author | Petr Vobornik <pvoborni@redhat.com> | 2015-03-31 10:59:37 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-04-27 05:55:04 +0000 |
commit | 4364ac08c538e3a4253804f523707092b34c2ed2 (patch) | |
tree | 4340e638bf293fe20bf2e680ad050aef97a7edc9 /ipaserver | |
parent | 4a5f5b14c3159e3517b2bfefc3e89f16cebe9d4b (diff) | |
speed up indirect member processing
The old implementation tried to get all entries which are members of a group.
That also includes users. A user can't have any members, therefore this costly
processing was unnecessary.
The new implementation reduces the search to only entries which have members.
Also, the page size was removed to avoid paging by small pages (default size: 100),
which is very slow for many members.
https://fedorahosted.org/freeipa/ticket/4947
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 90 |
1 files changed, 0 insertions, 90 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 15e07f27b..d1d966c59 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -220,102 +220,12 @@ class ldap2(LDAPClient, CrudBackend): if size_limit is None: size_limit = _get_limits()['size'] - has_memberindirect = False - has_memberofindirect = False - if attrs_list: - new_attrs_list = [] - for attr_name in attrs_list: - if attr_name == 'memberindirect': - has_memberindirect = True - elif attr_name == 'memberofindirect': - has_memberofindirect = True - else: - new_attrs_list.append(attr_name) - attrs_list = new_attrs_list - res, truncated = super(ldap2, self).find_entries( filter=filter, attrs_list=attrs_list, base_dn=base_dn, scope=scope, time_limit=time_limit, size_limit=size_limit, search_refs=search_refs, paged_search=paged_search) - - if has_memberindirect or has_memberofindirect: - - # For the memberof searches, we want to apply the global limit - # if it's larger than the requested one, so decreasing limits on - # the individual query only affects the query itself. - # See https://fedorahosted.org/freeipa/ticket/4398 - def _max_with_none(a, b): - """Maximum of a and b, treating None as infinity""" - if a is None or b is None: - return None - else: - return max(a, b) - time_limit = _max_with_none(time_limit, _get_limits()['time']) - size_limit = _max_with_none(size_limit, _get_limits()['size']) - - for entry in res: - if has_memberindirect: - self._process_memberindirect( - entry, time_limit=time_limit, size_limit=size_limit) - if has_memberofindirect: - self._process_memberofindirect( - entry, time_limit=time_limit, size_limit=size_limit) - return (res, truncated) - def _process_memberindirect(self, group_entry, time_limit=None, - size_limit=None): - filter = self.make_filter({'memberof': group_entry.dn}) - try: - result, truncated = self.find_entries( - base_dn=self.api.env.basedn, - filter=filter, - attrs_list=['member'], - time_limit=time_limit, - size_limit=size_limit, - paged_search=True) - if truncated: - raise errors.LimitsExceeded() - except errors.NotFound: - result = [] - - indirect = set() - for entry in result: - 
indirect.update(entry.get('member', [])) - indirect.difference_update(group_entry.get('member', [])) - - if indirect: - group_entry['memberindirect'] = list(indirect) - - def _process_memberofindirect(self, entry, time_limit=None, - size_limit=None): - dn = entry.dn - filter = self.make_filter( - {'member': dn, 'memberuser': dn, 'memberhost': dn}) - try: - result, truncated = self.find_entries( - base_dn=self.api.env.basedn, - filter=filter, - attrs_list=[''], - time_limit=time_limit, - size_limit=size_limit) - if truncated: - raise errors.LimitsExceeded() - except errors.NotFound: - result = [] - - direct = set() - indirect = set(entry.get('memberof', [])) - for group_entry in result: - dn = group_entry.dn - if dn in indirect: - indirect.remove(dn) - direct.add(dn) - - entry['memberof'] = list(direct) - if indirect: - entry['memberofindirect'] = list(indirect) - config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]} def get_ipa_config(self, attrs_list=None): """Returns the IPA configuration entry (dn, entry_attrs).""" |