URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates
frasertweedale commented:
"""
@tomaskrizek @HonzaCholasta it looks like the problem is:

1. subsearches are conducted in order:
   1. `_cert_search` (if `'certificate' in options` add key to result and "seal" it)
   2. `_ca_search` (actually perform the search against Dogtag, via `ra.find`)
   3. `_ldap_search` (look for local entries that have given cert in their `userCertificate` attr.)
2. if no explicit `sizelimit` is requested, and if there are > 100 entries with `(userCertificate=*)`, `_ldap_search` will be truncated, and this result is carried across to the final result. The cert search from Dogtag is not truncated, but the search for entries to use to filter the result may have been truncated.

The simplest way to resolve this is (I think) to forcibly execute `_ldap_search` with `sizelimit=0`.

IMO `_ldap_search` should also be avoided or short-circuited if none of the owner-filtering options to `cert-find` are given. (edit to note: this will not find certs that are in IPA LDAP but not in Dogtag, which I guess is the wrong behaviour..? So I think we just have to have sizelimit=0. I am concerned about performance impact of cert-find with many principals with certs set... but that is a separate issue).
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/359#issuecomment-270283124
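The truncation described in the comment, as an added, constructed model that is not FreeIPA's code: Dogtag and LDAP are replaced by in-memory dicts, the 100-entry default size limit is an assumption of the model, and `cert_find` shows how a truncated `_ldap_search` result leaks into the combined result unless the LDAP subsearch is run with `sizelimit=0`.

```python
# Constructed model of the cert-find subsearch pipeline discussed above.
# Not FreeIPA's implementation: Dogtag and LDAP are in-memory dicts and the
# 100-entry default size limit is an assumption of this model.

DEFAULT_SIZELIMIT = 100  # assumed default applied when none is requested

# Constructed data: 150 certs issued by the CA, each bound to one host's
# userCertificate attribute in LDAP.
DOGTAG_CERTS = {serial: f"cert-{serial}" for serial in range(1, 151)}
LDAP_OWNERS = {f"cert-{serial}": f"host{serial}.example.test"
               for serial in range(1, 151)}


def ca_search():
    """Model of _ca_search: Dogtag returns every matching cert, untruncated."""
    return dict(DOGTAG_CERTS)


def ldap_search(sizelimit):
    """Model of _ldap_search over (userCertificate=*).

    Returns the cert -> owner map and whether the server truncated it.
    sizelimit=0 means 'no limit'.
    """
    items = list(LDAP_OWNERS.items())
    truncated = bool(sizelimit) and len(items) > sizelimit
    if truncated:
        items = items[:sizelimit]
    return dict(items), truncated


def cert_find(ldap_sizelimit=None):
    """Combine the subsearches; the LDAP truncation flag is carried over.

    Certs whose owner entry fell past the LDAP limit come back without an owner.
    """
    limit = DEFAULT_SIZELIMIT if ldap_sizelimit is None else ldap_sizelimit
    owners, truncated = ldap_search(limit)
    result = [{"serial": serial, "owner": owners.get(cert)}
              for serial, cert in ca_search().items()]
    return result, truncated


def missing_owners(result):
    """Serials in the combined result that lost their LDAP owner."""
    return [r["serial"] for r in result if r["owner"] is None]


if __name__ == "__main__":
    buggy, truncated = cert_find()
    print(truncated, len(missing_owners(buggy)))        # True 50
    fixed, truncated = cert_find(ldap_sizelimit=0)
    print(truncated, len(missing_owners(fixed)))        # False 0
```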