Hello all,
I would like to discuss the way how we should improve the speed of
user-find commands (and other commands too if possible):
0)
Do not do extra search for ipasshpubkey. This is clear, patch posted for
review.
https://fedorahosted.org/freeipa/ticket/3376
commands: user, stageuser, host, idview
1)
make --no-members option visible in CLI
https://fedorahosted.org/freeipa/ticket/4995
I don't think we should implement also --no-indirect-members, I think
that this kind of granularity is not needed.
If --no-members is used, then indirect members will be ignored too.
commands: all which use members
2)
Limit the amount of searches for memberof[indirect] (group, netgroup,
role, hbacrule, sudorule) and search for each dn only once in find commands.
We can have configurable option in default.conf (for example
memberof_search_limit=100 (0 unlimited)). Find commands will get members
only for specified amount and if this limit is exceeded a warning
message is shown.
I do not like this idea much, I think it should be all or nothing, I
prefer to not do this.
However I like the idea of temporary caching inside find commands, where
each memberof DN is resolved just once and results are cached in a map
and reused in current context of command. This should be improvement
mainly for indirect searches, but cache should be faster for direct
members than doing internal calls of framework objects. This part is
backward compatible, the first part is not.
https://fedorahosted.org/freeipa/ticket/5282
commands: user-find, stageuser-find, possibly all find commands
3)
Remove userPassword, krbPrincipalKey from search results
This change is not backward compatible, can we do this?
https://fedorahosted.org/freeipa/ticket/5281
commands: user-find
Martin^2
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code