[Freeipa-devel] [PATCH] 22 Add memberHost and memberUser to default indexes
Dmitri Pal
dpal at redhat.com
Fri Apr 1 19:54:39 UTC 2011
On 04/01/2011 02:06 PM, Rich Megginson wrote:
> On 04/01/2011 11:26 AM, Rob Crittenden wrote:
>> JR Aquino wrote:
>>> On Mar 30, 2011, at 1:16 PM, JR Aquino wrote:
>>>
>>>> The plugin architecture makes a great deal of calls to search for
>>>> memberUser and memberHost. These attributes are missing from the
>>>> index and are greatly slowing down the CLI and WebUI.
>>>>
>>>> They should be added as Equality Indexes, as the searches that are
>>>> performed are meant for enumeration after the exact value is known.
>>>>
>>>> <freeipa-jraquino-0022-Add-memberHost-and-memberUser-to-default-indexes.patch>_______________________________________________
>>>>
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>> Missed some trailing whitespace.
>>>
>>> Corrected patch attached.
>>
>> After loading this the 389-ds error logs spit out:
>>
>> [01/Apr/2011:13:26:01 -0400] - The attribute [memberHost] does not
>> have a valid ORDERING matching rule - error 2:s
>> [01/Apr/2011:13:26:01 -0400] - The attribute [memberUser] does not
>> have a valid ORDERING matching rule - error 2:s
> Looking at the schema in 60basev2.ldif - it looks as though there are
> many attributes that do not have an ORDERING matching rule specified
> correctly:
> attributeTypes: (2.16.840.1.113730.3.8.3.5 NAME 'memberUser' DESC
> 'Reference to a principal that performs an action (usually user).' SUP
> distinguishedName EQUALITY distinguishedNameMatch ORDERING
> distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
> attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC
> 'Reference to a device where the operation takes place (usually
> host).' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING
> distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
>
> 1.3.6.1.4.1.1466.115.121.1.12 is DN syntax - there is no ORDERING
> matching rule for DN syntax - is there some reason you want to be able
> to do range searches on DN values?
>
I thought that ordering is used for the sorting. If you sort things by
an attribute.
I suspect that there are cases when it makes sense to sort the result
set by DN.
I think HBAC is one of those. But if ordering is not something that
should be used in this case then what shoud?
> attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC
> 'Additional classification for hosts' EQUALITY caseIgnoreMatch
> ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
>
> This should be ORDERING caseIgnoreOrderingMatch - looks like there may
> be more of these too.
This is probably an artifact of me defineing the schema 2 years ago.
Can you please file a BZ and a ticket.
IMO we should fix the schema inconsistencies ASAP.
Please review the rest of the defined attributes and make sure there are
no problems like this.
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list