Bug 1953656

Summary:	Cache LDAP data within a request
Product:	Red Hat Enterprise Linux 8	Reporter:	Rob Crittenden <rcritten>
Component:	ipa	Assignee:	Thomas Woerner <twoerner>
Status:	CLOSED ERRATA	QA Contact:	ipa-qe <ipa-qe>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	8.4	CC:	amore, rcritten, ssidhaye, tscherf
Target Milestone:	beta	Keywords:	Triaged
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	ipa-4.9.5-1	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-11-09 18:22:22 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Rob Crittenden 2021-04-26 15:14:33 UTC

This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8798

As an IPA administrator I want to limit the number of LDAP searches performed by the IPA framework.

Each IPA command is implemented standalone but some call others (e.g. host-del calls service-del) so there are some repeated executions (like is DNS available). By caching some answers the total number of LDAP searches can be reduced.

The cache does not need to be particularly aggressive. Only single entry searches will need to be cached so:

- get_entries/find_entries are excluded. Keeping track of all the options plus the cache data would be too cumbersome and probably not pay off.
- cn=kerberos cannot be cached because kadmin/kadmin.local may operate directly on the data
- the above is a risk with modifying data directly in LDAP too but is expected to be less
- the cache is per-request so the size should be relatively small and will refresh on its own. The only risk is a humongous batch command.

Comment 1 Rob Crittenden 2021-05-12 14:47:23 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/d1f3ff5506b5ff9bcdc4aa75174cc32f6e4269c6
https://pagure.io/freeipa/c/8365d5e734be74b108465abf847160f05aadcb6a
https://pagure.io/freeipa/c/a4675f6f503b153d5adfcfae8c5c1a7a67bdb692
https://pagure.io/freeipa/c/3539857ecb156351f3385ddbcab029f22ee4afb4
https://pagure.io/freeipa/c/8d21df93522c7ef76ae03e6b5be303da68420f69
https://pagure.io/freeipa/c/1e9a238f358268f23cf359e57038014026fa50b0

Comment 2 Rob Crittenden 2021-05-12 15:56:41 UTC

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/d6637b2feb2008b4a9538518d5d08a0de79c5a68
https://pagure.io/freeipa/c/63767ec067a63811bf73a7314786123b2e89d5ff
https://pagure.io/freeipa/c/b37d679f1dad9fc93f2a8431b4aa62b25f48bcb7
https://pagure.io/freeipa/c/00c99cceb43d97a5331e0407337e845c710a51d4
https://pagure.io/freeipa/c/951720d4e66d313c537b003200efc3b33fe4b045
https://pagure.io/freeipa/c/0307d222acb8a6c675b985463f56f1071a4e5364

Comment 8 errata-xmlrpc 2021-11-09 18:22:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230