URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

frasertweedale commented:
"""
@tomaskrizek @HonzaCholasta it looks like the problem is:

1. subsearches are conducted in order:
    1. `_cert_search` (if `'certificate' in options` add key to result and 
"seal" it)
    2. `_ca_search` (actually perform the search against Dogtag, via `ra.find`)
    3. `_ldap_search` (look for local entries that have given cert in their 
`userCertificate` attr.

2. Due to raising of search limit internally within `ra.find`, `_ca_search` 
will return `sub_complete = True` always.

3. ~line 1477:

    ```python
    if sub_complete:
        sizelimit = None
        ...
    ```
    This causes the next sub-search (`_ldap_search`) to be carried out with the 
*default* size limit (100).

4. If there are > 100 entries with the `(userCertificate=*)`, this search will 
be truncated, and this result is carried across to the final result.  The cert 
search from Dogtag is not truncated, but the search for entries to use to 
filter the result may have been truncated.

The simplest way to resolve this is (I think) to forcibly execute 
`_ldap_search` with `sizelimit=0`.

IMO `_ldap_search` should also be avoided or short-circuited if none of the 
owner-flitering options to `cert-find` are given.  (edit to note: this will not 
find certs that are in IPA LDAP but not in Dogtag, which is guess is the wrong 
behaviour..? So I think we just have to have sizelimit=0.  I am concerned about 
performance impact of cert-find with many principals with certs set... but that 
is a separate issue).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/359#issuecomment-270283124
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to