URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

frasertweedale commented:
@tomaskrizek @HonzaCholasta it looks like the problem is:

1. subsearches are conducted in order:
    1. `_cert_search` (if `'certificate' in options` add key to result and
       "seal" it)
    2. `_ca_search` (actually perform the search against Dogtag, via `ra.find`)
    3. `_ldap_search` (look for local entries that have given cert in their
       `userCertificate` attr.)

2. Due to raising of search limit internally within `ra.find`, for this
   sub-search, `sub_complete = True` always.

3. ~line 1477:

        if sub_complete:
            sizelimit = None

   This causes the next sub-search (`_ldap_search`) to be carried out with the
   *default* size limit (100).

4. If there are > 100 entries with the `(userCertificate=*)`, this search will
   be truncated, and this result is carried across to the final result.  The cert
   search from Dogtag is not truncated, but the search for entries to use to
   filter the result may have been truncated.

The simplest way to resolve this is (I think) to forcibly execute
`_ldap_search` with `sizelimit=0`.
IMO `_ldap_search` should also be avoided or short-circuited if none of the
owner-filtering options to `cert-find` are given.

See the full comment at 
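Added illustration, not FreeIPA's own code: a simplified model of the sub-search chain described in the comment, showing how the LDAP owner lookup being truncated at the default limit drops certificates that Dogtag did return, and how forcing `sizelimit=0` (assumed here to mean "no limit") on that sub-search avoids it. The function names and the sample data are constructed for the model.

```python
"""Simplified model (not FreeIPA code) of the cert-find sub-search chain.

ra.find raises the Dogtag search limit internally, so _ca_search is always
complete; the caller then resets sizelimit to None and _ldap_search runs with
the default limit (100). Because the LDAP owner lookup is used to filter the
Dogtag result, a truncated owner list silently drops certificates.
"""
DEFAULT_SIZELIMIT = 100  # default size limit, as stated in the comment


def ca_search(dogtag_certs):
    # Model of _ca_search: never truncated, so sub_complete is always True.
    return list(dogtag_certs), True


def ldap_search(entries, sizelimit):
    # Model of _ldap_search: sizelimit None -> default limit, 0 -> unlimited
    # (the 0-means-unlimited convention is an assumption of this model).
    if sizelimit is None:
        sizelimit = DEFAULT_SIZELIMIT
    return list(entries) if sizelimit == 0 else list(entries[:sizelimit])


def cert_find(dogtag_certs, ldap_entries, force_unlimited_ldap=False):
    results, sub_complete = ca_search(dogtag_certs)
    # The step the comment points at (~line 1477): a complete sub-search
    # resets sizelimit to None, i.e. the *default* limit for the next one.
    sizelimit = None if sub_complete else DEFAULT_SIZELIMIT
    if force_unlimited_ldap:
        sizelimit = 0  # proposed fix: run _ldap_search with sizelimit=0
    owners = ldap_search(ldap_entries, sizelimit)
    owned = {e["userCertificate"] for e in owners}
    # Certificates survive only if an owner entry was found for them, so a
    # truncated owner list discards certificates Dogtag actually returned.
    return [c for c in results if c in owned]


# Constructed sample: 150 certificates, each held by exactly one LDAP entry.
SAMPLE_CERTS = ["cert-%03d" % i for i in range(150)]
SAMPLE_ENTRIES = [{"dn": "uid=user%03d" % i, "userCertificate": c}
                  for i, c in enumerate(SAMPLE_CERTS)]

if __name__ == "__main__":
    print(len(cert_find(SAMPLE_CERTS, SAMPLE_ENTRIES)))        # 100: truncated
    print(len(cert_find(SAMPLE_CERTS, SAMPLE_ENTRIES, True)))  # 150: complete
```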