Hello all,

I would like to discuss the way how we should improve the speed of user-find commands (and other commands too if possible):


0)
Do not do extra search for ipasshpubkey. This is clear, patch posted for review.
https://fedorahosted.org/freeipa/ticket/3376

commands: user, stageuser, host, idview

1)
make --no-members option visible in CLI
https://fedorahosted.org/freeipa/ticket/4995

I don't think we should implement also --no-indirect-members, I think that this kind of granularity is not needed.
If --no-members is used, then indirect members will be ignored too.

commands: all which use members

2)
Limit the amount of searches for memberof[indirect] (group, netgroup, role, hbacrule, sudorule) and search for each dn only once in find commands.

We can have configurable option in default.conf (for example memberof_search_limit=100 (0 unlimited)). Find commands will get members only for specified amount and if this limit is exceeded a warning message is shown. I do not like this idea much, I think it should be all or nothing, I prefer to not do this.

However I like the idea of temporary caching inside find commands, where each memberof DN is resolved just once and results are cached in a map and reused in current context of command. This should be improvement mainly for indirect searches, but cache should be faster for direct members than doing internal calls of framework objects. This part is backward compatible, the first part is not.

https://fedorahosted.org/freeipa/ticket/5282

commands: user-find, stageuser-find, possibly all find commands

3)
Remove userPassword, krbPrincipalKey from search results
This change is not backward compatible, can we do this?

https://fedorahosted.org/freeipa/ticket/5281

commands: user-find

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to