authorMartin Kosek <mkosek@redhat.com>2012-09-25 17:19:44 +0200
committerRob Crittenden <rcritten@redhat.com>2012-10-01 22:38:22 -0400
commit20f182034555fdea736a517d9e6f1f8203ea8b28 (patch)
tree08b174aa61f115acdaf531d7fef7313f0c97618f
parent1f60d17e954d70a39f1022f50ff292ff22a6b00d (diff)
Do not produce unindexed search on every DEL command
Every <plugin>-del command executes an "(objectclass=*)" search to find out if a deleted node has any child nodes which would need to be deleted first. This produces an unindexed search for every del command, which biases access log audits and may affect performance too. Since most of the *-del commands delete just a single object (user, group, RBAC objects, SUDO or HBAC objects, ...) and not a tree (automount location, dns zone, ...), run a single entry delete first and only fall back to subtree search and delete when that fails.
-rw-r--r--ipalib/errors.py16
-rw-r--r--ipalib/plugins/baseldap.py8
-rw-r--r--ipaserver/plugins/ldap2.py2
3 files changed, 25 insertions, 1 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 6a4e2c5d..31fc14ea 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1501,6 +1501,22 @@ class BadSearchFilter(ExecutionError):
format = _('Bad search filter %(info)s')
+class NotAllowedOnNonLeaf(ExecutionError):
+ """
+ **4210** Raised when operation is not allowed on a non-leaf entry
+
+ For example:
+
+ >>> raise NotAllowedOnNonLeaf()
+ Traceback (most recent call last):
+ ...
+ NotAllowedOnNonLeaf: Not allowed on non-leaf entry
+ """
+
+ errno = 4210
+ format = _('Not allowed on non-leaf entry')
+
+
class CertificateError(ExecutionError):
"""
**4300** Base class for Certificate execution errors (*4300 - 4399*).
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 14a46f2d..a55a2324 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1424,7 +1424,13 @@ class LDAPDelete(LDAPMultiQuery):
except errors.NotFound:
self.obj.handle_not_found(*nkeys)
- delete_subtree(dn)
+ try:
+ self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn, normalize=self.obj.normalize_dn)
+ except errors.NotFound:
+ self.obj.handle_not_found(*nkeys)
+ except errors.NotAllowedOnNonLeaf:
+ # this entry is not a leaf entry, delete all child nodes
+ delete_subtree(dn)
for callback in self.get_callbacks('post'):
result = callback(self, ldap, dn, *nkeys, **options)
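Review bot: The fallback under `except errors.NotAllowedOnNonLeaf:` means every deletion of an entry with children now begins with a delete that the server rejects, and that rejected operation presumably lands in the same access log the commit is trying to keep clean for audits. The comment should state this, for example `# expected for container entries: the server logs the rejected delete above before the subtree search runs`, so that someone reading the log does not mistake these failures for unauthorized delete attempts. The diffstat shows no test change, so the non-leaf path (automount location, DNS zone) is not exercised by this commit; a test that deletes an entry with children would pin the fallback. The enclosing function and `delete_subtree` start outside the hunk.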
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index a0b91fd5..1a754a55 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -719,6 +719,8 @@ class ldap2(CrudBackend):
raise errors.NotAllowedOnRDN(attr=info)
except _ldap.FILTER_ERROR:
raise errors.BadSearchFilter(info=info)
+ except _ldap.NOT_ALLOWED_ON_NONLEAF:
+ raise errors.NotAllowedOnNonLeaf()
except _ldap.SUCCESS:
pass
except _ldap.LDAPError, e:
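Review bot: `raise errors.NotAllowedOnNonLeaf()` discards the server's `info`, unlike the two handlers directly above it, which pass `attr=info` and `info=info`. The `format` added in ipalib/errors.py has no placeholder, so if this error reaches a caller from an operation other than the delete fallback, the message will not say which entry or why. Consider `format = _('Not allowed on non-leaf entry %(info)s')` with `raise errors.NotAllowedOnNonLeaf(info=info)`, adjusting the doctest in the class docstring to match. The enclosing handler starts and continues outside the hunk.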