From 03c8a34cb3b7a635e5a853c648cafe5ea9f9a126 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 5 Oct 2011 10:37:05 -0400 Subject: When calculating indirect membership don't test nesting on users and hosts. Members are dereferenced when calculating indirect membership. We don't need to check hosts and users for members. This significantly reduces the number of queries required for large groups. https://fedorahosted.org/freeipa/ticket/1885 --- ipaserver/plugins/ldap2.py | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'ipaserver/plugins') diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index b12403b93..fddfe0f5a 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -42,6 +42,7 @@ import ldap.sasl as _ldap_sasl from ldap.controls import LDAPControl # for backward compatibility from ldap.functions import explode_dn +from ipalib.dn import DN import krbV @@ -987,6 +988,13 @@ class ldap2(CrudBackend, Encoder): if membertype == MEMBERS_ALL or membertype == MEMBERS_INDIRECT: checkmembers = copy.deepcopy(members) for member in checkmembers: + # No need to check entry types that are not nested for + # additional members + dn = DN(member) + if dn.endswith(DN(api.env.container_user, api.env.basedn)) or \ + dn.endswith(DN(api.env.container_host, api.env.basedn)): + results.append([member, {}]) + continue try: (result, truncated) = self.find_entries(searchfilter, attr_list, member, time_limit=time_limit, -- cgit
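Review bot: In the second hunk, inside the `for member in checkmembers:` loop, the new fast path appends `[member, {}]` without reading the entry, so users and hosts come back with an empty attribute dict even when `attr_list` was requested. A `member` value that still points at a deleted user or host is now reported as a member instead of going through `find_entries`; how that lookup treats a missing entry is outside the hunk, so confirm no caller relies on either behaviour. `DN(member)` also runs before the `try:`, so a value that does not parse as a DN would raise here rather than inside the guarded lookup. The two container DNs are loop-invariant and could be built once before the loop: `user_base = DN(api.env.container_user, api.env.basedn)`, `host_base = DN(api.env.container_host, api.env.basedn)`, then `if dn.endswith(user_base) or dn.endswith(host_base):`. The enclosing method starts and ends outside the hunk.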