Dne 9.4.2015 v 13:56 Petr Vobornik napsal(a):
On 04/08/2015 10:21 AM, Jan Cholasta wrote:

Dne 31.3.2015 v 12:11 Petr Vobornik napsal(a):
the old implementation tried to get all entries which are member of
group. That means also user. User can't have any members therefore this
costly processing was unnecessary.

New implementation reduces the search only to entries which can have

Also page size was removed to avoid paging by small pages(default size:
100) which is very slow for many members.


Useful to test with #809

1) To search for entries with members, you should search for entries
with the member attribute set ('(member=*)'), not for entries with some
arbitrary object class.

Replaced, new presence index added

2) I don't like how the search in get_memberindirect is limited to an
arbitrary hard-coded subtree. You should go through the object's
attribute_members to figure out which subtrees to search.

The subtree search was removed.

3) Since memberindirect and memberofindirect are not real attributes,
you must define their syntax in ipaldap before you cat set them using
.raw[], otherwise they will be decoded to wrong type.


4) The processing of memberof should be done even when memberofindirect
is not requested, otherwise its value will depend on whether
memberofindirect was requested or not.

True, but it's the same behavior as before. Could be changed in other

OK. Should we file a ticket?

5) I would prefer if all membership processing
(.convert_attribute_members() and .get_indirect_members()) was done in a
single LDAPObject method.

Now, as before, get_indirect_members is called before post callbacks and
convert_attribute_members after. If it should be combined, it should be
done separately.

OK, but at least move get_indirect_members to LDAPObject.


Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to