get_entries(ngdn, ldap.SCOPE_BASE, filter, [''])
+            except errors.NotFound:
+                pass
+            else:
+                entry_attrs['memberof'].remove(member)
 
 api.register(hostgroup)
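Review bot: The rewritten loop base-searches whatever DN in `memberof` shares the hostgroup's `cn`, while the old code looked that name up as a netgroup; nothing here checks that `ngdn` lies under the netgroup container. host.py's version guards with `memberdn.endswith(ng_container)`, and the same guard here (`ng_container = DN(api.env.container_netgroup, api.env.basedn)`, then `if ngdn['cn'] != hgdn['cn'] or not ngdn.endswith(ng_container): continue`) would keep a same-named managed entry of another type from being dropped from the output. The early `return` after the first removal is also gone, which looks intentional but deserves a word in the docstring.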
 
@@ -146,7 +147,7 @@ class hostgroup_add(LDAPCreate):
         # be sure to ignore it in memberOf
         newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry')
         entry_from_entry(entry_attrs, newentry)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
 
         return dn
 
@@ -169,7 +170,7 @@ class hostgroup_mod(LDAPUpdate):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return dn
 
 api.register(hostgroup_mod)
@@ -188,7 +189,7 @@ class hostgroup_find(LDAPSearch):
             return truncated
         for entry in entries:
             (dn, entry_attrs) = entry
-            self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+            self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return truncated
 
 api.register(hostgroup_find)
@@ -199,7 +200,7 @@ class hostgroup_show(LDAPRetrieve):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof( dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return dn
 
 api.register(hostgroup_show)
@@ -210,7 +211,7 @@ class hostgroup_add_member(LDAPAddMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return (completed, dn)
 
 api.register(hostgroup_add_member)
@@ -221,7 +222,7 @@ class hostgroup_remove_member(LDAPRemoveMember):
 
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        self.obj.suppress_netgroup_memberof(dn, entry_attrs)
+        self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
         return (completed, dn)
 
 api.register(hostgroup_remove_member)
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index c92b268..9bbecf7 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -121,7 +121,8 @@ class cosentry_add(LDAPCreate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
         # check for existence of the group
-        result = self.api.Command.group_show(keys[-1], all=True)['result']
+        group_dn = self.api.Object.group.get_dn(keys[-1])
+        result = ldap.get_entry(group_dn, ['objectclass'])
         oc = map(lambda x:x.lower(),result['objectclass'])
         if 'mepmanagedentry' in oc:
             raise errors.ManagedPolicyError()
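Review bot: The comment still reads "check for existence of the group", but a missing group now surfaces as whatever NotFound `ldap.get_entry` raises instead of, presumably, the group-specific message the `group_show` command produced. Wrapping the lookup in `try:` / `except errors.NotFound:` and calling `self.api.Object.group.handle_not_found(keys[-1])`, as aci.py does for `memberof` in patch 1, would keep the user-facing error stable. `get_dn_if_exists` cannot be reused unchanged because the `objectclass` values are needed here. pre_callback continues below this hunk.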
-- 
1.8.2.1

>From 91de2a8950e3ac09ee9ca17625769170fbf99b61 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 13:10:36 +0000
Subject: [PATCH 3/5] Use LDAP modify operation directly to add/remove group
 members.

This prevents getting full member list from LDAP and putting it back later.

https://fedorahosted.org/freeipa/ticket/3706
---
 ipaserver/plugins/ldap2.py | 36 +++++++++++++-----------------------
 1 file changed, 13 insertions(+), 23 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index b84271c..048e2c5 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -346,27 +346,23 @@ class ldap2(LDAPClient, CrudBackend):
         self.log.debug(
             "add_entry_to_group: dn=%s group_dn=%s member_attr=%s",
             dn, group_dn, member_attr)
-        # check if the entry exists
-        (dn, entry_attrs) = self.get_entry(dn, ['objectclass'])
 
-        # get group entry
-        (group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
+        # check if the entry exists
+        entry = self.get_entry(dn, [''])
+        dn = entry.dn
 
-        self.log.debug(
-            "add_entry_to_group: group_entry_attrs=%s", group_entry_attrs)
         # check if we're not trying to add group into itself
         if dn == group_dn and not allow_same:
             raise errors.SameGroupError()
 
         # add dn to group entry's `member_attr` attribute
-        members = group_entry_attrs.get(member_attr, [])
-        members.append(dn)
-        group_entry_attrs[member_attr] = members
+        modlist = [(_ldap.MOD_ADD, member_attr, [dn])]
 
         # update group entry
         try:
-            self.update_entry(group_dn, group_entry_attrs)
-        except errors.EmptyModlist:
+            with self.error_handler():
+                self.conn.modify_s(group_dn, modlist)
+        except errors.DatabaseError:
             raise errors.AlreadyGroupMember()
 
     def remove_entry_from_group(self, dn, group_dn, member_attr='member'):
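Review bot: The new `except errors.DatabaseError: raise errors.AlreadyGroupMember()` in add_entry_to_group reports every database-level failure of `modify_s` as "already a member", so an unrelated server-side error would be hidden behind a benign-looking message. error_handler is not visible here, but if DatabaseError is its catch-all, it would be safer to catch the specific LDAP result inside the `with` block, e.g. `except _ldap.TYPE_OR_VALUE_EXISTS: raise errors.AlreadyGroupMember()`. The next hunk has the same coupling in remove_entry_from_group, where `errors.MidairCollision` is taken to mean "not a member"; a comment such as `# error_handler maps a missing attribute value to MidairCollision` (to be confirmed against error_handler) would make that dependency explicit. add_entry_to_group begins above this hunk.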
@@ -378,22 +374,16 @@ class ldap2(LDAPClient, CrudBackend):
         self.log.debug(
             "remove_entry_from_group: dn=%s group_dn=%s member_attr=%s",
             dn, group_dn, member_attr)
-        # get group entry
-        (group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
 
-        self.log.debug(
-            "remove_entry_from_group: group_entry_attrs=%s", group_entry_attrs)
         # remove dn from group entry's `member_attr` attribute
-        members = group_entry_attrs.get(member_attr, [])
-        assert all([isinstance(x, DN) for x in members])
-        try:
-            members.remove(dn)
-        except ValueError:
-            raise errors.NotGroupMember()
-        group_entry_attrs[member_attr] = members
+        modlist = [(_ldap.MOD_DELETE, member_attr, [dn])]
 
         # update group entry
-        self.update_entry(group_dn, group_entry_attrs)
+        try:
+            with self.error_handler():
+                self.conn.modify_s(group_dn, modlist)
+        except errors.MidairCollision:
+            raise errors.NotGroupMember()
 
     def set_entry_active(self, dn, active):
         """Mark entry active/inactive."""
-- 
1.8.2.1

>From c6a95b9d9532aebe02ce11735a5e856d19bc6903 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 13:16:40 +0000
Subject: [PATCH 4/5] Add missing substring indices for attributes managed by
 the referint plugin.

The referint plugin does a substring search on these attributes each time an
entry is deleted, which causes a noticeable slowdown for large directories if
the attributes are not indexed.

https://fedorahosted.org/freeipa/ticket/3706
---
 install/share/indices.ldif        | 11 +++++++
 install/updates/20-indices.update | 65 +++++++++++++++++++--------------------
 2 files changed, 43 insertions(+), 33 deletions(-)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 1e1a5e9..4f5bbf9 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -42,6 +42,7 @@ cn:manager
 nsSystemIndex:false
 nsIndexType:eq
 nsIndexType:pres
+nsIndexType:sub
 
 dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -51,6 +52,7 @@ cn:secretary
 nsSystemIndex:false
 nsIndexType:eq
 nsIndexType:pres
+nsIndexType:sub
 
 dn: cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -120,6 +122,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -129,6 +132,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -138,6 +142,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -147,6 +152,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -156,6 +162,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -165,6 +172,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -174,6 +182,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -183,6 +192,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -192,6 +202,7 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 323fb9c..4059381 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -12,33 +12,45 @@ default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 default:nsIndexType: eq,pres
 
-dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberof
+dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: memberHost
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
+only:nsIndexType: eq,pres,sub
 
-dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberHost
+dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: memberUser
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
+only:nsIndexType: eq,pres,sub
 
-dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-add:nsIndexType: pres
+dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,sub
 
-dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberUser
+dn: cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,sub
+
+dn: cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,sub
+
+dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,pres,sub
+
+dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,pres,sub
+
+dn: cn=seealso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:nsIndexType: eq,sub
+
+dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: memberof
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 default:nsIndexType: eq
 
-dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
-
 dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: fqdn
 default:ObjectClass: top
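Review bot: The new stanzas for `member`, `uniquemember`, `owner` and `seealso` carry only an `only:nsIndexType` line, so they assume the index entry already exists; if one is absent on an upgraded server there is no `cn` or `ObjectClass` default to create it from. Either add the same `default:` lines the neighbouring stanzas have, or add a comment stating that these entries are expected to be present already. Switching the other stanzas from `default:` to `only:` also means the listed index types replace whatever an administrator configured locally, and a line such as `# referint runs substring searches on these attributes when an entry is deleted` would record why that is wanted. Whether the updater re-indexes existing data after the type change is not visible in this patch and should be confirmed.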
@@ -55,67 +67,54 @@ default:nsSystemIndex: false
 default:nsIndexType: eq
 default:nsIndexType: pres
 
-dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
-
-dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
-
 dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: sourcehost
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: memberservice
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: managedby
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: memberallowcmd
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: memberdenycmd
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: ipasudorunas
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: ipasudorunasgroup
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq,pres,sub
 
 dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: automountkey
-- 
1.8.2.1

>From 8e95aaff2c23c2a900aa1b6c10debb3bb003b283 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 25 Jun 2013 13:19:01 +0000
Subject: [PATCH 5/5] Add missing equality index for ipaUniqueId.

https://fedorahosted.org/freeipa/ticket/3743
---
 install/share/indices.ldif        | 8 ++++++++
 install/updates/20-indices.update | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 4f5bbf9..ad678e0 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -219,3 +219,11 @@ ObjectClass: top
 ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
+
+dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipauniqueid
+ObjectClass: top
+ObjectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 4059381..b966a4f 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -129,3 +129,10 @@ default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 default:nsIndexType: eq
+
+dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipauniqueid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+default:nsIndexType: eq
-- 
1.8.2.1
