Bug 2189954

Summary: RFE Improve reponse time to filters containing 'nsrole'
Product: Red Hat Enterprise Linux 9 Reporter: thierry bordaz <tbordaz>
Component: 389-ds-baseAssignee: thierry bordaz <tbordaz>
Status: CLOSED ERRATA QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: high Docs Contact: Evgenia Martynyuk <emartyny>
Priority: high    
Version: 9.3CC: bsmejkal, emartyny, gfialova, idm-ds-dev-bugs, mreynolds, vashirov
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: 9.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-base-2.3.4-3.el9 Doc Type: Enhancement
Doc Text:
.Directory Server now replaces the virtual attribute `nsRole` with an indexed attribute for managed and filtered roles Previously, LDAP searches that contained the virtual attribute `nsRole` in the filter were time consuming because that attribute cannot be indexed. With this update, when you perform the `ldapsearch` with virtual attribute `nsRole` in the filter, Directory Server replaces the `nsRole` attribute the following way: * For managed roles, the `nsRole` attribute is replaced with the `nsRoleDN` attribute. * For filtered roles, the `nsRole` attribute is replaced with the `nsRoleFilter` attribute. As a result, response time for search with the `nsRole` attribute improves because the search becomes indexed. Note that this update does not apply to nested roles.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:25:18 UTC Type: Enhancement
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2023-07-31   

Description thierry bordaz 2023-04-26 14:54:44 UTC 
Description of problem:

'nsrole' is a virtual attribute and is not indexed. With a poorly selective filter like below the search may be not indexed
     "(&(nsrole=cn=managed_role,cn=suffix)(objectclass=posixAccount)))"
    
The RFE is to rewrite the filter component containing 'nsrole' attribute type and assertion that are managed roles and filter roles
Comment 3 bsmejkal 2023-07-25 14:53:48 UTC 
============================================================================================================ test session starts =============================================================================================================
platform linux -- Python 3.9.17, pytest-7.4.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.9.17', 'Platform': 'Linux-5.14.0-339.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '7.4.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '3.0.0', 'html': '3.2.0', 'libfaketime': '0.1.2', 'flaky': '3.7.0'}}
389-ds-base: 2.3.4-3.el9
nss: 3.90.0-2.el9_2
nspr: 4.35.0-2.el9_2
openldap: 2.6.3-1.el9
cyrus-sasl: 2.1.27-21.el9
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests
configfile: pytest.ini
plugins: metadata-3.0.0, html-3.2.0, libfaketime-0.1.2, flaky-3.7.0
collected 8 items / 6 deselected / 2 selected                                                                                                                                                                                                

dirsrvtests/tests/suites/roles/basic_test.py::test_managed_and_filtered_role_rewrite PASSED                                                                                                                                            [ 50%]
dirsrvtests/tests/suites/roles/basic_test.py::test_not_such_entry_role_rewrite PASSED                                                                                                                                                  [100%]

========================================================================================== 2 passed, 6 deselected, 18 warnings in 127.66s (0:02:07) ==========================================================================================

Tests pass, however, we might need to adjust the wait time for import task in bdb . On slower machines it causes failure as the import task is still not done in the time limit.
It failed in gating but passes in 1mt.
Comment 6 bsmejkal 2023-07-26 09:46:38 UTC 
As per comment #c3 marking as VERIFIED.
Comment 9 errata-xmlrpc 2023-11-07 08:25:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds-base bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6350