Bug 1974236

Summary: RFE automatique disable of virtual attribute checking
Product: Red Hat Enterprise Linux 8 Reporter: thierry bordaz <tbordaz>
Component: 389-ds-baseAssignee: thierry bordaz <tbordaz>
Status: ON_QA --- QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.3CC: ldap-maint, sgouvern
Target Milestone: betaKeywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-1.4-8060020211118202403.ce3e8c9c Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description thierry bordaz 2021-06-21 07:29:57 UTC
Description of problem:
During a SRCH, lookup for virtual attribute providers is done during evaluating a filter (against a candidate entry) and also for each returned attribute. The lookup of the virtual attribute hashtable is protected with a rwlock that creates contention, even if it is almost always free (in read). In addition the hashtable lookup is costly even if the search attribute is not present in the hashtable.

This was already detected to be an expensive component and a config attribute 'nsslapd-ignore-virtual-attrs' allows to skip virtual attribute lookup (see #511).

This attribute is 'off' by default, so most of the deployments, even if they do not use virtual attributes, are paying the cost of virtual attribute

Describe the solution you'd like
A first possibility is to set 'nsslapd-ignore-virtual-attrs: on' when there is no virtual attributes.
389-ds server defines virtual attributes with 'cos' and 'role' plugins. If there is cos/role definitions and if there is no custom plugin, then set 'nsslapd-ignore-virtual-attrs: on'.
This should be detected at startup and also requires cos/role plugin to enable the flag if a new definition comes in.

A second possibility is too have healthcheck, detecting the same (no cos/role definitions and no custom plugin)

A third possibility is to set 'nsslapd-ignore-virtual-attrs: on' by default and turn it on when a virtual attribute is inserted (other than 'dummyAttr').

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:
By default vattr are lookup

Expected results:
By default vattr should not be lookup

Additional info:

Comment 2 thierry bordaz 2021-09-06 15:21:02 UTC
Third option is not possible. The third option is to initialize ignore-vattr=True and set it on the fly to 'False" if a vattr is registered. The problem is that role plugin is enabled by default and registers 'nsrole'. So by default ignore-vattr would always be return to 'False.

Comment 5 thierry bordaz 2021-09-30 14:01:37 UTC
Fix pushed upstream => POST