Hello all,

I would like to discuss the way how we should improve the speed of user-find commands (and other commands too if possible):

Do not do extra search for ipasshpubkey. This is clear, patch posted for review.

commands: user, stageuser, host, idview

make --no-members option visible in CLI

I don't think we should implement also --no-indirect-members, I think that this kind of granularity is not needed.
If --no-members is used, then indirect members will be ignored too.

commands: all which use members

Limit the amount of searches for memberof[indirect] (group, netgroup, role, hbacrule, sudorule) and search for each dn only once in find commands.

We can have configurable option in default.conf (for example memberof_search_limit=100 (0 unlimited)). Find commands will get members only for specified amount and if this limit is exceeded a warning message is shown. I do not like this idea much, I think it should be all or nothing, I prefer to not do this.

However I like the idea of temporary caching inside find commands, where each memberof DN is resolved just once and results are cached in a map and reused in current context of command. This should be improvement mainly for indirect searches, but cache should be faster for direct members than doing internal calls of framework objects. This part is backward compatible, the first part is not.


commands: user-find, stageuser-find, possibly all find commands

Remove userPassword, krbPrincipalKey from search results
This change is not backward compatible, can we do this?


commands: user-find


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to