From 04627b72d6d6cbf3a9dadc614a532505e31957f5 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Thu, 23 Jan 2014 12:22:38 +0100
Subject: Limit memberOf and refInt DS plugins to main IPA suffix.

This drastically improves performance of retro changelog trimming.

https://fedorahosted.org/freeipa/ticket/3967
---
 freeipa.spec.in                    |  6 +++---
 install/updates/20-syncrepl.update | 13 ++++++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3b0ecefd6..f4e22831d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -21,7 +21,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.1.3
+BuildRequires:  389-ds-base-devel >= 1.3.2.10
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
@@ -97,7 +97,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.3
+Requires: 389-ds-base >= 1.3.2.10
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss >= 3.14.3-2
@@ -153,7 +153,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.1.3
+Requires(pre): 389-ds-base >= 1.3.2.10
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index c4158a163..e1184bf48 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -1,9 +1,20 @@
-# Enable Retro changelog
+# Enable Retro changelog - it is necessary for SyncRepl
 dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
+# Remember original nsuniqueid for objects referenced from cn=changelog
 add:nsslapd-attribute: nsuniqueid:targetUniqueId
 add:nsslapd-changelogmaxage: 2d
 
+# Keep memberOf and referential integrity plugins away from cn=changelog.
+# It is necessary for performance reasons because we don't have appropriate
+# indices for cn=changelog.
+dn: cn=MemberOf Plugin,cn=plugins,cn=config
+add:memberofentryscope: '$SUFFIX'
+
+dn: cn=referential integrity postoperation,cn=plugins,cn=config
+add:nsslapd-plugincontainerscope: '$SUFFIX'
+add:nsslapd-pluginentryscope: '$SUFFIX'
+
 # Enable SyncRepl
 dn: cn=Content Synchronization,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
-- 
cgit