[PATCH] SYSDB: add index for nameAlias (master)
by Stephen Gallagher
SSSD 1.6.2 has a major performance issue due to the addition of the
alias support. We added a new attribute to the lookup filter, aliasName.
Unfortunately, we forgot to add an index to it and it's causing a severe
bottleneck in cache lookups.
12 years, 6 months
[PATCH] SYSDB: Update sysdb version to latest (1.6.x)
by Stephen Gallagher
SSSD 1.6.2 has a major performance issue due to the addition of the
alias support. We added a new attribute to the lookup filter, aliasName.
Unfortunately, we forgot to add an index to it and it's causing a severe
bottleneck in cache lookups.
12 years, 6 months
[PATCH] RESPONDER: Fix segfault in sss_packet_send()
by Stephen Gallagher
There are several places (all error-handling) where sss_cmd_done()
is called with no response packet created. As a short-term
solution, we need to check whether the packet is NULL and simply
return EINVAL. client_send() (the consumer) will then forcibly
disconnect the client (which will return PAM_SYSTEM_ERR to the
client).
This is a quick fix for
https://bugzilla.redhat.com/show_bug.cgi?id=748924
We don't have enough information (or steps to reproduce) to trace back
the processing to its origin, so the best thing we can do for the moment
is to simply prevent the crash. The client will receive an error, but
the SSSD will continue to function.
12 years, 6 months
[PATCHES] Support for multiple LDAP search bases
by Stephen Gallagher
These patches add support for multiple search bases for users and groups
in both direct-lookup and enumeration modes.
Addresses https://fedorahosted.org/sssd/ticket/868
Some notes: There is no patch adding multiple search base support for
group lookups in RFC2307bis because it's meaningless right now. Since
the group memberships are direct DNs, we do all of our searches as base
searches, ignoring group_search_base. There is a separate ticket,
https://fedorahosted.org/sssd/ticket/960 that will need to address this,
taking advantage of the multiple search base features.
Also, while working through this, I opened
https://fedorahosted.org/sssd/ticket/1006 as I noticed that we are using
far too many separate transactions while processing RFC2307bis (which is
likely the cause of the extreme slowdown that some of our users were
reporting with AD).
These patches don't really work separately, but they've been broken up
to make review much easier.
Patch 0001: Remove some unused options in a struct
Patch 0002: Fix size return for split_on_separator()
It was returning the size of the array, rather than the number of
elements. (The array was NULL-terminated). This argument was only
used in one place that was actually working around this odd return
value.
Patch 0003: Make sdap_get_id_specific_filter() more strict
Just makes it take const char * instead of char *.
Patch 0004: Add parser for multiple search bases
As discussed on the list, this will parse the ldap_*_search_base options in
the form of:
search_base[?scope?[filter][?search_base?scope?[filter]]*]
This is backwards-compatible (just use a search base)
Patch 0005: Add support for multiple search bases for users
Patch 0006: Add support for multiple search bases for netgroups
Patch 0007: Add support for multiple search bases for RFC2307 groups
Patch 0008: Add support for multiple search bases for initgroups (user
portion)
Patch 0009: Add support for multiple search bases for initgroups
(RFC2307 group portion)
Patch 0010: Add support for multiple search bases for initgroups
(RFC2307 group portion)
This patch I'm not 100% sure of. It may need more processing. With
RFC2307, it was safe to have duplicate groups in the list, because only
the group name is important (and we guarantee that the name list has
only unique values before saving it). With RFC2307bis, I'm not sure if
it's safe to add two groups that may have the same name. Comments
welcome.
Patch 0011: Update manpages with multiple search base information
Patch 0012: Convert ldap_*_search_filter
Instead of making this a global option for all user lookups, make it
only used if the search base is passed without an explicit filter. The
idea here is to deprecate the old separate ldap_user_search_filter and
ldap_group_search_filter options in favor of the new representation
(which is closer to the traditional nss_ldap representation).
Patch 0013: Add support for multiple search bases for user enumeration
Patch 0014: Add support for multiple search bases for group enumeration
This changes our behavior slightly with regard to handling direct
lookups that return more than one entry. In the old code, we had a bug
that would cause SSSD to treat this as an enumeration (instead of a
direct lookup). This was a bug and has been fixed incidentally as part
of this modification.
12 years, 6 months
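The option syntax described under Patch 0004, as an added example that is not part of the original post and is not SSSD's parser. It splits the value on '?' and rejects malformed input instead of guessing a scope. Assumptions: the names struct search_base, parse_search_bases and MAX_BASES are hypothetical; a plain base defaults to subtree scope; scope names are base, onelevel and subtree; a literal '?' inside a DN or filter is not handled.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_BASES 16   /* hypothetical limit for this example */
struct search_base { const char *basedn, *scope, *filter; };

static int valid_scope(const char *s)
{
    return !strcasecmp(s, "base") || !strcasecmp(s, "onelevel") ||
           !strcasecmp(s, "subtree");
}

/* Parses "base[?scope?[filter][?base?scope?[filter]]*]" in place.
 * Returns the number of search bases, or -1 if the value is malformed. */
int parse_search_bases(char *opt, struct search_base *out, int max)
{
    char *fields[3 * MAX_BASES];
    int nf = 0;

    if (max < 1 || max > MAX_BASES) return -1;
    /* Split on '?' by hand: strtok() would silently drop empty filters. */
    for (char *p = opt; ; ) {
        if (nf == 3 * max) return -1;          /* more bases than allowed */
        fields[nf++] = p;
        if ((p = strchr(p, '?')) == NULL) break;
        *p++ = '\0';
    }
    if (nf == 1 && fields[0][0] != '\0') {     /* backwards-compatible form */
        out[0] = (struct search_base){ fields[0], "subtree", NULL };
        return 1;
    }
    if (nf % 3 != 0) return -1;                /* incomplete triple */
    for (int i = 0; i < nf / 3; i++) {
        char **f = &fields[3 * i];
        if (f[0][0] == '\0' || !valid_scope(f[1])) return -1;
        out[i] = (struct search_base){ f[0], f[1], f[2][0] ? f[2] : NULL };
    }
    return nf / 3;
}

int main(void)
{
    /* Constructed sample value, not taken from the post. */
    char opt[] = "ou=People,dc=example,dc=com?onelevel?(uid=*)?dc=example,dc=com?subtree?";
    struct search_base sb[4];
    int n = parse_search_bases(opt, sb, 4);
    for (int i = 0; i < n; i++)
        printf("%s %s %s\n", sb[i].basedn, sb[i].scope, sb[i].filter ? sb[i].filter : "(none)");
    return n < 0;
}
```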
[PATCH] Two deref fixes
by Jakub Hrozek
Simo was studying the dereference code lately and found two issues. #1
is an important bug, #2 is more of a cosmetic issue.
[PATCH 1/2] Use LDAPDerefSpec properly
ldap_create_deref_control_value expects an array of LDAPDerefSpec structures
with LDAPDerefSpec.derefAttr == NULL as a sentinel. We were passing a
single instance of a LDAPDerefSpec structure.
https://fedorahosted.org/sssd/ticket/1050
[PATCH 2/2] Remove confusing do-while loop
The deref processing would return a single control back. The do-while
loop was harmless but confusing.
12 years, 6 months
[PATCH] SYSDB: Update sysdb version to latest (1.5.x)
by Stephen Gallagher
SSSD 1.5.14 has a major performance issue due to the addition of the
alias support. We added a new attribute to the lookup filter, aliasName.
Unfortunately, we forgot to add an index to it and it's causing a severe
bottleneck in cache lookups.
Because 1.5.x is using an old version of the database schema, we need
this patch to update it to the latest version in master (plus the
aliasName index) in order to guarantee that we'll be able to upgrade
cleanly from 1.5.x to future versions.
I will be sending out 1.6.x and master patches shortly.
12 years, 6 months