Replace substring search with plain search in referint plugin

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47411

• Created at 2013-06-27 21:57:20 by jcholast
• Closed as Fixed
• Assigned to mreynolds (@mreynolds389)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1393007
  • https://bugzilla.redhat.com/show_bug.cgi?id=1391324

---

Opened this ticket per Rich's request, see [https://www.redhat.com/archives/freeipa-devel/2013-June/msg00314.html|freeipa-devel]:

AFAIK, sub index is a very expensive index - as we discussed offline - adding Rich to advise and confirm this. I think you added it because some plugin was doing substring/wildcard search when an LDAP entry was being deleted - did you identify which one it is? Because I would rather get rid of the bad search than adding so many sub indices.

The search is hard-coded in the referint plugin, see https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745.

Not sure if it makes sense to do a wildcard/substr search here - >please file a ticket with 389 to investigate.

[389-ds-bot]

Comment from rmeggins (@richm) at 2013-07-31 21:40:58

It's still odd that whoever designed referint would have done a substring search - I think it's bogus but I just hope there was not a good reason . . . maybe for subtree rename?

For example, maybe when there is a subtree rename, we look for any group members that end with the old subtree? e.g. if ou=old,dc=example,dc=com is the old subtree, and ou=new,dc=example,dc=com is the new subtree, maybe referint is looking for (owner=*ou=old,dc=example,dc=com) - to match cn=1,ou=old,dc=example,dc=com and cn=2,ou=old,dc=example,dc=com etc. in order to change them to cn=1,ou=new,dc=example,dc=com etc.?

How does referint handle subtree rename?

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2013-07-31 22:24:48

revision 0001-Ticket-47411-Replace-substring-search-with-plain-sea.patch

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2013-07-31 22:26:06

Replying to [comment:5 richm]:

It's still odd that whoever designed referint would have done a substring search - I think it's bogus but I just hope there was not a good reason . . . maybe for subtree rename?

For example, maybe when there is a subtree rename, we look for any group members that end with the old subtree? e.g. if ou=old,dc=example,dc=com is the old subtree, and ou=new,dc=example,dc=com is the new subtree, maybe referint is looking for (owner=*ou=old,dc=example,dc=com) - to match cn=1,ou=old,dc=example,dc=com and cn=2,ou=old,dc=example,dc=com etc. in order to change them to cn=1,ou=new,dc=example,dc=com etc.?

How does referint handle subtree rename?

You are correct, we need the substring search when doing a modrdn operation. New patch attached.

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2013-08-01 01:16:38

git merge ticket47411 Updating ba70aac..a5dde49 Fast-forward ldap/servers/plugins/referint/referint.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-)

git push origin master ba70aac..a5dde49 master -> master

commit a5dde495a7df7b19fd71cccdb0eb1b91d1f73b58 Author: Mark Reynolds mreynolds389@redhat.com Date: Wed Jul 31 12:21:19 2013 -0400

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2017-02-11 23:06:21

Metadata Update from @mreynolds389:

• Issue assigned to mreynolds389
• Issue set to the milestone: 1.2.11.33