Add more indices

ipaCASubjectDN is used by lightweight sub CA feature. ipaExternalMember is used by KRB driver to assemble MS-PAC records. ipaNTSecurityIdentifier was only index for "pres" and was missing an index on "eq". Samba and ipasam perform queries with SID string. memberPrincipal is used by S4U2Proxy constrained delegation and by ipa-custodia. Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and ipaKeyUsage are currently not index because an index would rarely used or have a poor selectivity. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
freeipa · Sep 29, 2020 · 9f0ec27 · 9f0ec27
1 parent e46c379
commit 9f0ec27
Showing 1 changed file with 40 additions and 3 deletions.
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
@@ -27,15 +27,30 @@
 #  * uid: eq [IPA: +pres]
 #  * uniqueMember: eq [IPA: +sub]
 #
+#
+# Unindex attributes
+# ------------------
+#
+# Some attributes are currently not indexed because an index would not be
+# rarely used or have a poor selectivity.
+#
+# - dnaHostname: only used by update_dna_shared_config, server_del, and
+#                ipa-replica-install
+# - ipServiceProtocol: not used by SSSD at the moment and has a poor
+#                      selectivity ('tcp' or 'udp')
+# - ipaCertSubject: only queried in update_fix_duplicate_cacrt_in_ldap
+# - ipaKeyUsage: rarely used by ipa-custodia and poor selectivity
+#                ('digitalSignature' or 'dataEncipherment')
+#
+# Update rules
+# ------------
+#
 # - cn uses "only" to avoid bugs like https://pagure.io/freeipa/issue/6975
 # - nsIndexType and nsMatchingRule use "add" to allow users to add
 #   additional index types and matching rules more easily. The "add" command
 #   adds additional attribute values that are required by IPA but does not
 #   remove user defined values.
 #
-# NOTE: There is no index on ipServiceProtocol because the index would have
-# poor selectivity. An ipService entry has either 'tcp' or 'udp' as protocol.
-#
 # Please keep entries in alphanumeric order.
 #
 
@@ -149,6 +164,13 @@ add:nsIndexType: eq
 add:nsIndexType: pres
 add:nsIndexType: sub
 
+dn: cn=ipaCASubjectDN,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaCASubjectDN
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+
 dn: cn=ipaCertmapData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipaCertmapData
 default:objectClass: nsIndex
@@ -170,6 +192,13 @@ default:objectClass: top
 default:nsSystemIndex: false
 add:nsIndexType: eq
 
+dn: cn=ipaExternalMember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaExternalMember
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+
 dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipaKrbAuthzData
 default:objectClass: nsIndex
@@ -216,6 +245,7 @@ only: cn: ipaNTSecurityIdentifier
 default: objectClass: top
 default: objectClass: nsIndex
 default: nsSystemIndex: false
+add: nsIndexType: eq
 add: nsIndexType: pres
 
 dn: cn=ipaNTTrustPartner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
@@ -377,6 +407,13 @@ default:nsSystemIndex: false
 add:nsIndexType: eq
 add:nsIndexType: pres
 
+dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: memberPrincipal
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+
 dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: memberservice
 default:objectClass: nsIndex