rpms
/
389-ds-base
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Bump version to 2.3.4-3 

Resolves: rhbz#2189954 - RFE Improve reponse time to filters containing 'nsrole'
Resolves: rhbz#2189946 - RFE support of slapi_memberof for plugins/core server
Resolves: rhbz#1974242 - Paged search impacts performance
This commit is contained in:
Mark Reynolds 2023-07-24 11:52:19 -04:00
parent 323f277c0e
commit 87b107cb4f
5 changed files with 7781 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

742
0001-Issue-5722-RFE-When-a-filter-contains-nsrole-improve.patch Normal file
View File

@ -0,0 +1,742 @@
From ca4f4e7712bd7960970f1b10fc859c8bc4679c18 Mon Sep 17 00:00:00 2001
From: tbordaz <tbordaz@redhat.com>
Date: Tue, 9 May 2023 15:06:55 +0200
Subject: [PATCH 1/5] Issue 5722 - RFE When a filter contains 'nsrole', improve
response time by rewriting the filter (#5723)
Bug description:
'nsrole' is a virtual attribute and is not indexed.
With a poorly selective filter like below the search may be not indexed
"(&(nsrole=cn=managed_role,cn=suffix)(objectclass=posixAccount)))"
The RFE is to rewrite the filter component contains 'nsrole'
attribute type.
Rewritten component can then been indexed
Fix description:
For managed role, it replaces 'nsrole' with 'nsroleDN'
attribute type
For filtered roled, it replace the 'nsrole' component
with the nsRoleFilter value
relates: #5722
Reviewed by: Pierre Rogier (Thanks)
---
dirsrvtests/tests/suites/roles/basic_test.py | 257 ++++++++++++++++++-
ldap/servers/plugins/roles/roles_cache.c | 204 +++++++++++++++
ldap/servers/slapd/back-ldbm/ldbm_attr.c | 67 +----
ldap/servers/slapd/filter.c | 66 +++++
ldap/servers/slapd/slapi-plugin.h | 3 +
5 files changed, 535 insertions(+), 62 deletions(-)
diff --git a/dirsrvtests/tests/suites/roles/basic_test.py b/dirsrvtests/tests/suites/roles/basic_test.py
index bc227a2d7..13d188d68 100644
--- a/dirsrvtests/tests/suites/roles/basic_test.py
+++ b/dirsrvtests/tests/suites/roles/basic_test.py
@@ -13,16 +13,22 @@ Importing necessary Modules.
import logging
import time
+import ldap
import os
import pytest
-from lib389._constants import PW_DM, DEFAULT_SUFFIX
+from lib389._constants import ErrorLog, PW_DM, DEFAULT_SUFFIX, DEFAULT_BENAME
from lib389.idm.user import UserAccount, UserAccounts
from lib389.idm.organization import Organization
from lib389.idm.organizationalunit import OrganizationalUnit
from lib389.topologies import topology_st as topo
from lib389.idm.role import FilteredRoles, ManagedRoles, NestedRoles
from lib389.idm.domain import Domain
+from lib389.dbgen import dbgen_users
+from lib389.tasks import ImportTask
+from lib389.utils import get_default_db_lib
+from lib389.rewriters import *
+from lib389.backend import Backends
logging.getLogger(__name__).setLevel(logging.INFO)
log = logging.getLogger(__name__)
@@ -504,6 +510,255 @@ def test_vattr_on_managed_role(topo, request):
request.addfinalizer(fin)
+def test_managed_and_filtered_role_rewrite(topo, request):
+ """Test that filter components containing 'nsrole=xxx'
+ are reworked if xxx is either a filtered role or a managed
+ role.
+
+ :id: e30ff5ed-4f8b-48db-bb88-66f150fca31f
+ :setup: server
+ :steps:
+ 1. Setup nsrole rewriter
+ 2. Add a 'nsroleDN' indexes for managed roles
+ 3. Create an 90K ldif files
+ This is large so that unindex search will last long
+ 4. import/restart the instance
+ 5. Create a managed role and add 4 entries in that role
+ 6. Check that a search 'nsrole=managed_role' is fast
+ 7. Create a filtered role that use an indexed attribute (givenName)
+ 8. Check that a search 'nsrole=filtered_role' is fast
+ :expectedresults:
+ 1. Operation should succeed
+ 2. Operation should succeed
+ 3. Operation should succeed
+ 4. Operation should succeed
+ 5. Operation should succeed
+ 6. Operation should succeed
+ 7. Operation should succeed
+ 8. Operation should succeed
+ """
+ # Setup nsrole rewriter
+ rewriters = Rewriters(topo.standalone)
+ rewriter = rewriters.ensure_state(properties={"cn": "nsrole", "nsslapd-libpath": 'libroles-plugin'})
+ try:
+ rewriter.add('nsslapd-filterrewriter', "role_nsRole_filter_rewriter")
+ except:
+ pass
+
+ # Create an index for nsRoleDN that is used by managed role
+ attrname = 'nsRoleDN'
+ backends = Backends(topo.standalone)
+ backend = backends.get(DEFAULT_BENAME)
+ indexes = backend.get_indexes()
+ try:
+ index = indexes.create(properties={
+ 'cn': attrname,
+ 'nsSystemIndex': 'false',
+ 'nsIndexType': ['eq', 'pres']
+ })
+ except:
+ pass
+
+ # Build LDIF file
+ bdb_values = {
+ 'wait30': 30
+ }
+
+ # Note: I still sometime get failure with a 60s timeout so lets use 90s
+ mdb_values = {
+ 'wait30': 90
+ }
+
+ if get_default_db_lib() == 'bdb':
+ values = bdb_values
+ else:
+ values = mdb_values
+
+ ldif_dir = topo.standalone.get_ldif_dir()
+ import_ldif = ldif_dir + '/perf_import.ldif'
+
+ RDN="userNew"
+ PARENT="ou=people,%s" % DEFAULT_SUFFIX
+ dbgen_users(topo.standalone, 90000, import_ldif, DEFAULT_SUFFIX, entry_name=RDN, generic=True, parent=PARENT)
+
+ # online import
+ import_task = ImportTask(topo.standalone)
+ import_task.import_suffix_from_ldif(ldiffile=import_ldif, suffix=DEFAULT_SUFFIX)
+ import_task.wait(values['wait30']) # If things go wrong import takes a lot longer than this
+ assert import_task.is_complete()
+
+ # Restart server
+ topo.standalone.restart()
+
+ # Create Managed role entry
+ managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
+ role = managed_roles.create(properties={"cn": 'MANAGED_ROLE'})
+
+ # Assign managed role to 4 entries out of the 90K
+ for i in range(1, 5):
+ dn = "uid=%s0000%d,%s" % (RDN, i, PARENT)
+ topo.standalone.modify_s(dn, [(ldap.MOD_REPLACE, 'nsRoleDN', [role.dn.encode()])])
+
+
+ # Now check that search is fast, evaluating only 4 entries
+ search_start = time.time()
+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "(nsrole=%s)" % role.dn)
+ duration = time.time() - search_start
+ log.info("Duration of the search was %f", duration)
+ assert(len(entries) == 4)
+ assert (duration < 1)
+
+ # Restart server to refresh entrycache
+ topo.standalone.restart()
+
+ # Create Filtered Role entry
+ # it uses 'givenName' attribute that is indexed (eq) by default
+ filtered_roles = FilteredRoles(topo.standalone, DEFAULT_SUFFIX)
+ role = filtered_roles.create(properties={'cn': 'FILTERED_ROLE', 'nsRoleFilter': 'givenName=Technical'})
+
+ # Now check that search is fast
+ search_start = time.time()
+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "(nsrole=%s)" % role.dn)
+ duration = time.time() - search_start
+ log.info("Duration of the search was %f", duration)
+ assert (duration < 1)
+
+ def fin():
+ topo.standalone.restart()
+ try:
+ managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
+ for i in managed_roles.list():
+ i.delete()
+ filtered_roles = FilteredRoles(topo.standalone, DEFAULT_SUFFIX)
+ for i in filtered_roles.list():
+ i.delete()
+ except:
+ pass
+ os.remove(import_ldif)
+
+ request.addfinalizer(fin)
+
+def test_not_such_entry_role_rewrite(topo, request):
+ """Test that filter components containing 'nsrole=xxx'
+ ,where xxx does not refer to any role definition,
+ replace the component by 'nsuniqueid=-1'
+
+ :id: b098dda5-fc77-46c4-84a7-5d0c7035bb77
+ :setup: server
+ :steps:
+ 1. Setup nsrole rewriter
+ 2. Add a 'nsroleDN' indexes for managed roles
+ 3. Create an 90K ldif files
+ This is large so that unindex search will last long
+ 4. import/restart the instance
+ 5. Create a managed role and add 4 entries in that role
+ 6. Enable plugin log level to capture role plugin message
+ 7. Check that a search is fast "(OR(nsrole=managed_role)(nsrole=not_existing_role))"
+ 8. Stop the instance
+ 9. Check that a message like this was logged: replace (nsrole=not_existing_role) by (nsuniqueid=-1)
+ :expectedresults:
+ 1. Operation should succeed
+ 2. Operation should succeed
+ 3. Operation should succeed
+ 4. Operation should succeed
+ 5. Operation should succeed
+ 6. Operation should succeed
+ 7. Operation should succeed
+ 8. Operation should succeed
+ 9. Operation should succeed
+ """
+ # Setup nsrole rewriter
+ rewriters = Rewriters(topo.standalone)
+ rewriter = rewriters.ensure_state(properties={"cn": "nsrole", "nsslapd-libpath": 'libroles-plugin'})
+ try:
+ rewriter.add('nsslapd-filterrewriter', "role_nsRole_filter_rewriter")
+ except:
+ pass
+
+ # Create an index for nsRoleDN that is used by managed role
+ attrname = 'nsRoleDN'
+ backends = Backends(topo.standalone)
+ backend = backends.get(DEFAULT_BENAME)
+ indexes = backend.get_indexes()
+ try:
+ index = indexes.create(properties={
+ 'cn': attrname,
+ 'nsSystemIndex': 'false',
+ 'nsIndexType': ['eq', 'pres']
+ })
+ except:
+ pass
+
+ # Build LDIF file
+ bdb_values = {
+ 'wait60': 60
+ }
+
+ # Note: I still sometime get failure with a 60s timeout so lets use 90s
+ mdb_values = {
+ 'wait60': 90
+ }
+
+ if get_default_db_lib() == 'bdb':
+ values = bdb_values
+ else:
+ values = mdb_values
+
+ ldif_dir = topo.standalone.get_ldif_dir()
+ import_ldif = ldif_dir + '/perf_import.ldif'
+
+ RDN="userNew"
+ PARENT="ou=people,%s" % DEFAULT_SUFFIX
+ dbgen_users(topo.standalone, 90000, import_ldif, DEFAULT_SUFFIX, entry_name=RDN, generic=True, parent=PARENT)
+
+ # online import
+ import_task = ImportTask(topo.standalone)
+ import_task.import_suffix_from_ldif(ldiffile=import_ldif, suffix=DEFAULT_SUFFIX)
+ import_task.wait(values['wait60']) # If things go wrong import takes a lot longer than this
+ assert import_task.is_complete()
+
+ # Restart server
+ topo.standalone.restart()
+
+ # Create Managed role entry
+ managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
+ role = managed_roles.create(properties={"cn": 'MANAGED_ROLE'})
+
+ # Assign managed role to 4 entries out of the 90K
+ for i in range(1, 5):
+ dn = "uid=%s0000%d,%s" % (RDN, i, PARENT)
+ topo.standalone.modify_s(dn, [(ldap.MOD_REPLACE, 'nsRoleDN', [role.dn.encode()])])
+
+ # Enable plugin level to check message
+ topo.standalone.config.loglevel(vals=(ErrorLog.DEFAULT,ErrorLog.PLUGIN))
+
+ # Now check that search is fast, evaluating only 4 entries
+ search_start = time.time()
+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "(|(nsrole=%s)(nsrole=cn=not_such_entry_role,%s))" % (role.dn, DEFAULT_SUFFIX))
+ duration = time.time() - search_start
+ log.info("Duration of the search was %f", duration)
+ assert(len(entries) == 4)
+ assert (duration < 1)
+
+ # Restart server to refresh entrycache
+ topo.standalone.stop()
+
+ # Check that when the role does not exist it is translated into 'nsuniqueid=-1'
+ pattern = ".*replace \(nsRole=cn=not_such_entry_role,dc=example,dc=com\) by \(nsuniqueid=-1\).*"
+ assert topo.standalone.ds_error_log.match(pattern)
+
+ def fin():
+ topo.standalone.restart()
+ try:
+ managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
+ for i in managed_roles.list():
+ i.delete()
+ except:
+ pass
+ os.remove(import_ldif)
+
+ request.addfinalizer(fin)
+
if __name__ == "__main__":
CURRENT_FILE = os.path.realpath(__file__)
pytest.main("-s -v %s" % CURRENT_FILE)
diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
index 5fd52e7b9..bbed11802 100644
--- a/ldap/servers/plugins/roles/roles_cache.c
+++ b/ldap/servers/plugins/roles/roles_cache.c
@@ -2131,3 +2131,207 @@ roles_cache_dump(caddr_t data, caddr_t arg __attribute__((unused)))
return 0;
}
+
+
+/* This is an example callback to substitute
+ * attribute type 'from' with 'to' in all
+ * the filter components
+ * example_substitute_type is a callback (FILTER_APPLY_FN) used by slapi_filter_apply
+ * typedef int (FILTER_APPLY_FN)(Slapi_Filter f, void *arg)
+ * To stick to the definition, the callback is defined using 'int' rather 'int32_t'
+ */
+typedef struct {
+ char *attrtype_from;
+ char *attrtype_to;
+} role_substitute_type_arg_t;
+
+
+static void
+_rewrite_nsrole_component(Slapi_Filter *f, role_substitute_type_arg_t *substitute_arg)
+{
+ char *type;
+ struct berval *bval;
+ char *attrs[3] = {SLAPI_ATTR_OBJECTCLASS, ROLE_FILTER_ATTR_NAME, NULL};
+ Slapi_Entry *nsrole_entry = NULL;
+ Slapi_DN *sdn = NULL;
+ char *rolefilter = NULL;
+ int rc;
+ char **oc_values = NULL;
+
+ /* Substitution is only valid if original attribute is NSROLEATTR */
+ if ((substitute_arg == NULL) ||
+ (substitute_arg->attrtype_from == NULL) ||
+ (substitute_arg->attrtype_to == NULL)) {
+ return;
+ }
+ if (strcasecmp(substitute_arg->attrtype_from, NSROLEATTR)) {
+ return;
+ }
+ if (slapi_filter_get_choice(f) != LDAP_FILTER_EQUALITY) {
+ /* only equality filter are handled
+ * else it is not possible to retrieve the role
+ * via its DN.
+ * Safety checking, at this point filter component has
+ * already been tested as equality match.
+ */
+ return;
+ }
+
+ /* Check that assertion does not refer to a filter/nested role */
+ if (slapi_filter_get_ava(f, &type, &bval)) {
+ return;
+ }
+ sdn = slapi_sdn_new_dn_byref(bval->bv_val);
+ rc = slapi_search_internal_get_entry(sdn, attrs, &nsrole_entry, roles_get_plugin_identity());
+ if (rc != LDAP_SUCCESS) {
+ if (rc == LDAP_NO_SUCH_OBJECT) {
+ /* the role does not exist (nsrole=<unknown role>)
+ * that means no entry match this component. To speed up
+ * the built of candidate list we may replace this component
+ * with an indexed component that return empty IDL.
+ * nsuniqueid is indexed and -1 is an invalid value.
+ */
+ char *empty_IDL_filter;
+ empty_IDL_filter = slapi_ch_smprintf("(%s=-1)", SLAPI_ATTR_UNIQUEID);
+ slapi_filter_replace_strfilter(f, empty_IDL_filter);
+ slapi_log_err(SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "_rewrite_nsrole_component: replace (%s=%s) by %s\n",
+ substitute_arg->attrtype_from, (char *)slapi_sdn_get_ndn(sdn), empty_IDL_filter);
+ slapi_ch_free_string(&empty_IDL_filter);
+
+ }
+ goto bail;
+ }
+ oc_values = slapi_entry_attr_get_charray(nsrole_entry, SLAPI_ATTR_OBJECTCLASS);
+ rolefilter = slapi_entry_attr_get_charptr(nsrole_entry, ROLE_FILTER_ATTR_NAME);
+ for (size_t i = 0; oc_values && oc_values[i]; ++i) {
+ if (!strcasecmp(oc_values[i], (char *)"nsSimpleRoleDefinition") ||
+ !strcasecmp(oc_values[i], (char *)"nsManagedRoleDefinition")) {
+ /* This is a managed role, okay to rewrite the attribute type */
+ slapi_filter_changetype(f, substitute_arg->attrtype_to);
+ goto bail;
+ } else if (!strcasecmp(oc_values[i], (char *)"nsFilteredRoleDefinition") && rolefilter) {
+ /* filtered role, okay to rewrite the filter with
+ * the value of the nsRoleFilter
+ */
+ slapi_filter_replace_strfilter(f, rolefilter);
+ goto bail;
+ } else if (!strcasecmp(oc_values[i], (char *)"nsNestedRoleDefinition")) {
+ /* nested roles can not be rewritten */
+ goto bail;
+ }
+ }
+
+bail:
+ slapi_ch_free_string(&rolefilter);
+ slapi_ch_array_free(oc_values);
+ slapi_entry_free(nsrole_entry);
+ slapi_sdn_free(&sdn);
+ return;
+}
+
+/* It calls _rewrite_nsrole_component for each filter component with
+ * - filter choice LDAP_FILTER_EQUALITY
+ * - filter attribute type nsRole
+ */
+static int
+role_substitute_type(Slapi_Filter *f, void *arg)
+{
+ role_substitute_type_arg_t *substitute_arg = (role_substitute_type_arg_t *) arg;
+ char *filter_type;
+
+ if ((substitute_arg == NULL) ||
+ (substitute_arg->attrtype_from == NULL) ||
+ (substitute_arg->attrtype_to == NULL)) {
+ return SLAPI_FILTER_SCAN_STOP;
+ }
+
+ if (slapi_filter_get_choice(f) != LDAP_FILTER_EQUALITY) {
+ /* only equality filter are handled
+ * else it is not possible to retrieve the role
+ * via its DN
+ */
+ return SLAPI_FILTER_SCAN_CONTINUE;
+ }
+
+ /* In case this is expected attribute type and assertion
+ * Substitute 'from' by 'to' attribute type in the filter
+ */
+ if (slapi_filter_get_attribute_type(f, &filter_type) == 0) {
+ if ((strcasecmp(filter_type, substitute_arg->attrtype_from) == 0)) {
+ _rewrite_nsrole_component(f, substitute_arg);
+ }
+ }
+
+ /* Return continue because we should
+ * substitute 'from' in all filter components
+ */
+ return SLAPI_FILTER_SCAN_CONTINUE;
+}
+
+
+/*
+ * During PRE_SEARCH, rewriters (a.k.a computed attributes) are called
+ * to rewrite some search filter components.
+ * Rewriters callbacks are registered by main and are retrieved from
+ * config entries under cn=rewriters,cn=config.
+ *
+ * In order to register the role rewriter, the following record
+ * is added to the config.
+ *
+ * dn: cn=role,cn=rewriters,cn=config
+ * objectClass: top
+ * objectClass: extensibleObject
+ * cn: role
+ * nsslapd-libpath: /lib/dirsrv/libslapd.so
+ * nsslapd-filterrewriter: role_nsRole_filter_rewriter
+ *
+ * The role rewriter supports:
+ * - 'nsrole' attribute type
+ * - LDAP_FILTER_EQUALITY filter choice
+ * - assertion being a managed/filtered role DN
+ *
+ * - Input '(nsrole=cn=admin1,dc=example,dc=com)'
+ * Output '(nsroleDN=cn=admin1,dc=example,dc=com)'
+ * - Input '(nsrole=cn=SalesManagerFilter,ou=people,dc=example,dc=com)'
+ * Output '(manager=user008762)'
+ *
+ * dn: cn=admin1,dc=example,dc=com
+ * ...
+ * objectClass: nsRoleDefinition
+ * objectClass: nsManagedRoleDefinition
+ * ...
+ *
+ * dn: cn=SalesManagerFilter,ou=people,dc=example,dc=com
+ * ...
+ * objectclass: nsRoleDefinition
+ * objectclass: nsFilteredRoleDefinition
+ * ...
+ * nsRoleFilter: manager=user008762
+ *
+ * return code (from computed.c:compute_rewrite_search_filter):
+ * -1 : keep looking
+ * 0 : rewrote OK
+ * 1 : refuse to do this search
+ * 2 : operations error
+ */
+int32_t
+role_nsRole_filter_rewriter(Slapi_PBlock *pb)
+{
+ Slapi_Filter *clientFilter = NULL;
+ int error_code = 0;
+ int rc;
+ role_substitute_type_arg_t arg;
+ arg.attrtype_from = NSROLEATTR;
+ arg.attrtype_to = ROLE_MANAGED_ATTR_NAME;
+
+ slapi_pblock_get(pb, SLAPI_SEARCH_FILTER, &clientFilter);
+ rc = slapi_filter_apply(clientFilter, role_substitute_type, &arg, &error_code);
+ if (rc == SLAPI_FILTER_SCAN_NOMORE) {
+ return SEARCH_REWRITE_CALLBACK_CONTINUE; /* Let's others rewriter play */
+ } else {
+ slapi_log_err(SLAPI_LOG_ERR,
+ "example_foo2cn_filter_rewriter", "Could not update the search filter - error %d (%d)\n",
+ rc, error_code);
+ return SEARCH_REWRITE_CALLBACK_ERROR; /* operation error */
+ }
+}
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attr.c b/ldap/servers/slapd/back-ldbm/ldbm_attr.c
index 1d86c2db4..07f3058a3 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attr.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attr.c
@@ -1039,33 +1039,6 @@ ldbm_compute_evaluator(computed_attr_context *c, char *type, Slapi_Entry *e, sla
*/
-/* Before calling this function, you must free all the parts
- which will be overwritten, this function dosn't know
- how to do that */
-static int
-replace_filter(Slapi_Filter *f, char *s)
-{
- Slapi_Filter *newf = NULL;
- Slapi_Filter *temp = NULL;
- char *buf = slapi_ch_strdup(s);
-
- newf = slapi_str2filter(buf);
- slapi_ch_free((void **)&buf);
-
- if (NULL == newf) {
- return -1;
- }
-
- /* Now take the parts of newf and put them in f */
- /* An easy way to do this is to preserve the "next" ptr */
- temp = f->f_next;
- *f = *newf;
- f->f_next = temp;
- /* Free the new filter husk */
- slapi_ch_free((void **)&newf);
- return 0;
-}
-
static void
find_our_friends(char *s, int *has, int *num)
{
@@ -1075,30 +1048,6 @@ find_our_friends(char *s, int *has, int *num)
}
}
-/* Free the parts of a filter we're about to overwrite */
-void
-free_the_filter_bits(Slapi_Filter *f)
-{
- /* We need to free: */
- switch (f->f_choice) {
- case LDAP_FILTER_EQUALITY:
- case LDAP_FILTER_GE:
- case LDAP_FILTER_LE:
- case LDAP_FILTER_APPROX:
- ava_done(&f->f_ava);
- break;
-
- case LDAP_FILTER_PRESENT:
- if (f->f_type != NULL) {
- slapi_ch_free((void **)&(f->f_type));
- }
- break;
-
- default:
- break;
- }
-}
-
static int
grok_and_rewrite_filter(Slapi_Filter *f)
{
@@ -1116,11 +1065,9 @@ grok_and_rewrite_filter(Slapi_Filter *f)
rhs = f->f_ava.ava_value.bv_val;
if (has) {
if (0 == strcasecmp(rhs, "TRUE")) {
- free_the_filter_bits(f);
- replace_filter(f, "(&(numsubordinates=*)(numsubordinates>=1))");
+ slapi_filter_replace_strfilter(f, "(&(numsubordinates=*)(numsubordinates>=1))");
} else if (0 == strcasecmp(rhs, "FALSE")) {
- free_the_filter_bits(f);
- replace_filter(f, "(&(objectclass=*)(!(numsubordinates=*)))");
+ slapi_filter_replace_strfilter(f, "(&(objectclass=*)(!(numsubordinates=*)))");
} else {
return 1; /* Filter we can't rewrite */
}
@@ -1133,7 +1080,7 @@ grok_and_rewrite_filter(Slapi_Filter *f)
char *theType = f->f_ava.ava_type;
rhs_berval = f->f_ava.ava_value;
- replace_filter(f, "(&(numsubordinates=*)(numsubordinates=x))");
+ slapi_filter_replace_ex(f, "(&(numsubordinates=*)(numsubordinates=x))");
/* Now fixup the resulting filter so that x = rhs */
slapi_ch_free((void **)&(f->f_and->f_next->f_ava.ava_value.bv_val));
/*free type also */
@@ -1143,8 +1090,7 @@ grok_and_rewrite_filter(Slapi_Filter *f)
} else {
if (rhs_number == 0) {
/* This is the same as hassubordinates=FALSE */
- free_the_filter_bits(f);
- replace_filter(f, "(&(objectclass=*)(!(numsubordinates=*)))");
+ slapi_filter_replace_strfilter(f, "(&(objectclass=*)(!(numsubordinates=*)))");
} else {
return 1;
}
@@ -1166,14 +1112,13 @@ grok_and_rewrite_filter(Slapi_Filter *f)
rhs_num = atoi(rhs);
if (0 == rhs_num) {
/* If so, rewrite to same as numsubordinates=* */
- free_the_filter_bits(f);
- replace_filter(f, "(objectclass=*)");
+ slapi_filter_replace_strfilter(f, "(objectclass=*)");
} else {
/* Rewrite to present and GE the rhs */
char *theType = f->f_ava.ava_type;
rhs_berval = f->f_ava.ava_value;
- replace_filter(f, "(&(numsubordinates=*)(numsubordinates>=x))");
+ slapi_filter_replace_ex(f, "(&(numsubordinates=*)(numsubordinates>=x))");
/* Now fixup the resulting filter so that x = rhs */
slapi_ch_free((void **)&(f->f_and->f_next->f_ava.ava_value.bv_val));
/*free type also */
diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
index 1f0873c34..44b726a34 100644
--- a/ldap/servers/slapd/filter.c
+++ b/ldap/servers/slapd/filter.c
@@ -1032,6 +1032,72 @@ slapi_filter_get_subfilt(
return (0);
}
+/*
+ * Before calling this function, you must free all the parts
+ * which will be overwritten (i.e. slapi_free_the_filter_bits),
+ * this function dosn't know how to do that
+ */
+int
+slapi_filter_replace_ex(Slapi_Filter *f, char *s)
+{
+ Slapi_Filter *newf = NULL;
+ Slapi_Filter *temp = NULL;
+ char *buf = slapi_ch_strdup(s);
+
+ newf = slapi_str2filter(buf);
+ slapi_ch_free((void **)&buf);
+
+ if (NULL == newf) {
+ return -1;
+ }
+
+ /* Now take the parts of newf and put them in f */
+ /* An easy way to do this is to preserve the "next" ptr */
+ temp = f->f_next;
+ *f = *newf;
+ f->f_next = temp;
+ /* Free the new filter husk */
+ slapi_ch_free((void **)&newf);
+ return 0;
+}
+
+/*
+ * Free the parts of a filter we're about to overwrite
+ * moved from ldbm_attr.c
+ */
+void
+slapi_filter_free_bits(Slapi_Filter *f)
+{
+ /* We need to free: */
+ switch (f->f_choice) {
+ case LDAP_FILTER_EQUALITY:
+ case LDAP_FILTER_GE:
+ case LDAP_FILTER_LE:
+ case LDAP_FILTER_APPROX:
+ ava_done(&f->f_ava);
+ break;
+
+ case LDAP_FILTER_PRESENT:
+ if (f->f_type != NULL) {
+ slapi_ch_free((void **)&(f->f_type));
+ }
+ break;
+
+ default:
+ break;
+ }
+}
+
+/*
+ * it replaces the bits of the Slapi_Filter with the ones taken from strfilter
+ */
+int
+slapi_filter_replace_strfilter(Slapi_Filter *f, char *strfilter)
+{
+ slapi_filter_free_bits(f);
+ return (slapi_filter_replace_ex(f, strfilter));
+}
+
static void
filter_normalize_ava(struct slapi_filter *f, PRBool norm_values)
{
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index e1f7beba5..79d04e418 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -5240,6 +5240,9 @@ int slapi_filter_get_choice(Slapi_Filter *f);
int slapi_filter_get_ava(Slapi_Filter *f, char **type, struct berval **bval);
int slapi_filter_get_attribute_type(Slapi_Filter *f, char **type);
int slapi_filter_get_subfilt(Slapi_Filter *f, char **type, char **initial, char ***any, char ** final);
+int slapi_filter_replace_ex(Slapi_Filter *f, char *s);
+void slapi_filter_free_bits(Slapi_Filter *f);
+int slapi_filter_replace_strfilter(Slapi_Filter *f, char *strfilter);
Slapi_Filter *slapi_filter_list_first(Slapi_Filter *f);
Slapi_Filter *slapi_filter_list_next(Slapi_Filter *f, Slapi_Filter *fprev);
Slapi_Filter *slapi_str2filter(char *str);
--
2.41.0

6384
0002-Issue-5156-RFE-that-implement-slapi_memberof-5694.patch Normal file
View File

File diff suppressed because it is too large Load Diff

33
0003-Issue-5551-Almost-empty-and-not-loaded-ns-slapd-high.patch Normal file
View File

@ -0,0 +1,33 @@
From 528c1e6b31e97bdd8ed43f04d56584f220ace403 Mon Sep 17 00:00:00 2001
From: John Obaterspok <john.obaterspok@gmail.com>
Date: Thu, 29 Jun 2023 19:19:27 +0200
Subject: [PATCH 3/5] Issue 5551 - Almost empty and not loaded ns-slapd high
cpu load
Bug Description: stracing the ns-slapd process one can see nanosleep gets called a lot as we only sleep for 1ms
Fix Description: Increasing the sleep time from 1ms to 500ms and the cpu usage will drop drop a few percent and strace will be more usable
relates: https://github.com/389ds/389-ds-base/issues/5551
Reviewd by: @mreynolds389
---
ldap/servers/slapd/daemon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index f0526684d..c5ad5ee0f 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -1119,7 +1119,7 @@ slapd_daemon(daemon_ports_t *ports)
/* The meat of the operation is in a loop on a call to select */
while (!g_get_shutdown()) {
- usleep(1000);
+ usleep(500 * 1000);
}
/* We get here when the server is shutting down */
/* Do what we have to do before death */
--
2.41.0

611
0004-Issue-4551-Paged-search-impacts-performance-5838.patch Normal file
View File

@ -0,0 +1,611 @@
From e8e73bf1434f8f459b9cdaee001fb2b6f161a6eb Mon Sep 17 00:00:00 2001
From: progier389 <progier@redhat.com>
Date: Tue, 18 Jul 2023 11:17:07 +0200
Subject: [PATCH 4/5] Issue 4551 - Paged search impacts performance (#5838)
* Issue 4551 - Paged search impacts performance
Problem:
Having a script looping doing a search with paged result impact greatly the performance of other clients
(for example ldclt bind+search rate decreased by 80% in the test case)
Cause:
Page result field in connection were protected by the connection mutex that is also used by the listener thread, in some cases this cause contention that delays the handling of new operations
Solution:
Do not rely on the connection mutex to protect the page result context but on a dedicated array of locks.
(cherry picked from commit 3c510e0a26e321949b552b5e8c887634d9d7e63e)
---
ldap/servers/slapd/daemon.c | 1 +
ldap/servers/slapd/main.c | 2 +
ldap/servers/slapd/opshared.c | 20 +++--
ldap/servers/slapd/pagedresults.c | 134 ++++++++++++++++++------------
ldap/servers/slapd/proto-slap.h | 3 +
5 files changed, 98 insertions(+), 62 deletions(-)
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index c5ad5ee0f..01168275f 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -1211,6 +1211,7 @@ slapd_daemon(daemon_ports_t *ports)
slapi_log_err(SLAPI_LOG_TRACE, "slapd_daemon",
"slapd shutting down - waiting for backends to close down\n");
+ pageresult_lock_cleanup();
eq_stop(); /* deprecated */
eq_stop_rel();
if (!in_referral_mode) {
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index f24650547..deae0af3b 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -1007,6 +1007,7 @@ main(int argc, char **argv)
eq_init_rel(); /* must be done before plugins started */
ps_init_psearch_system(); /* must come before plugin_startall() */
+ pageresult_lock_init();
/* initialize UniqueID generator - must be done once backends are started
@@ -2265,6 +2266,7 @@ slapd_exemode_db2ldif(int argc, char **argv, struct main_config *mcfg)
eq_init_rel(); /* must be done before plugins started */
ps_init_psearch_system(); /* must come before plugin_startall() */
+ pageresult_lock_init();
plugin_startall(argc, argv, plugin_list);
eq_start(); /* must be done after plugins started - DEPRECATED*/
eq_start_rel(); /* must be done after plugins started */
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index 789bd2e4f..a842d4249 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -271,6 +271,7 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
int pr_idx = -1;
Slapi_DN *orig_sdn = NULL;
int free_sdn = 0;
+ pthread_mutex_t *pagedresults_mutex = NULL;
be_list[0] = NULL;
referral_list[0] = NULL;
@@ -576,6 +577,7 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
int32_t tlimit;
slapi_pblock_get(pb, SLAPI_SEARCH_TIMELIMIT, &tlimit);
pagedresults_set_timelimit(pb_conn, operation, (time_t)tlimit, pr_idx);
+ pagedresults_mutex = pageresult_lock_get_addr(pb_conn);
}
/*
@@ -696,7 +698,7 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
* In async paged result case, the search result might be released
* by other theads. We need to double check it in the locked region.
*/
- pthread_mutex_lock(&(pb_conn->c_mutex));
+ pthread_mutex_lock(pagedresults_mutex);
pr_search_result = pagedresults_get_search_result(pb_conn, operation, 1 /*locked*/, pr_idx);
if (pr_search_result) {
if (pagedresults_is_abandoned_or_notavailable(pb_conn, 1 /*locked*/, pr_idx)) {
@@ -704,7 +706,7 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
/* Previous operation was abandoned and the simplepaged object is not in use. */
send_ldap_result(pb, 0, NULL, "Simple Paged Results Search abandoned", 0, NULL);
rc = LDAP_SUCCESS;
- pthread_mutex_unlock(&(pb_conn->c_mutex));
+ pthread_mutex_unlock(pagedresults_mutex);
goto free_and_return;
} else {
slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_SET, pr_search_result);
@@ -718,7 +720,7 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
pr_stat = PAGEDRESULTS_SEARCH_END;
rc = LDAP_SUCCESS;
}
- pthread_mutex_unlock(&(pb_conn->c_mutex));
+ pthread_mutex_unlock(pagedresults_mutex);
pagedresults_unlock(pb_conn, pr_idx);
if ((PAGEDRESULTS_SEARCH_END == pr_stat) || (0 == pnentries)) {
@@ -843,10 +845,10 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
/* PAGED RESULTS */
if (op_is_pagedresults(operation)) {
/* cleanup the slot */
- pthread_mutex_lock(&(pb_conn->c_mutex));
+ pthread_mutex_lock(pagedresults_mutex);
pagedresults_set_search_result(pb_conn, operation, NULL, 1, pr_idx);
rc = pagedresults_set_current_be(pb_conn, NULL, pr_idx, 1);
- pthread_mutex_unlock(&(pb_conn->c_mutex));
+ pthread_mutex_unlock(pagedresults_mutex);
}
if (1 == flag_no_such_object) {
break;
@@ -887,11 +889,11 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_SET, &sr);
if ((PAGEDRESULTS_SEARCH_END == pr_stat) || (0 == pnentries)) {
/* no more entries, but at least another backend */
- pthread_mutex_lock(&(pb_conn->c_mutex));
+ pthread_mutex_lock(pagedresults_mutex);
pagedresults_set_search_result(pb_conn, operation, NULL, 1, pr_idx);
be->be_search_results_release(&sr);
rc = pagedresults_set_current_be(pb_conn, next_be, pr_idx, 1);
- pthread_mutex_unlock(&(pb_conn->c_mutex));
+ pthread_mutex_unlock(pagedresults_mutex);
pr_stat = PAGEDRESULTS_SEARCH_END; /* make sure stat is SEARCH_END */
if (NULL == next_be) {
/* no more entries && no more backends */
@@ -919,9 +921,9 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
next_be = NULL; /* to break the loop */
if (operation->o_status & SLAPI_OP_STATUS_ABANDONED) {
/* It turned out this search was abandoned. */
- pthread_mutex_lock(&(pb_conn->c_mutex));
+ pthread_mutex_lock(pagedresults_mutex);
pagedresults_free_one_msgid_nolock(pb_conn, operation->o_msgid);
- pthread_mutex_unlock(&(pb_conn->c_mutex));
+ pthread_mutex_unlock(pagedresults_mutex);
/* paged-results-request was abandoned; making an empty cookie. */
pagedresults_set_response_control(pb, 0, estimate, -1, pr_idx);
send_ldap_result(pb, 0, NULL, "Simple Paged Results Search abandoned", 0, NULL);
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 54aa086e8..fc15f6bec 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -12,6 +12,34 @@
#include "slap.h"
+#define LOCK_HASH_SIZE 997 /* Should be a prime number */
+
+static pthread_mutex_t *lock_hash = NULL;
+
+void
+pageresult_lock_init()
+{
+ lock_hash = (pthread_mutex_t *)slapi_ch_calloc(LOCK_HASH_SIZE, sizeof(pthread_mutex_t));
+ for (size_t i=0; i<LOCK_HASH_SIZE; i++) {
+ pthread_mutex_init(&lock_hash[i], NULL);
+ }
+}
+
+void
+pageresult_lock_cleanup()
+{
+ for (size_t i=0; i<LOCK_HASH_SIZE; i++) {
+ pthread_mutex_destroy(&lock_hash[i]);
+ }
+ slapi_ch_free((void**)&lock_hash);
+}
+
+pthread_mutex_t *
+pageresult_lock_get_addr(Connection *conn)
+{
+ return &lock_hash[(((size_t)conn)/sizeof (Connection))%LOCK_HASH_SIZE];
+}
+
/* helper function to clean up one prp slot */
static void
_pr_cleanup_one_slot(PagedResults *prp)
@@ -98,7 +126,7 @@ pagedresults_parse_control_value(Slapi_PBlock *pb,
return LDAP_UNWILLING_TO_PERFORM;
}
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
/* the ber encoding is no longer needed */
ber_free(ber, 1);
if (cookie.bv_len <= 0) {
@@ -206,7 +234,7 @@ bail:
}
}
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_parse_control_value",
"<= idx %d\n", *index);
@@ -300,7 +328,7 @@ pagedresults_free_one(Connection *conn, Operation *op, int index)
slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_free_one",
"=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (conn->c_pagedresults.prl_count <= 0) {
slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_free_one",
"conn=%" PRIu64 " paged requests list count is %d\n",
@@ -311,7 +339,7 @@ pagedresults_free_one(Connection *conn, Operation *op, int index)
conn->c_pagedresults.prl_count--;
rc = 0;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_free_one", "<= %d\n", rc);
@@ -319,7 +347,7 @@ pagedresults_free_one(Connection *conn, Operation *op, int index)
}
/*
- * Used for abandoning - conn->c_mutex is already locked in do_abandone.
+ * Used for abandoning - pageresult_lock_get_addr(conn) is already locked in do_abandone.
*/
int
pagedresults_free_one_msgid_nolock(Connection *conn, ber_int_t msgid)
@@ -363,11 +391,11 @@ pagedresults_get_current_be(Connection *conn, int index)
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_current_be", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
be = conn->c_pagedresults.prl_list[index].pr_current_be;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_current_be", "<= %p\n", be);
@@ -382,13 +410,13 @@ pagedresults_set_current_be(Connection *conn, Slapi_Backend *be, int index, int
"pagedresults_set_current_be", "=> idx=%d\n", index);
if (conn && (index > -1)) {
if (!nolock)
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
conn->c_pagedresults.prl_list[index].pr_current_be = be;
}
rc = 0;
if (!nolock)
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_set_current_be", "<= %d\n", rc);
@@ -407,13 +435,13 @@ pagedresults_get_search_result(Connection *conn, Operation *op, int locked, int
locked ? "locked" : "not locked", index);
if (conn && (index > -1)) {
if (!locked) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
}
if (index < conn->c_pagedresults.prl_maxlen) {
sr = conn->c_pagedresults.prl_list[index].pr_search_result_set;
}
if (!locked) {
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
}
slapi_log_err(SLAPI_LOG_TRACE,
@@ -433,7 +461,7 @@ pagedresults_set_search_result(Connection *conn, Operation *op, void *sr, int lo
index, sr);
if (conn && (index > -1)) {
if (!locked)
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
PagedResults *prp = conn->c_pagedresults.prl_list + index;
if (!(prp->pr_flags & CONN_FLAG_PAGEDRESULTS_ABANDONED) || !sr) {
@@ -443,7 +471,7 @@ pagedresults_set_search_result(Connection *conn, Operation *op, void *sr, int lo
rc = 0;
}
if (!locked)
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_set_search_result", "=> %d\n", rc);
@@ -460,11 +488,11 @@ pagedresults_get_search_result_count(Connection *conn, Operation *op, int index)
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_search_result_count", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
count = conn->c_pagedresults.prl_list[index].pr_search_result_count;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_search_result_count", "<= %d\n", count);
@@ -481,11 +509,11 @@ pagedresults_set_search_result_count(Connection *conn, Operation *op, int count,
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_set_search_result_count", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
conn->c_pagedresults.prl_list[index].pr_search_result_count = count;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
rc = 0;
}
slapi_log_err(SLAPI_LOG_TRACE,
@@ -506,11 +534,11 @@ pagedresults_get_search_result_set_size_estimate(Connection *conn,
"pagedresults_get_search_result_set_size_estimate",
"=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
count = conn->c_pagedresults.prl_list[index].pr_search_result_set_size_estimate;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_search_result_set_size_estimate", "<= %d\n",
@@ -532,11 +560,11 @@ pagedresults_set_search_result_set_size_estimate(Connection *conn,
"pagedresults_set_search_result_set_size_estimate",
"=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
conn->c_pagedresults.prl_list[index].pr_search_result_set_size_estimate = count;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
rc = 0;
}
slapi_log_err(SLAPI_LOG_TRACE,
@@ -555,11 +583,11 @@ pagedresults_get_with_sort(Connection *conn, Operation *op, int index)
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_with_sort", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
flags = conn->c_pagedresults.prl_list[index].pr_flags & CONN_FLAG_PAGEDRESULTS_WITH_SORT;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_with_sort", "<= %d\n", flags);
@@ -576,14 +604,14 @@ pagedresults_set_with_sort(Connection *conn, Operation *op, int flags, int index
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_set_with_sort", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
if (flags & OP_FLAG_SERVER_SIDE_SORTING) {
conn->c_pagedresults.prl_list[index].pr_flags |=
CONN_FLAG_PAGEDRESULTS_WITH_SORT;
}
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
rc = 0;
}
slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_set_with_sort", "<= %d\n", rc);
@@ -600,11 +628,11 @@ pagedresults_get_unindexed(Connection *conn, Operation *op, int index)
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_unindexed", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
flags = conn->c_pagedresults.prl_list[index].pr_flags & CONN_FLAG_PAGEDRESULTS_UNINDEXED;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_unindexed", "<= %d\n", flags);
@@ -621,12 +649,12 @@ pagedresults_set_unindexed(Connection *conn, Operation *op, int index)
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_set_unindexed", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
conn->c_pagedresults.prl_list[index].pr_flags |=
CONN_FLAG_PAGEDRESULTS_UNINDEXED;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
rc = 0;
}
slapi_log_err(SLAPI_LOG_TRACE,
@@ -644,11 +672,11 @@ pagedresults_get_sort_result_code(Connection *conn, Operation *op, int index)
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_sort_result_code", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
code = conn->c_pagedresults.prl_list[index].pr_sort_result_code;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_get_sort_result_code", "<= %d\n", code);
@@ -665,11 +693,11 @@ pagedresults_set_sort_result_code(Connection *conn, Operation *op, int code, int
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_set_sort_result_code", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
conn->c_pagedresults.prl_list[index].pr_sort_result_code = code;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
rc = 0;
}
slapi_log_err(SLAPI_LOG_TRACE,
@@ -687,11 +715,11 @@ pagedresults_set_timelimit(Connection *conn, Operation *op, time_t timelimit, in
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_set_timelimit", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
slapi_timespec_expire_at(timelimit, &(conn->c_pagedresults.prl_list[index].pr_timelimit_hr));
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
rc = 0;
}
slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_set_timelimit", "<= %d\n", rc);
@@ -746,7 +774,7 @@ pagedresults_cleanup(Connection *conn, int needlock)
}
if (needlock) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
}
for (i = 0; conn->c_pagedresults.prl_list &&
i < conn->c_pagedresults.prl_maxlen;
@@ -765,7 +793,7 @@ pagedresults_cleanup(Connection *conn, int needlock)
}
conn->c_pagedresults.prl_count = 0;
if (needlock) {
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
/* slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_cleanup", "<= %d\n", rc); */
return rc;
@@ -789,7 +817,7 @@ pagedresults_cleanup_all(Connection *conn, int needlock)
}
if (needlock) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
}
for (i = 0; conn->c_pagedresults.prl_list &&
i < conn->c_pagedresults.prl_maxlen;
@@ -809,7 +837,7 @@ pagedresults_cleanup_all(Connection *conn, int needlock)
conn->c_pagedresults.prl_maxlen = 0;
conn->c_pagedresults.prl_count = 0;
if (needlock) {
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
return rc;
}
@@ -827,7 +855,7 @@ pagedresults_check_or_set_processing(Connection *conn, int index)
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_check_or_set_processing", "=>\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
ret = (conn->c_pagedresults.prl_list[index].pr_flags &
CONN_FLAG_PAGEDRESULTS_PROCESSING);
@@ -835,7 +863,7 @@ pagedresults_check_or_set_processing(Connection *conn, int index)
conn->c_pagedresults.prl_list[index].pr_flags |=
CONN_FLAG_PAGEDRESULTS_PROCESSING;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_check_or_set_processing", "<= %d\n", ret);
@@ -854,7 +882,7 @@ pagedresults_reset_processing(Connection *conn, int index)
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_reset_processing", "=> idx=%d\n", index);
if (conn && (index > -1)) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
ret = (conn->c_pagedresults.prl_list[index].pr_flags &
CONN_FLAG_PAGEDRESULTS_PROCESSING);
@@ -862,7 +890,7 @@ pagedresults_reset_processing(Connection *conn, int index)
conn->c_pagedresults.prl_list[index].pr_flags &=
~CONN_FLAG_PAGEDRESULTS_PROCESSING;
}
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
slapi_log_err(SLAPI_LOG_TRACE,
"pagedresults_reset_processing", "<= %d\n", ret);
@@ -881,7 +909,7 @@ pagedresults_reset_processing(Connection *conn, int index)
* Do not return timed out here. But let the next request take care the
* timedout slot(s).
*
- * must be called within conn->c_mutex
+ * must be called within pageresult_lock_get_addr(conn)
*/
int
pagedresults_is_timedout_nolock(Connection *conn)
@@ -908,7 +936,7 @@ pagedresults_is_timedout_nolock(Connection *conn)
/*
* reset all timeout
- * must be called within conn->c_mutex
+ * must be called within pageresult_lock_get_addr(conn)
*/
int
pagedresults_reset_timedout_nolock(Connection *conn)
@@ -973,9 +1001,9 @@ pagedresults_lock(Connection *conn, int index)
if (!conn || (index < 0) || (index >= conn->c_pagedresults.prl_maxlen)) {
return;
}
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
prp = conn->c_pagedresults.prl_list + index;
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
if (prp->pr_mutex) {
PR_Lock(prp->pr_mutex);
}
@@ -989,9 +1017,9 @@ pagedresults_unlock(Connection *conn, int index)
if (!conn || (index < 0) || (index >= conn->c_pagedresults.prl_maxlen)) {
return;
}
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
prp = conn->c_pagedresults.prl_list + index;
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
if (prp->pr_mutex) {
PR_Unlock(prp->pr_mutex);
}
@@ -1006,11 +1034,11 @@ pagedresults_is_abandoned_or_notavailable(Connection *conn, int locked, int inde
return 1; /* not abandoned, but do not want to proceed paged results op. */
}
if (!locked) {
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
}
prp = conn->c_pagedresults.prl_list + index;
if (!locked) {
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
return prp->pr_flags & CONN_FLAG_PAGEDRESULTS_ABANDONED;
}
@@ -1035,13 +1063,13 @@ pagedresults_set_search_result_pb(Slapi_PBlock *pb, void *sr, int locked)
"pagedresults_set_search_result_pb", "=> idx=%d, sr=%p\n", index, sr);
if (conn && (index > -1)) {
if (!locked)
- pthread_mutex_lock(&(conn->c_mutex));
+ pthread_mutex_lock(pageresult_lock_get_addr(conn));
if (index < conn->c_pagedresults.prl_maxlen) {
conn->c_pagedresults.prl_list[index].pr_search_result_set = sr;
rc = 0;
}
if (!locked) {
- pthread_mutex_unlock(&(conn->c_mutex));
+ pthread_mutex_unlock(pageresult_lock_get_addr(conn));
}
}
slapi_log_err(SLAPI_LOG_TRACE,
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index e8d3aaccd..43abc033f 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -1582,6 +1582,9 @@ int slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt, int s
/*
* pagedresults.c
*/
+void pageresult_lock_init();
+void pageresult_lock_cleanup();
+pthread_mutex_t *pageresult_lock_get_addr(Connection *conn);
int pagedresults_parse_control_value(Slapi_PBlock *pb, struct berval *psbvp, ber_int_t *pagesize, int *index, Slapi_Backend *be);
void pagedresults_set_response_control(Slapi_PBlock *pb, int iscritical, ber_int_t estimate, int curr_search_count, int index);
Slapi_Backend *pagedresults_get_current_be(Connection *conn, int index);
--
2.41.0

13
389-ds-base.spec
View File

@ -47,7 +47,7 @@ ExcludeArch: i686
Summary: 389 Directory Server (base)
Name: 389-ds-base
Version: 2.3.4
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv3+ and ASL 2.0 and MIT
URL: https://www.port389.org
Conflicts: selinux-policy-base < 3.9.8
@ -296,7 +296,10 @@ Source2: %{name}-devel.README
Source3: https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
%endif
Source4: 389-ds-base.sysusers
Patch01: 0001-Issue-5722-RFE-When-a-filter-contains-nsrole-improve.patch
Patch02: 0002-Issue-5156-RFE-that-implement-slapi_memberof-5694.patch
Patch03: 0003-Issue-5551-Almost-empty-and-not-loaded-ns-slapd-high.patch
Patch04: 0004-Issue-4551-Paged-search-impacts-performance-5838.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@ -738,6 +741,12 @@ exit 0
%endif
%changelog
* Mon Jul 24 2023 Mark Reynolds <mreynolds@redhat.com> - 2.3.4-3
- Bump version to 2.3.4-3
- Resolves: rhbz#2189954 - RFE Improve reponse time to filters containing 'nsrole'
- Resolves: rhbz#2189946 - RFE support of slapi_memberof for plugins/core server
- Resolves: rhbz#1974242 - Paged search impacts performance
* Fri May 19 2023 Mark Reynolds <mreynolds@redhat.com> - 2.3.4-2
- Bump version to 2.3.4-2
- Resolves: rhbz#2188627 - Fix license