On Fri, Nov 26, 2010 at 06:49:33PM -0500, Simo Sorce wrote:
> This set of patches allows SSSD to use the more reliable entryUSN
> against FreeIPA (and USNchanged against AD) when performing
> enumerations.
>
> If entryUSN(USNchanged) is not detected as available by checking rootdse
> for lastUSN(highestCommittedUSN) then we fall back to use
> modifyTimestamp which is fine in non-multimaster setups.
>
> This set comprises 4 patches.
>
> 1. pass sdap_id_ctx to sdap_id_op functions (needed later).
> 2. cleanup unused vars and functions about rootdse to avoid confusion
> 3. add connection checks to test if USNs are available.
> 4. Change the code around to use the best USN method available and
>    fall back to the previous modifyTimestamp if not.
>
> These patches have been briefly tested against a FreeIPA server with
> the entryUSN configuration patch (still unpushed upstream) and all seem
> to be working fine.

I agree with the patches, but I would like to ask to rename
max_user_value and max_group_value to something like max_user_usn and
max_group_usn, because I find the original names very misleading.

Maybe it is easier for the LDAP server to optimize a search filter with
(!(%s<=%s)) instead of (%s>=%s)(!(%s=%s)) ?

OpenLDAP users might be happy if sssd would be able to autodetect
OpenLDAP and use entryCSN. Do you think a check for the OpenLDAProotDSE
objectclass would be sufficient here?

bye,
Sumit

> Simo.
> --
> Simo Sorce * Red Hat, Inc * New York