#5281 3 unnecessary search operations for each user in user-find
Closed: Fixed None Opened 6 years ago by pvoborni.

User-find performs for each user:

self.obj.get_password_attributes(ldap, dn, entry_attrs)
convert_sshpubkey_post(ldap, dn, entry_attrs)

For each user, it results in:

[02/Sep/2015:18:52:07 +0200] conn=7481 op=7 SRCH base="uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(userPassword=*)" attrs="userPassword"
[02/Sep/2015:18:52:07 +0200] conn=7481 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[02/Sep/2015:18:52:07 +0200] conn=7481 op=8 SRCH base="cn=ipaconfig,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Sep/2015:18:52:07 +0200] conn=7481 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[02/Sep/2015:18:52:07 +0200] conn=7481 op=9 SRCH base="uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[02/Sep/2015:18:52:07 +0200] conn=7481 op=9 RESULT err=0 tag=101 nentries=1 etime=0
[02/Sep/2015:18:52:07 +0200] conn=7481 op=10 SRCH base="cn=ipaconfig,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Sep/2015:18:52:07 +0200] conn=7481 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[02/Sep/2015:18:52:07 +0200] conn=7481 op=11 SRCH base="uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"

If somebody increases the search size limit to e.g. 1000, it can lead to 3000 unnecessary searches.

Either add userPassword, krbPrincipalKey, ipaSshPubKey to the search attr list or don't do the operations listed above.
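
Added example (not FreeIPA code and not part of the original ticket): a small access-log check for the pattern in the excerpt above, i.e. repeated scope=0 searches against the same entry on one connection. The sample log is constructed in the quoted 389-ds format; the function names and the `dc=example,dc=test` suffix are assumptions.

```python
import re
from collections import defaultdict

# Matches SRCH lines in the access-log format quoted in the ticket.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) '
                  r'filter="([^"]*)" attrs=(ALL|"[^"]*")')

def base_scope_repeats(log_text, min_repeats=2):
    """Return {(conn, base_dn): [filters]} for entries that were read with
    repeated scope=0 (base) searches on one connection."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m and m.group(4) == "0":  # subtree/one-level searches are ignored
            seen[(int(m.group(1)), m.group(3).lower())].append(m.group(5))
    return {k: v for k, v in seen.items() if len(v) >= min_repeats}

def build_sample(users, suffix="dc=example,dc=test"):
    """Constructed log: one subtree search, then the per-user follow-up
    searches in the order shown in the ticket (not real server output)."""
    ts, op, out = "[02/Sep/2015:18:52:07 +0200]", 1, []

    def srch(base, scope, flt, attrs):
        nonlocal op
        out.append(f'{ts} conn=1 op={op} SRCH base="{base}" scope={scope} '
                   f'filter="{flt}" attrs={attrs}')
        out.append(f'{ts} conn=1 op={op} RESULT err=0 tag=101 nentries=1 etime=0')
        op += 1

    config = f"cn=ipaconfig,cn=etc,{suffix}"
    srch(f"cn=users,cn=accounts,{suffix}", 2, "(objectClass=posixaccount)", '"uid"')
    for user in users:
        dn = f"uid={user},cn=users,cn=accounts,{suffix}"
        srch(dn, 0, "(userPassword=*)", '"userPassword"')
        srch(config, 0, "(objectClass=*)", "ALL")
        srch(dn, 0, "(krbPrincipalKey=*)", '"krbPrincipalKey"')
        srch(config, 0, "(objectClass=*)", "ALL")
        srch(dn, 0, "(objectClass=*)", '"ipaSshPubKey"')
    return "\n".join(out)

if __name__ == "__main__":
    hits = base_scope_repeats(build_sample(["admin", "alice"]))
    for (conn, base), filters in sorted(hits.items()):
        print(f"conn={conn} {len(filters)}x base search on {base}: {filters}")
```
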


The second operation is also tracked in #3376

It is not possible to add userPassword, krbPrincipalKey to the search attribute list because they are derived by doing a presence check search.

ipaSshPubKey is ticket #3376

master:

  • fe2ce02 Performance: don't download password attributes in host/user-find

master:

  • b87a825 fix stageuser tests (removal of has_keytab and has_password from find)

Metadata Update from @pvoborni:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.4

5 years ago
