[PATCH] pdb_ldap: Use lp_ldap_group_suffix
abartlet at samba.org
Mon Jul 9 17:06:40 MDT 2012
On Mon, 2012-07-09 at 23:20 +0200, Michael Adam wrote:
> Hi Christof,
>
> Christof Schmitt wrote:
> > The current code in pdb_ldap uses the generic ldap_suffix for all
> > queries on the LDAP server. With this approach, the LDAP server
> > has to look at all user, machine and group records for all
> > queries. The attached patch changes the group queries to use the
> > lp_ldap_group_suffix instead.
> >
> > I tried to also do the same for user and machine records, but
> > user and machine records can use different suffixes and there is
> > no easy way to distinguish between them. Querying both suffixes,
> > user and machine, would defeat the goal of reducing the load on
> > the LDAP server, so this patch only uses the group suffix.
>
> Well, this is essentially the revert of
> "Fix bug #6431 - local groups from 3.0 setups no longer found."
> (Search for groups without group suffix, group suffix is only
> used for new entries.)
>
> So we can't simply revert that if we still want to
> support older installations.
>
> We could force the use of some form of "upgrade-provision" for
> older installations.
>
> Or we could add another option that triggers this use of the
> group suffix.
>
> More options? What do others think?

Given that the original problem is performance, I think that changing
the behaviour for everyone is the wrong approach. Indeed, I'm quite
surprised that this makes any performance difference at all (it would
not on Samba4's LDAP server design).

If these queries do not hit unique indexes in the DB, then unique
indexes should be created until all these queries (except enumerations,
which should at least hit a multiple match index on objectclass, equal
in performance to a subtree search) are fast.

Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org