member/memberOf and samldb.c
Simo Sorce
idra at samba.org
Mon Aug 29 07:18:55 GMT 2005
On Mon, 2005-08-29 at 11:53 +1000, tridge at samba.org wrote:
> Luke,
>
> Thanks for the pointer!
>
> > Objects should be linked using a persistent identifier such as GUID
> > to avoid these referential integrity issues -- some of them are very
> > tricky to do after the fact.
>
> that could be a bit tricky for us, though I can see the advantages of
> using a GUID or similar unique token.
>
> At the moment the index records in the ldb_tdb backend point to
> DNs. So the index record for 'member=foo' contains a list of DNs of
> records that have member=foo.
>
> If we changed the indexing to instead contain lists of GUIDs, and used
> GUIDs to link the member and memberOf fields then I can't see how we
> would avoid loading O(N) records to dynamically generate the memberOf
> attribute when someone wants to lookup a user record (where 'N' is the
> number of groups the user is a member of). This is because we'd have
> to do this:
>
> 1) load the index record for member=foo, giving a list of GUIDs
>
> 2) load the records associated with each of those GUIDs, retrieving
> the DN attribute
>
> 3) form the list of memberOf values for the user from the DNs
> returned in step (2)
>
> If a user is a member of just a few groups then this would be OK, but
> if a user is a member of hundreds of groups then this would get really
> bad.
>
> If we stick to using DNs for the indexing then we can skip step (2),
> which means loading just 2 records from the database no matter how
> many groups the user is a member of.
I'd go down this route, and we just need to have an ldb module that
takes care of deleting any reference to a deleted object.
> The downside as you point out is that we need to be very careful to
> completely remove any links to DNs when a DN becomes invalid (due to a
> delete or rename). We should be able to do that safely in a ldb module
> as write operations in ldb modules happen with the database locked, so
> nobody can sneak in and use the db while we are in an inconsistent
> state. The code will need to be very careful though.
exactly.
Simo.
--
Simo Sorce - idra at samba.org
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
More information about the samba-technical
mailing list