From 031d08b13cec4c6c538a9c344576d349481ceeea Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Thu, 23 Jan 2014 12:22:38 +0100
Subject: [PATCH 7/9] Limit memberOf and refInt DS plugins to main IPA suffix.

This drastically improves performance of retro changelog trimming.

https://fedorahosted.org/freeipa/ticket/3967
---
 freeipa.spec.in                    |  6 +++---
 install/updates/20-syncrepl.update | 13 ++++++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 4f60be6ccd623de4574c7627e0ffc4ff0829e701..ef96c7c271ebba33b15d9b35891092e4151c3aae 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -21,7 +21,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.1.3
+BuildRequires:  389-ds-base-devel >= 1.3.2.10
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
@@ -95,7 +95,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.3
+Requires: 389-ds-base >= 1.3.2.10
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss >= 3.14.3-2
@@ -150,7 +150,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.1.3
+Requires(pre): 389-ds-base >= 1.3.2.10
 
 # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
 # entire SELinux policy is stored in the system policy
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index c4158a1634410acd323f04f442bbbd2f69c24708..e1184bf48285fb216dfb0c82e5e97bb8cc35539c 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -1,9 +1,20 @@
-# Enable Retro changelog
+# Enable Retro changelog - it is necessary for SyncRepl
 dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
+# Remember original nsuniqueid for objects referenced from cn=changelog
 add:nsslapd-attribute: nsuniqueid:targetUniqueId
 add:nsslapd-changelogmaxage: 2d
 
+# Keep memberOf and referential integrity plugins away from cn=changelog.
+# It is necessary for performance reasons because we don't have appropriate
+# indices for cn=changelog.
+dn: cn=MemberOf Plugin,cn=plugins,cn=config
+add:memberofentryscope: '$SUFFIX'
+
+dn: cn=referential integrity postoperation,cn=plugins,cn=config
+add:nsslapd-plugincontainerscope: '$SUFFIX'
+add:nsslapd-pluginentryscope: '$SUFFIX'
+
 # Enable SyncRepl
 dn: cn=Content Synchronization,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
-- 
1.8.5.3