weixin_39538687
weixin_39538687
2020-12-28 10:26

Use single update LDIF for indices and add more indices

Use single update LDIF for indices

Index definitions were split across four files. indices.ldif contained the initial subset of indices. Three update files partly duplicated the indices and partly added new indices.

All indices are now defined in a single update file that is sorted alphanumerically.

The changeset avoids two additional index tasks and reduces installation time by 5 to 10 seconds.

Add more indices

ipaCASubjectDN is used by lightweight sub CA feature.

ipaExternalMember is used by KRB driver to assemble MS-PAC records.

ipaNTSecurityIdentifier was only index for "pres" and was missing an index on "eq". Samba and ipasam perform queries with SID string.

memberPrincipal is used by S4U2Proxy constrained delegation and by ipa-custodia.

Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and ipaKeyUsage are currently not index because an index would rarely used or have a poor selectivity.

Fixes: https://pagure.io/freeipa/issue/8493

该提问来源于开源项目:freeipa/freeipa

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答

8条回答

  • weixin_39538687 weixin_39538687 4月前

    fedora-latest/test_acme — RunPytest timed out after 3600s

    点赞 评论 复制链接分享
  • weixin_39857153 weixin_39857153 4月前

    LGTM.

    点赞 评论 复制链接分享
  • weixin_39857153 weixin_39857153 4月前

    Ack from me. I think it should be backported to ipa-4-8 and may be to ipa-4-6 branches.

    点赞 评论 复制链接分享
  • weixin_39857153 weixin_39857153 4月前

    For the record, here is the difference in indices between 4.8.9 in Fedora 32 and this PR:

    
    --- indices-current.ldif    2020-09-28 14:13:14.610368145 +0000
    +++ indices-new.ldif    2020-09-28 14:13:21.990331394 +0000
    @@ -187,6 +187,15 @@
     objectClass: top
     objectClass: nsIndex
    
    +# ipaCASubjectDN, index, userRoot, ldbm database, plugins, config
    +dn: cn=ipaCASubjectDN,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=conf
    + ig
    +objectClass: nsIndex
    +objectClass: top
    +nsSystemIndex: false
    +cn: ipaCASubjectDN
    +nsIndexType: eq
    +
     # ipaCertmapData, index, userRoot, ldbm database, plugins, config
     dn: cn=ipaCertmapData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=conf
      ig
    @@ -214,6 +223,15 @@
     objectClass: top
     objectClass: nsIndex
    
    +# ipaExternalMember, index, userRoot, ldbm database, plugins, config
    +dn: cn=ipaExternalMember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=c
    + onfig
    +objectClass: nsIndex
    +objectClass: top
    +nsSystemIndex: false
    +cn: ipaExternalMember
    +nsIndexType: eq
    +
     # ipaKrbAuthzData, index, userRoot, ldbm database, plugins, config
     dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=con
      fig
    @@ -263,6 +281,25 @@
     objectClass: top
     objectClass: nsIndex
    
    +# ipaNTSecurityIdentifier, index, userRoot, ldbm database, plugins, config
    +dn: cn=ipaNTSecurityIdentifier,cn=index,cn=userRoot,cn=ldbm database,cn=plugin
    + s,cn=config
    +objectClass: top
    +objectClass: nsIndex
    +nsSystemIndex: false
    +cn: ipaNTSecurityIdentifier
    +nsIndexType: eq
    +nsIndexType: pres
    +
    +# ipaNTTrustPartner, index, userRoot, ldbm database, plugins, config
    +dn: cn=ipaNTTrustPartner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=c
    + onfig
    +objectClass: top
    +objectClass: nsIndex
    +nsSystemIndex: false
    +cn: ipaNTTrustPartner
    +nsIndexType: pres
    +
     # ipaOriginalUid, index, userRoot, ldbm database, plugins, config
     dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=conf
      ig
    @@ -438,6 +475,8 @@
     nsSystemIndex: false
     objectClass: top
     objectClass: nsIndex
    +nsMatchingRule: caseIgnoreIA5Match
    +nsMatchingRule: caseExactIA5Match
    
     # memberdenycmd, index, userRoot, ldbm database, plugins, config
     dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=confi
    @@ -478,6 +517,15 @@
     objectClass: top
     objectClass: nsIndex
    
    +# memberPrincipal, index, userRoot, ldbm database, plugins, config
    +dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=con
    + fig
    +objectClass: nsIndex
    +objectClass: top
    +nsSystemIndex: false
    +cn: memberPrincipal
    +nsIndexType: eq
    +
     # memberservice, index, userRoot, ldbm database, plugins, config
     dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=confi
      g
    @@ -655,12 +703,12 @@
    
     # seeAlso, index, userRoot, ldbm database, plugins, config
     dn: cn=seeAlso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    -cn: seeAlso
     nsIndexType: eq
     nsIndexType: sub
     nsSystemIndex: false
     objectClass: top
     objectClass: nsIndex
    +cn: seealso
    
     # serverhostname, index, userRoot, ldbm database, plugins, config
     dn: cn=serverhostname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=conf
    @@ -762,5 +810,5 @@
     search: 2
     result: 0 Success
    
    -# numResponses: 81
    -# numEntries: 80
    +# numResponses: 86
    +# numEntries: 85
    

    I don't see anything lost.

    点赞 评论 复制链接分享
  • weixin_39857153 weixin_39857153 4月前

    Removing ACK as Christian noticed there are two excessive matching rules for memberallowcmd which shouldn't be there.

    点赞 评论 复制链接分享
  • weixin_39538687 weixin_39538687 4月前

    Removed nsMatchingRule from memberallowcmd.

    点赞 评论 复制链接分享
  • weixin_39538687 weixin_39538687 4月前

    Backport to 4.8 has to include a backport of PR #5102.

    点赞 评论 复制链接分享
  • weixin_39538687 weixin_39538687 4月前

    master:

    • e46c3792f3419f807864adc1cb36887fe6c9e36c Use single update LDIF for indices
    • 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5 Add more indices
    点赞 评论 复制链接分享

相关推荐