On Tue, Sep 09, 2014 at 10:58:54AM +0100, Rowland Penny wrote:
On 09/09/14 09:59, Jakub Hrozek wrote:
>On Mon, Sep 08, 2014 at 10:03:10PM +0000, Nordgren, Bryce L -FS wrote:
>>ls -l is very slow, as is "getfacl".
>>
>>Is there any reason that a call to getpwuid(10008) should produce an ldap query
>>filter like this?:
>>
>>(&(uidNumber=10008)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
>>
>>Clearly, if uidNumber=10008, it is both present and not zero so the last two
>>terms are moot. At best, a smart ldap server will optimize this out and only waste the
>>time it takes to parse the filter. At worst, it goes and performs all three checks
>>independently.
>>
>>Also, my ldap setup is proxying "uid" defined in two remote ADs and
>>FreeIPA, optionally overriding the uid value locally to resolve conflicts. Adding (uid=*)
>>essentially translates to "send me information on every account in your system, so I
>>can then combine your remote result with the rest of the query", which is causing
>>size limit errors and/or timeouts. (objectClass=posixAccount) would cause the same issues,
>>except none of the entries in AD are posixAccounts. FreeIPA will probably observe exactly
>>the same phenomenon when they implement views.
>>
>>Is there any way for me to control this ldap query, hopefully knocking it down to
>>(&(uidNumber=10008)(objectClass=posixAccount)), requesting attribute uid?
>>
>>Thanks,
>>Bryce
>Are you sure it would help in your environment? Did you check that
>searching with:
> (&(uidNumber=10008)(objectClass=posixAccount))
>is faster than:
>
> (&(uidNumber=10008)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
>
>Please note I'm not dismissing the optimization, I'm just a bit
>surprised that this would make any difference..
>
>As per why we construct the filter like this..we first take a base
>filter. Here is a simple pseudocode:
>    if using_posix_ids:
>        # Base filter makes sure there is a posix attribute
>        base_filter = (objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))
>    else if id_mapping:
>        # Base filter makes sure there is a SID to map the ID from
>        base_filter = (objectclass=posixAccount)(sid=*)
>
>    if searching_by_name:
>        specific_filter = (cn=$key)
>    else if searching_by_id:
>        specific_filter = (uidNumber=$key)
>
>    filter = AND(base_filter, specific_filter)
>
>This way, even when searching a POSIX user by name, we make sure this
>user has an ID.
>_______________________________________________
>sssd-users mailing list
>sssd-users(a)lists.fedorahosted.org
>https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Can I jump in here and point out that the base filter will never work against a
Windows AD server? Windows AD does not use the posixAccount objectclass
directly; it is an auxiliary class of 'User' and as such never appears, but
its attributes do.
Well, we do use different objectclasses for different back ends. For AD
we use 'group'.
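To make the filter construction in the pseudocode concrete, here is an added Python example (my own code, not SSSD's) that rebuilds the query Bryce observed from a base filter and a specific filter, and escapes the lookup key per RFC 4515 so a name containing filter metacharacters cannot change the query. The function names, the id_source/key_type arguments and the ordering of the AND terms are assumptions.

```python
# Added example, not SSSD's code: rebuild the search filter from the pseudocode above.
# Function names, the id_source/key_type arguments and the ordering of the AND terms
# (specific term first, matching the filter seen on the wire) are assumptions.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a name such as 'a)(uid=*' would change the meaning of the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in str(value))


def base_filter(id_source):
    """Base filter: make sure the entry actually has a usable POSIX id."""
    if id_source == "posix_ids":
        # Require a POSIX id and exclude uidNumber 0
        return "(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0)))"
    if id_source == "id_mapping":
        # Require a SID so the id can be mapped from it
        return "(objectclass=posixAccount)(sid=*)"
    raise ValueError("unknown id source: %r" % (id_source,))


def specific_filter(key_type, key):
    """Specific filter: the term that selects one account."""
    if key_type == "name":
        return "(cn=%s)" % escape_filter_value(key)
    if key_type == "id":
        # int() rejects anything that is not a number, so no escaping is needed here
        return "(uidNumber=%d)" % int(key)
    raise ValueError("unknown key type: %r" % (key_type,))


def build_filter(id_source, key_type, key):
    """AND the two parts together; the specific term comes first, as in the observed query."""
    return "(&" + specific_filter(key_type, key) + base_filter(id_source) + ")"


def simplified_filter(key):
    """The shorter filter Bryce proposes for lookups by id: the uid=* and uidNumber
    checks are implied by uidNumber=<key> and are dropped."""
    return "(&(uidNumber=%d)(objectClass=posixAccount))" % int(key)


if __name__ == "__main__":
    print(build_filter("posix_ids", "id", 10008))
    print(simplified_filter(10008))
```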