IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
the problem was the inconsistency between the key form of DNs between
the itdb used for indexing and the on disk form
Thanks to Matthieu Patou for finding this bug!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
- The outside API contains "DN" string arguments: Bad. Since in this way we
fully rely on the outside calls regarding the right DN format. Solution: Use
always a "struct ldb_dn" entry. Since this one is interchangeable and we can
handle it in our preferred way.
- DN comparison: The function doesn't seem that efficient. I "upgraded" it a bit
to be more powerful (added a second length check and do both before the string
comparison)
The ldb_dn_explode code normally enforces all special characters,
including a '=', must be escaped. Unfortunately this conflicts with
the ltdb index DNs, which for binary attributes may be base64
encoded. This allows a unescaped '=' as a special case for index DNs.
Intuitively you would think it couldn't be longer than the minimum of
the two lists, but we are deliberately allowing for duplicates at this
level of the indexing code, which means the result can be longer
This gets rid of the @IDXPTR approach to in-transaction indexing,
instead using an in-memory tdb to hold index values during a
transaction. This also cleans up a lot of the internal indexing logic,
hopefully making it easier to understand.
One of the big changes is in memory management, with a lot more use
made of talloc tricks to avoid copying dn lists, and shortcuts used to
avoid high intersection and union calculation costs.
The overall result is that a re-provision on my laptop goes from 48s
to a bit over 10s.
When doing an indexed search if we hit a corrupt record we abandoned
the indexed search and did a full search. The problem was that we
might have sent some records to the caller already, which means the
caller ended up with duplicate records. Fix this by returning a search
error if indexing returns an error and we have given any records to
the caller.
This add --show-binary to ldbsearch. When this flag is set, binary
blobs will be shown as-is, instead of base64 encoded. This is useful
for some XML encoded attributes, and will also be used as part of some
NDR print formatting for attributes like repsTo.
When a attribute is marked unique we know that if we find a match
it will be the only possible match. This means that in a list of
subtrees connected by an &, it is best to first load the index values
for the unique entries, as if they find something then we know we
won't have to look any further.
This helps with searches like this:
(&(objectclass=user)(samaccountname=tridge))
the old code would first have loaded the very large index for the
objectclass=user attribute, and then loaded the single entry for
samaccountname=tridge. Now we load the samaccountname=tridge entry
first, notice that it gives us a single result, and stop, thereby
skipping the load of the objectclass=user index record completely.
When a attribute is marked as LDB_ATTR_FLAG_UNIQUE_INDEX then attempts
to add a 2nd record that has the same attribute value for this
attribute as another record will fail.
This provides a much more efficient mechanism for ensuring that
attributes like objectGUID are unique
one-level indexing was not always effective due to some broken logic
in the indexing code. This change means that if normal indexing fails,
we can still fall back on one-level indexing.
This reduces the number of full unindexed searches in s4 quite a lot
In some code paths ltdb_context was still referenced even after we were returned
an error by one of the callbacks. Because the interface assumes that once an
error is returned the ldb_request may be freed, and because the ltdb_context was
allocated as a child of the request, this might cause access to freed memory.
Allocate the ltdb_context on ldb, and keep track of what's going on with the
request by adding a spy children on it. This way even if the request is freed
before the ltdb_callback is called, we will safely free the ctx and just quietly
return.
Separate again the public from the private headers.
Add a new header specific for modules.
Also add service function for modules as now ldb_context and ldb_module are
opaque structures for them.
ldb indexing can cause huge files, and huge memory usage. This
experiment allows us to keep indexes in memory during a transaction,
then to write the indexes to disk when the transaction completes. The
result is that the db is much smaller (we have seen improvements of
about 100x in file size) and memory usage during large transactions is
also greatly reduced
Note that this patch uses the unusual strategy of putting pointers
into a ldb (and thus into a tdb). This works because the pointers are
only there during a transaction, so the pointers are not exposed to
any other users of the database. The pointers allow us to avoid some
really bad allocation problems with tdb record allocation during the
re-indexing.
re-indexing in ldb is triggered on any modification to the @ATTRIBUTES
or @INDEXLIST records. This happens to produce a worst-case
fragmentation of the database, as all @INDEX records are deleted then
re-created. By repacking after re-indexing we ensure that the database
ends up without extreme fragmentation.
Subclass support was designed to avoid needing to spell out the full
list of objectClasses that an entry was in. However, Samba4 now
enforces this restriction in the objectClass module, and the way
subclass matching was handled was complex and counter-intuitive in my
opinion (and did not match LDAP).
Andrew Bartlett
(This used to be commit f5ce04b904e14445a2a7e7f92e7e1f64b645c6f2)
