When calculating indirect membership don't test nesting on users and hosts.

Members are dereferenced when calculating indirect membership. We don't need to check hosts and users for members. This significantly reduces the number of queries required for large groups. https://fedorahosted.org/freeipa/ticket/1885
2025-01-26 16:16:31 -06:00 · 2011-10-05 10:37:05 -04:00 · 2011-10-05 10:37:05 -04:00 · 03c8a34cb3
commit 03c8a34cb3
parent af63731363
1 changed files with 8 additions and 0 deletions
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@ -42,6 +42,7 @@ import ldap.sasl as _ldap_sasl
 from ldap.controls import LDAPControl
 # for backward compatibility
 from ldap.functions import explode_dn
+from ipalib.dn import DN

 import krbV

@ -987,6 +988,13 @@ class ldap2(CrudBackend, Encoder):
        if membertype == MEMBERS_ALL or membertype == MEMBERS_INDIRECT:
            checkmembers = copy.deepcopy(members)
            for member in checkmembers:
+                # No need to check entry types that are not nested for
+                # additional members
+                dn = DN(member)
+                if dn.endswith(DN(api.env.container_user, api.env.basedn)) or \
+                   dn.endswith(DN(api.env.container_host, api.env.basedn)):
+                        results.append([member, {}])
+                        continue
                try:
                    (result, truncated) = self.find_entries(searchfilter,
                        attr_list, member, time_limit=time_limit,