In order to be able to add multiple members to a group at one time on the command-line and be able to report individual results, we end up adding them one at a time in LDAP. We do a lot of extra searches when doing this, searching for the new member once and the group twice for each operation.
This is the set of operations fired off from adding 3 users to a group:
$ ipa group-add-member --users=kfrog,pdawn,tuser1 test1
[22/Aug/2012:12:37:21 -0400] conn=1409 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL [22/Aug/2012:12:37:21 -0400] conn=1409 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=4 SRCH base="uid=kfrog,cn=users,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass" [22/Aug/2012:12:37:23 -0400] conn=1409 op=4 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=5 SRCH base="cn=test1,cn=groups,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="member" [22/Aug/2012:12:37:23 -0400] conn=1409 op=5 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=6 SRCH base="cn=test1,cn=groups,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="member" [22/Aug/2012:12:37:23 -0400] conn=1409 op=6 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=7 SRCH base="uid=pdawn,cn=users,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass" [22/Aug/2012:12:37:23 -0400] conn=1409 op=7 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=8 SRCH base="cn=test1,cn=groups,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="member" [22/Aug/2012:12:37:23 -0400] conn=1409 op=8 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=9 SRCH base="cn=test1,cn=groups,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="member" [22/Aug/2012:12:37:23 -0400] conn=1409 op=9 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=10 SRCH base="uid=tuser1,cn=users,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass" [22/Aug/2012:12:37:23 -0400] conn=1409 op=10 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=11 SRCH base="cn=test1,cn=groups,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="member" [22/Aug/2012:12:37:23 -0400] conn=1409 op=11 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=12 SRCH base="cn=test1,cn=groups,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="member" [22/Aug/2012:12:37:23 -0400] conn=1409 op=12 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=13 SRCH base="cn=test1,cn=groups,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="cn ipaExternalMember memberOf memberofindirect gidNumber member memberindirect description" [22/Aug/2012:12:37:23 -0400] conn=1409 op=13 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=14 SRCH base="cn=test1,cn=groups,cn=accounts,dc=greyoak,dc=com" scope=0 filter="(objectClass=*)" attrs="distinguishedName member" [22/Aug/2012:12:37:23 -0400] conn=1409 op=14 RESULT err=0 tag=101 nentries=1 etime=0 [22/Aug/2012:12:37:23 -0400] conn=1409 op=15 UNBIND [22/Aug/2012:12:37:23 -0400] conn=1409 op=15 fd=66 closed - U1
I think we can check for user existence in the group before trying to add so we can report a duplicate without trying the LDAP operation. That would save a bit.
If we already have the group perhaps passing it into ldap2.py will save us a read.
Jan, wasn't this issue fixed in #3971 in 97445b2?
I'm gonna say yes (only one search per user is done now), but I think the case where you add/remove multiple members at once could be optimized more.
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: Future Releases
Login to comment on this ticket.