[Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

Adam Young ayoung at redhat.com
Mon Dec 20 17:29:55 UTC 2010


On 12/20/2010 11:20 AM, Jan Zelený wrote:
> Pavel Zuna <pzuna at redhat.com> wrote:
>    
>> On 12/08/2010 08:30 PM, Rob Crittenden wrote:
>>      
>>> Pavel Zůna wrote:
>>>        
>>>> On 2010-11-30 04:06, Rob Crittenden wrote:
>>>>          
>>>>> Pavel Zůna wrote:
>>>>>            
>>>>>> LDAPSearch base class has now the ability to generate additional
>>>>>> options for objects with member attributes. These options are
>>>>>> used to filter search results - search only for objects without
>>>>>> the specified members.
>>>>>>
>>>>>> Any class that extends LDAPSearch can benefit from this functionality.
>>>>>> This patch enables it for the following objects:
>>>>>> group, netgroup, rolegroup, hostgroup, taskgroup
>>>>>>
>>>>>> Example:
>>>>>> ipa group-find --no-users=admin
>>>>>>
>>>>>> Only direct members are taken into account, but if we need indirect
>>>>>> members as well - it's not a problem.
>>>>>>
>>>>>> Ticket #288
>>>>>>
>>>>>> Pavel
>>>>>>              
>>>>> This works as advertised but I wonder what would happen if a huge list
>>>>> of members was passed in to ignore. Is there a limit on the search
>>>>> filter size (remember that the member will be translated into a full dn
>>>>> so will quickly grow in size).
>>>>>
>>>>> Should we impose a configurable limit on the # of members to be
>>>>> excluded?
>>>>>
>>>>> Is there a max search filter size and should we check that we haven't
>>>>> exceeded that before doing a search?
>>>>>
>>>>> rob
>>>>>            
>>>> I tried it out with more than a 1000 users and was getting an unwilling
>>>> to perform error (search filter nested too deep).
>>>>
>>>> After a little bit of investigation, I figured the filter was being
>>>> generated like this:
>>>>
>>>> (&(&(!(a=v))(!(a2=v2))))
>>>>
>>>> We were going deeper with each additional DN!
>>>>
>>>> I updated the patch to generate the filter like this instead:
>>>>
>>>> (!(|(a=v)(a2=v2)))
>>>>
>>>> Tried it again with more than 1000 users (~55Kb) - it worked and wasn't
>>>> even slow.
>>>>
>>>> Updated patch attached.
>>>>
>>>> I also had to fix a bug in ldap2 filter generator, as a result this
>>>> patch depends on my patch number 43.
>>>>
>>>> Pavel
>>>>          
>>> You'll need to rebase this against master but otherwise ACK.
>>>
>>> It might be a small optimization to de-dupe the no-users list but it
>>> isn't a priority.
>>>
>>> rob
>>>        
>> Re-based patch attached.
>>
>> Pavel
>>      
>
> This hasn't been already pushed and the patch still applies against master.
> Can someone push it so the ticket can be closed?
>
> Jan
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK, pushed to master
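The two filter shapes Pavel describes, as an added example that is not FreeIPA's code: it builds the original nested exclusion filter and the fixed flat one, escapes member values per RFC 4515 so a member name cannot change the filter's structure, de-dupes the list as Rob suggests, and reports nesting depth. The base filter, attribute name and DN template are assumptions.

```python
# Added example (not FreeIPA's code): compare the two "exclude members" filter
# constructions from the thread. Base filter, attribute and DN template are assumed.

BASE_FILTER = '(objectclass=posixgroup)'
MEMBER_ATTR = 'member'
USER_DN = 'uid=%s,cn=users,cn=accounts,dc=example,dc=com'  # constructed DN template


def escape_filter_value(value):
    """Escape characters that are special inside an LDAP filter (RFC 4515)."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def member_dns(user_names):
    """Translate user names to full DNs, dropping duplicates but keeping order.
    DN-level escaping (RFC 4514) is omitted here; the filter escaping below is
    applied to the whole DN when it is placed into the filter."""
    seen, dns = set(), []
    for name in user_names:
        dn = USER_DN % name
        if dn not in seen:
            seen.add(dn)
            dns.append(dn)
    return dns


def nested_exclusion_filter(dns):
    """Original construction: each excluded DN wraps the filter in another (&...),
    so nesting depth grows by one per DN and a long list trips the server limit."""
    filt = BASE_FILTER
    for dn in dns:
        filt = '(&%s(!(%s=%s)))' % (filt, MEMBER_ATTR, escape_filter_value(dn))
    return filt


def flat_exclusion_filter(dns):
    """Fixed construction: one NOT over one OR of all DNs, constant depth."""
    if not dns:
        return BASE_FILTER
    alternatives = ''.join('(%s=%s)' % (MEMBER_ATTR, escape_filter_value(dn)) for dn in dns)
    return '(&%s(!(|%s)))' % (BASE_FILTER, alternatives)


def filter_depth(filt):
    """Maximum parenthesis nesting depth; escaped values contribute no parens."""
    depth = deepest = 0
    for ch in filt:
        if ch == '(':
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ')':
            depth -= 1
    return deepest
```

With 1200 constructed users, `filter_depth(nested_exclusion_filter(dns))` is 1202 while the flat form stays at 4 regardless of list size.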
