FreeIPA has two files that deal with database indices:
install/share/indices.ldif
install/updates/20-indices.update
Any index that is defined only in 20-indices.update or modified in 20-indices.update impacts the installation process in two ways
I assume that it would be more efficient and faster to keep the files in sync so that 20-indices.update does not create any index tasks for ipa-server-install and ipa-replica-install. This may reduce installation time of a large replica, too.
https://pagure.io/freeipa/issue/8491
Perhaps it makes sense to get rid of indices.ldif and define the indices just in the update file? Update LDIF files work as soon as root autobind is configured. PR https://github.com/freeipa/freeipa/pull/5102 adds a convenient wrapper to apply update LDIF files.
Script to dump all indices in ULDIF format:
```python
#!/usr/bin/python3
import operator

from ipapython.dn import DN
from ipalib import api

INDEX_DN = DN("cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config")
INDEX_FILTER = "(objectClass=nsIndex)"
# Attributes emitted with the "default:" action
DEFAULT_ATTRS = ["cn", "objectClass", "nsSystemIndex"]
# Attributes emitted with the "only:" action
ADD_ATTRS = ["nsIndexType", "nsMatchingRule"]


def main():
    api.bootstrap(in_server=True)
    api.finalize()
    ldap2 = api.Backend.ldap2
    ldap2.connect()
    entries, truncated = ldap2.find_entries(
        filter=INDEX_FILTER, base_dn=INDEX_DN, attrs_list=["*"]
    )
    for entry in sorted(entries, key=operator.attrgetter("dn")):
        # Skip indices flagged as system indices
        if entry.single_value['nsSystemIndex'] == 'true':
            continue
        print(f"dn: {entry.dn}")
        for name in DEFAULT_ATTRS:
            for value in sorted(entry.get(name, ())):
                print(f"default: {name}: {value}")
        for name in ADD_ATTRS:
            for value in sorted(entry.get(name, ())):
                print(f"only: {name}: {value}")
        if entry.single_value["cn"] == "ipaAnchorUUID":
            print("# see https://pagure.io/freeipa/issue/6975")
            print("remove: cn: ipaOriginalUid")
        print()


if __name__ == "__main__":
    main()
```
Initial LDIF + update LDIF define a total of 62 unique indices. None of the indices is flagged as system index.
```
$ grep -h 'cn=index' install/updates/20-indices.update install/updates/20-winsync_index.update install/updates/20-idoverride_index.update install/share/indices.ldif | sort | uniq
dn: cn=accessRuleType,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=altSecurityIdentities,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=automountMapName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
dn: cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=hostCategory,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=idnsName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaallowedtarget,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaassignedidview,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaCertmapData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaConfigString,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaEnabledFlag,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipalocation,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaNTSecurityIdentifier,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaNTTrustPartner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipatokenradiusconfiglink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ipServicePort,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=krbPasswordExpiration,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=l,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=memberManager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=memberuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=nsHardwarePlatform,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
dn: cn=nsHostLocation,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
dn: cn=nsOsVersion,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=seealso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=serverhostname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=userCertificate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
```
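An added example, not part of the ticket or of FreeIPA's own code: a checker for the sync problem described above, reporting which indices an update file would add or change relative to the initial LDIF. The two embedded samples are constructed, `parse_indices` and `out_of_sync` are hypothetical helper names, and index names are compared case-insensitively (note the `userroot`/`userRoot` variants in the listing).

```python
import re

# Constructed samples in the two formats the issue discusses; not the real files.
INDICES_LDIF = """\
dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsIndexType: eq
nsIndexType: sub

dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
nsIndexType: eq
"""
UPDATE_ULDIF = """\
dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only: nsIndexType: eq
only: nsIndexType: sub

dn: cn=description,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only: nsIndexType: eq
only: nsIndexType: sub

dn: cn=ipaNTTrustPartner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default: cn: ipaNTTrustPartner
only: nsIndexType: eq
"""

ACTION = re.compile(r"^(?:default|only|add):\s*")  # update-file action prefixes


def parse_indices(text):
    """Map lower-cased index name (first RDN of the dn) -> set of nsIndexType."""
    indices, current = {}, None
    for line in text.splitlines():
        line = ACTION.sub("", line.strip())
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = value.split(",", 1)[0].split("=", 1)[1].strip().lower()
            indices.setdefault(current, set())
        elif name == "nsindextype" and current is not None:
            indices[current].update(t.strip().lower() for t in value.split(","))
    return indices


def out_of_sync(ldif_text, update_text):
    """Indices the update file would add or modify relative to the LDIF."""
    base, update = parse_indices(ldif_text), parse_indices(update_text)
    added = sorted(set(update) - set(base))
    changed = sorted(n for n in update if n in base and update[n] != base[n])
    return added, changed
```

Both returned lists are empty when the two files are in sync.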
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5157
master:
ipa-4-8:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to Configuration of LDAP indices was moved into a single place. New indices were added to attributes related to trusted domains operations. Performance improvement is expected for Kerberos service tickets requested by users from trusted Active Directory domains.
Indices backported to ipa-4-6: ipa-4-6: