On Mon, Sep 08, 2014 at 10:03:10PM +0000, Nordgren, Bryce L -FS
wrote:
> ls -l is very slow, as is "getfacl".
>
> Is there any reason that a call to getpwuid(10008) should produce an ldap query
> filter like this?:
>
> (&(uidNumber=10008)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
>
> Clearly, if uidNumber=10008, it is both present and not zero so the last two terms
> are moot. At best, a smart ldap server will optimize this out and only waste the time it
> takes to parse the filter. At worst, it goes and performs all three checks independently.
>
> Also, my ldap setup is proxying "uid" defined in two remote ADs and
> FreeIPA, optionally overriding the uid value locally to resolve conflicts. Adding (uid=*)
> essentially translates to "send me information on every account in your system, so I
> can then combine your remote result with the rest of the query", which is causing
> size limit errors and/or timeouts. (objectClass=posixAccount) would cause the same issues,
> except none of the entries in AD are posixAccounts. FreeIPA will probably observe exactly
> the same phenomenon when they implement views.
>
> Is there any way for me to control this ldap query, hopefully knocking it down to
> (&(uidNumber=10008)(objectClass=posixAccount)), requesting attribute uid?
>
> Thanks,
> Bryce
Are you sure it would help in your environment? Did you check that
searching with:
(&(uidNumber=10008)(objectClass=posixAccount))
is faster than:
(&(uidNumber=10008)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
Please note I'm not dismissing the optimization, I'm just a bit
surprised that this would make any difference.
As for why we construct the filter like this: we first take a base
filter. Here is a simple pseudocode:
    if using_posix_ids:
        # Base filter makes sure there is a posix attribute
        base_filter = "(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))"
    elif id_mapping:
        # Base filter makes sure there is a SID to map the ID from
        base_filter = "(objectclass=posixAccount)(sid=*)"
    if searching_by_name:
        specific_filter = "(cn=%s)" % key
    elif searching_by_id:
        specific_filter = "(uidNumber=%s)" % key
    # AND(base_filter, specific_filter): wrap both in a single (&...) term
    filter = "(&" + specific_filter + base_filter + ")"
This way, even when searching a POSIX user by name, we make sure this
user has an ID.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Can I jump in here and point out that the base filter will never work against
a Windows AD server; Windows AD does not use the posixAccount
objectclass directly, it is an auxiliary class of 'User' and as such
never appears, but its attributes do.
Rowland
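Added example (not code from this thread or from SSSD itself): it composes the filter the way the pseudocode in the reply above describes and evaluates it against constructed entries with a small RFC 4515 evaluator, showing that the extra base-filter terms reject an entry mapped to uidNumber 0 on a by-name lookup, and that an AD-style entry lacking the posixAccount objectclass value fails the filter even though its attributes are present, as Rowland notes. The evaluator handles only &, |, ! and equality/presence, and assumes entry attribute names are stored in lowercase.

```python
# Added example: build the sssd-style filter from the reply's pseudocode and
# evaluate it with a minimal RFC 4515 evaluator (&, |, !, equality, presence).

def build_filter(key, by_name, using_posix_ids=True):
    """AND(base_filter, specific_filter) exactly as the reply describes."""
    if using_posix_ids:
        # posixAccount with a uid and a present, non-zero uidNumber
        base = "(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))"
    else:
        # ID-mapping mode: a SID is needed to derive the POSIX ID
        base = "(objectclass=posixAccount)(sid=*)"
    specific = "(cn=%s)" % key if by_name else "(uidNumber=%s)" % key
    return "(&" + specific + base + ")"

def _split(body):
    """Split '(a)(b)(c)' into its top-level components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts

def matches(flt, entry):
    """Evaluate filter against entry = {attr (lowercase): [values]}."""
    body = flt[1:-1]
    if body[0] == "&":
        return all(matches(p, entry) for p in _split(body[1:]))
    if body[0] == "|":
        return any(matches(p, entry) for p in _split(body[1:]))
    if body[0] == "!":
        return not matches(body[1:], entry)
    attr, value = body.split("=", 1)
    vals = entry.get(attr.lower(), [])
    if value == "*":
        return bool(vals)                      # presence test
    return any(v.lower() == value.lower() for v in vals)

# Constructed sample entries (not real directory data).
POSIX_USER = {"objectclass": ["posixAccount"], "cn": ["bryce"],
              "uid": ["bryce"], "uidnumber": ["10008"]}
ROOT_ALIAS = {"objectclass": ["posixAccount"], "cn": ["bryce"],
              "uid": ["bryce"], "uidnumber": ["0"]}
# AD-style entry: posixAccount is auxiliary there, so only its attributes appear
AD_USER = {"objectclass": ["top", "person", "organizationalPerson", "user"],
           "cn": ["bryce"], "uid": ["bryce"], "uidnumber": ["10008"]}
```

Compare matches(build_filter("bryce", True), ROOT_ALIAS) with the bare (&(cn=bryce)(objectclass=posixAccount)) form to see which entries the extra terms keep out.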