On 06/27/2013 09:31 AM, Jan Cholasta wrote:
On 27.6.2013 17:23, Martin Kosek wrote:
Thanks for this effort!

I quickly went through the patches, they mostly look harmless. Except the

Subject: [PATCH 4/5] Add missing substring indices for attributes managed by
  the referint plugin.

AFAIK, sub index is a very expensive index - as we discussed offline - adding Rich to advise and confirm this. I think you added it because some plugin was doing substring/wildcard search when an LDAP entry was being deleted - did you identify which one it is? Because I would rather get rid of the bad search than
adding so many sub indices.

The search is hard-coded in the referint plugin, see <https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745>.

Not sure if it makes sense to do a wildcard/substr search here - please file a ticket with 389 to investigate.

sub index isn't necessarily a bad thing - in this case it may be more beneficial than harmful - if you have enough nsslapd-idlistscanlimit to hold the entire candidate list in a single id list without hurting performance (i.e. a list of 10000 entries is probably ok - a list of 1000000 entries is not)

Secondly, did you also check Web UI performance? I think we could noticeable improve user/group lists performance if we added a new (hidden) option to suppress loading membership information which could then be utilized by Web UI.
Adding Petr Vobornik to CC to consider this.

No, not yet.


Freeipa-devel mailing list

Reply via email to