Ticket #47504 idlistscanlimit per index/type/value
https://fedorahosted.org/389/ticket/47504
Reviewed by: nhosoi (Thanks!)
Branch: 389-ds-base-1.3.0
Fix Description: Added a new attribute nsIndexIDListScanLimit to nsIndex
nsIndexIDListScanLimit: limit=NNN [type=eq[,sub,...]] [flags=ADD[,XXX..]] [values=val[,val...]]
* The limit is the idlistscanlimit to apply. The value can be -1 (unlimited), 0
(do not use the index at all), or a number to use for the idlistscanlimit.
* The type is a comma-delimited list of index types (eq,sub,etc.) to which the
limit applies. The index type must be one of the index types configured for the index (you can't configure an id list for type=sub if you do not already have
a substring index configured for the attribute).
* The flags are a comma-delimited list of additional criteria which must match.
** flags ADD - only apply the limit when the index is used in an AND (&) filter
The values are a comma-delimited list of values which must match in the search
filter in order for the limit to be applied. Since the matches are done one
at a time (we evaluate one filter component at a time), the values will match
if any of the values match.
* The values must be used with only one type at a time. If values are specified,
type must be specified, and type must be a type that deals with values, such
as eq or sub. There must be only one type specified - you can't specify values
if you use type=eq,pres or otherwise specify more than one type. The values
must correspond to the index type (eq, sub), and must correspond to the syntax
of the attribute to which the index is applied - that is, if you have
attribute uidNumber (integer) and it is indexed for eq, you can't specify
type=eq values=abc because "abc" is not integer syntax.
If the values contain spaces, commas, nulls, other values which require
escapes, the LDAP filter escape syntax should be used - backslash '\' followed
by the 2 hex digit code for the character.
The values are processed as if they were filter values - so for "sub" values,
values like "values=*sm*ith*" will be processed as if they were values in a
substring search filter like (sn=*sm*ith*)
* nsIndexIDListScanLimit is multi-valued. If a search matches more than one
nsIndexIDListScanLimit, the rules are applied in priority order.
The priority is as follows, from highest to lowest:
* * match type, flags, value
* * match type, value
* * match type, flags
* * match type
* * match flags
* For example, if you have
* dn: cn=objectclass,...
* objectclass: nsIndex
* nsIndexType: eq
* nsIndexIDListScanLimit: limit=0 type=eq flags=AND value=inetOrgPerson
* nsIndexIDListScanLimit: limit=1 type=eq value=inetOrgPerson
* nsIndexIDListScanLimit: limit=2 type=eq flags=AND
* nsIndexIDListScanLimit: limit=3 type=eq
* nsIndexIDListScanLimit: limit=4 flags=AND
* nsIndexIDListScanLimit: limit=5
* If the search filter is (&(objectclass=inetOrgPerson)(uid=foo)) then the limit=0 because all
* 3 of type, flags, and value match
* If the search filter is (objectclass=inetOrgPerson) then the limit=1 because type and value match
* but flag does not
* If the search filter is (&(objectclass=posixAccount)(uid=foo)) the the limit=2 because type and
* flags match
* If the search filter is (objectclass=posixAccount) then the limit=3 because only the type matches
* If the search filter is (&(objectclass=*account*)(objectclass=*)) then the limit=4 because only
* flags match but not the types (sub and pres)
* If the search filter is (objectclass=*account*) then the limit=5 because only the attribute matches
* but none of flags, type, or value matches
To add in testing/debugging, the LDAP_DEBUG_BACKLDBM log level is used to
print information about searches which exceed the idlistscanlimit.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: yes - document new attribute
(cherry picked from commit 824b3019beffa5bf2bc5ab2a2a3e579d50833577)
(cherry picked from commit b348886030318cd43855ae439ec3f30f898b8cd4)
rmeggins
10 years ago