URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

frasertweedale commented:
@tomaskrizek @HonzaCholasta it looks like the problem is:

1. subsearches are conducted in order:
    1. `_cert_search` (if `'certificate' in options` add key to result and 
"seal" it)
    2. `_ca_search` (actually perform the search against Dogtag, via `ra.find`)
    3. `_ldap_search` (look for local entries that have given cert in their 
`userCertificate` attr.

2. if no explicit `sizelimit` is requested, and if there are > 100 entries with 
`(userCertificate=*)`, `_ldap_search` will be truncated, and this result is 
carried across to the final result.  The cert search from Dogtag is not 
truncated, but the search for entries to use to filter the result may have been 

The simplest way to resolve this is (I think) to forcibly execute 
`_ldap_search` with `sizelimit=0`.

IMO `_ldap_search` should also be avoided or short-circuited if none of the 
owner-flitering options to `cert-find` are given.  (edit to note: this will not 
find certs that are in IPA LDAP but not in Dogtag, which is guess is the wrong 
behaviour..? So I think we just have to have sizelimit=0.  I am concerned about 
performance impact of cert-find with many principals with certs set... but that 
is a separate issue).

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to