sdap: optimize sdap_initgr_common_store() (rfc2307) #8459
Closed
alexey-tikhonov wants to merge 2 commits into SSSD:master
`sdap_add_incomplete_groups()` had two separate steps: first it iterated the group name list checking each against sysdb to build a 'missing' list, then for each missing group it scanned the entire 'ldap_groups' array calling to find matching LDAP attributes. This resulted in O(N^2) behavior when all groups were missing (i.e. empty cache).

Replace this with a single O(N) loop that iterates 'ldap_groups' directly: check sysdb, and if missing create the incomplete entry immediately.

The 'sysdb_groupnames' parameter is removed as it is not used anymore.

This patch also has an interesting side effect: it also makes `sysdb_update_members()` executed in the `sdap_initgr_common_store()` after `sdap_add_incomplete_groups()` faster. Most probably this is because previously O(N^2) allocations of `groupname` (by `sdap_get_group_primary_name()`) trashed memory, purging ldb/tdb data from the cache.

Implementation assisted-by: Claude Code (Opus 4.6)
When an LDAP user is a member of many groups (rfc2307), handling of BE_REQ_INITGROUPS takes an extremely long time because:

1. `sdap_add_incomplete_groups()` iterates over all groups to create missing group entries
2. `sysdb_update_members()` iterates over all groups again to add the user as a member

This patch eliminates the second iteration by adding user membership during step 1. The functions `sysdb_add_incomplete_group()` and `sdap_add_incomplete_groups()` now accept an optional `user_member` parameter. When provided, the user is added as a member of each group during group processing (both for newly created incomplete groups and for already existing groups).

In `sdap_initgr_common_store()`, when the member type is SYSDB_MEMBER_USER, the username is provided to `sdap_add_incomplete_groups()` and `sysdb_update_members()` only handles group deletions.

Implementation assisted-by: Claude Code (Opus 4.6)
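A toy model of the two loop shapes described in the first commit message above, counting calls to a name-extraction helper; this is an added example, not code from the pull request or from SSSD. The array `cached[]`, the helpers `primary_name()` and `idx()`, the constructed group names, and the early `break` on a match are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not SSSD code: cached[] stands in for sysdb. */
#define MAXG 512
static char ldap_groups[MAXG][16];   /* constructed LDAP result: "grp0", ... */
static bool cached[MAXG];
static unsigned long name_calls;     /* calls to the name helper stand-in */

static const char *primary_name(int j) { name_calls++; return ldap_groups[j]; }
static int idx(const char *name) { return atoi(name + 3); }  /* "grp42" -> 42 */
static void reset(int n)             /* empty cache: the worst case */
{
    name_calls = 0;
    memset(cached, 0, sizeof(cached));
    for (int i = 0; i < n; i++)
        snprintf(ldap_groups[i], sizeof(ldap_groups[i]), "grp%d", i);
}

/* Two-step shape: build a 'missing' list, then search ldap_groups for each. */
unsigned long two_step(int n)
{
    const char *missing[MAXG];
    int nmissing = 0;
    reset(n);
    for (int i = 0; i < n; i++)                  /* step 1: check the cache */
        if (!cached[i]) missing[nmissing++] = ldap_groups[i];
    for (int m = 0; m < nmissing; m++)           /* step 2: nested scan */
        for (int j = 0; j < n; j++)
            if (strcmp(primary_name(j), missing[m]) == 0) {
                cached[idx(missing[m])] = true;  /* create incomplete entry */
                break;
            }
    return name_calls;
}

/* Single pass: one name extraction and one cache check per LDAP entry. */
unsigned long single_pass(int n)
{
    reset(n);
    for (int j = 0; j < n; j++) {
        const char *name = primary_name(j);
        if (!cached[idx(name)]) cached[idx(name)] = true;
    }
    return name_calls;
}

int main(void) { printf("%lu vs %lu\n", two_step(200), single_pass(200)); return 0; }
```

The model counts helper calls only; it says nothing about wall-clock time in a real sysdb-backed run.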
Code Review
This pull request introduces a significant performance optimization for group membership handling in RFC2307 environments. By combining the creation of incomplete groups and the addition of user memberships into a single pass within sdap_add_incomplete_groups, it effectively eliminates a redundant iteration. The code changes are well-structured and the logic is sound. I've identified one potential issue regarding error handling within a transaction that could lead to data inconsistency.
Author
Testing suggests this patch doesn't provide real perf gains.
When an LDAP user is a member of many groups (rfc2307), handling of BE_REQ_INITGROUPS takes an extremely long time because:

1. `sdap_add_incomplete_groups()` iterates over all groups to create missing group entries
2. `sysdb_update_members()` iterates over all groups again to add the user as a member

This patch eliminates the second iteration by adding user membership during step 1. The functions `sysdb_add_incomplete_group()` and `sdap_add_incomplete_groups()` now accept an optional `user_member` parameter. When provided, the user is added as a member of each group during group processing (both for newly created incomplete groups and for already existing groups).

In `sdap_initgr_common_store()`, when the member type is SYSDB_MEMBER_USER, the username is provided to `sdap_add_incomplete_groups()` and `sysdb_update_members()` only handles group deletions.