Dne 11.6.2015 v 07:16 Fraser Tweedale napsal(a):
On Wed, Jun 10, 2015 at 03:50:22PM +0200, Martin Basti wrote:
On 10/06/15 13:57, Martin Kosek wrote:
On 06/10/2015 01:50 PM, Jan Cholasta wrote:
Dne 10.6.2015 v 13:44 Martin Basti napsal(a):
On 10/06/15 06:40, Fraser Tweedale wrote:
On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
On 09/06/15 08:58, Fraser Tweedale wrote:
On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
New patches attached.  Comments inline.
Thanks Fraser!

...
5)
Missing referint plugin configuration for attribute
'ipacaaclmembercertprofile'
Please add it into install/updates/25-referint.update (+ other
member
attributes if missing)

Added this.  There is a comment in 25-referint.update:

      # pres and eq indexes defined in 20-indices.update must be set
      # for all the attributes

Can you explain what is required here?  Is it just to add: I see
things for memberUser and memberHost in indices.ldif but nothing for
memberService.  Do I need to add to indices.ldif:

      dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm
database,cn=plugins,cn=config
      changetype: add
      cn: memberProfile
      ObjectClass: top
      ObjectClass: nsIndex
      nsSystemIndex: false
      nsIndexType: eq
      nsIndexType: pres
      nsIndexType: sub

, and similarly for memberCa?  Sorry I do not know much about LDAP
indexing.
AFAIR, yes. BTW, where does the "sub" index come from? It is quite
an expensive
index to use and I now cannot think of memberProfile search where
you would
need a substring...

Thanks,
Martin
Updated patch attached, which adds the indices.  (Also rebased).

There is a commit that seems to indicate that substring index is
needed, so I have included substring indices in this patchset.
Copied Honza in case he wants to comment.

      commit a10521a1dcf69960d6ce0bf5657180b709c297c0
      Author: Jan Cholasta <jchol...@redhat.com>
      Date:   Tue Jun 25 13:16:40 2013 +0000

          Add missing substring indices for attributes managed by the
referint plugin.

          The referint plugin does a substring search on these
attributes each time an
          entry is deleted, which causes a noticable slowdown for
large directories if
          the attributes are not indexed.

          https://fedorahosted.org/freeipa/ticket/3706

Cheers,
Fraser
ACK

Please send the upgrade patch ASAP :)

--
Martin Basti

Thank you for the ACK \o/

Since the patches have not been pushed, here is an updated patchset
which adds the upgrade behaviour.  There are no changes apart from
the additions to ipaserver/install/server/upgrade.py.

Cheers,
Fraser
ACK
NACK, the new OIDs are not registered.

BTW all new attribute names should have the "ipa" prefix. Also I would prefer
"CertProfile" instead of just "Profile" in certificate profile related names.
Please rename the attributes as follows:

     memberCa -> ipaMemberCa
     memberProfile -> ipaMemberCertProfile
     caCategory -> ipaCaCategory
     profileCategory -> ipaCertProfileCategory

Honza

+1. I see that other attributes from this feature use the ipa prefix already:

dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued'
DESC 'Store certificates issued using this profile' EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top
STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA
v4.2' )

Those OIDs should be BTW registered as well, if not already
OID registered.

Thanks!

Patches with updated names attached.
Can you Fraser check if I didn't break anything? :)

Everything LGTM.  Did some simple tessting.  There were conflicts;
rebased patches attached (no other changes).

Pushed to master: 947af1a037609fa42cbfd794301d5a5c4061c81b

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to