From 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 28 Sep 2020 13:20:45 +0200 Subject: [PATCH] Add more indices ipaCASubjectDN is used by lightweight sub CA feature. ipaExternalMember is used by KRB driver to assemble MS-PAC records. ipaNTSecurityIdentifier was only index for "pres" and was missing an index on "eq". Samba and ipasam perform queries with SID string. memberPrincipal is used by S4U2Proxy constrained delegation and by ipa-custodia. Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and ipaKeyUsage are currently not index because an index would rarely used or have a poor selectivity. Signed-off-by: Christian Heimes Reviewed-By: Alexander Bokovoy --- install/updates/20-indices.update | 43 ++++++++++++++++++++++++++++--- 1 file changed, 40 insertions(+), 3 deletions(-) diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update index 249c3df0fbc..6632f105a98 100644 --- a/install/updates/20-indices.update +++ b/install/updates/20-indices.update 
@@ -27,15 +27,30 @@ # * uid: eq [IPA: +pres] # * uniqueMember: eq [IPA: +sub] # +# +# Unindex attributes +# ------------------ +# +# Some attributes are currently not indexed because an index would not be +# rarely used or have a poor selectivity. +# +# - dnaHostname: only used by update_dna_shared_config, server_del, and +# ipa-replica-install +# - ipServiceProtocol: not used by SSSD at the moment and has a poor +# selectivity ('tcp' or 'udp') +# - ipaCertSubject: only queried in update_fix_duplicate_cacrt_in_ldap +# - ipaKeyUsage: rarely used by ipa-custodia and poor selectivity +# ('digitalSignature' or 'dataEncipherment') +# +# Update rules +# ------------ +# # - cn uses "only" to avoid bugs like https://pagure.io/freeipa/issue/6975 # - nsIndexType and nsMatchingRule use "add" to allow users to add # additional index types and matching rules more easily. The "add" command # adds additional attribute values that are required by IPA but does not # remove user defined values. # -# NOTE: There is no index on ipServiceProtocol because the index would have -# poor selectivity. An ipService entry has either 'tcp' or 'udp' as protocol. -# # Please keep entries in alphanumeric order. # @@ -149,6 +164,13 @@ add:nsIndexType: eq add:nsIndexType: pres add:nsIndexType: sub +dn: cn=ipaCASubjectDN,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only:cn: ipaCASubjectDN +default:objectClass: nsIndex +default:objectClass: top +default:nsSystemIndex: false +add:nsIndexType: eq + dn: cn=ipaCertmapData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config only:cn: ipaCertmapData default:objectClass: nsIndex 
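Review bot: The new comment block in the first hunk says the opposite of what it means: `an index would not be rarely used or have a poor selectivity` carries a stray "not be". I would write the sentence as `# Some attributes are currently not indexed because an index would be` / `# rarely used or would have poor selectivity.` and rename the heading to `# Unindexed attributes`, with the underline lengthened to match. The wording matters because this block is the only in-file record of why these attributes were deliberately left without an index.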
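Review bot: Nothing visible in this patch shows the new `ipaCASubjectDN` eq index being built for entries that already exist on an upgraded server. The same applies to the `ipaExternalMember`, `ipaNTSecurityIdentifier` and `memberPrincipal` hunks further down. On 389-DS an index that is configured but not yet populated can make filtered searches return incomplete results rather than just slow ones, which would matter for the SID and principal lookups the commit message describes (MS-PAC assembly, S4U2Proxy delegation). If the updater that applies this file already schedules an index task for changed `cn=index` entries, a header line such as `# Changed index entries are reindexed by the updater; no manual index task is needed.` would record that. Otherwise the upgrade path needs an explicit reindex step. The neighbouring entries start and end outside the hunk.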
@@ -170,6 +192,13 @@ default:objectClass: top default:nsSystemIndex: false add:nsIndexType: eq +dn: cn=ipaExternalMember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only:cn: ipaExternalMember +default:objectClass: nsIndex +default:objectClass: top +default:nsSystemIndex: false +add:nsIndexType: eq + dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config only:cn: ipaKrbAuthzData default:objectClass: nsIndex @@ -216,6 +245,7 @@ only: cn: ipaNTSecurityIdentifier default: objectClass: top default: objectClass: nsIndex default: nsSystemIndex: false +add: nsIndexType: eq add: nsIndexType: pres dn: cn=ipaNTTrustPartner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config @@ -377,6 +407,13 @@ default:nsSystemIndex: false add:nsIndexType: eq add:nsIndexType: pres +dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only:cn: memberPrincipal +default:objectClass: nsIndex +default:objectClass: top +default:nsSystemIndex: false +add:nsIndexType: eq + dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config only:cn: memberservice default:objectClass: nsIndex
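Review bot: The reason each new index exists is recorded only in the commit message, while the file header now documents the attributes that are deliberately left unindexed. A one-line comment above each added entry, or a short list in the header, would keep that rationale next to the rule. For example, `# eq: used by the KRB driver to assemble MS-PAC records` above `ipaExternalMember` and `# eq: Samba and ipasam search by SID string` above the `add: nsIndexType: eq` line of `ipaNTSecurityIdentifier`. `memberPrincipal` in the last hunk and `ipaCASubjectDN` in the earlier one would get the same treatment. This helps a later reviewer judge whether an index that lookups such as SID resolution depend on can be dropped or changed.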