From e4dd2843a4a302ababd3ccedfbf23832244a1655 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Sat, 23 Mar 2019 21:53:05 +0100

Subject: [PATCH] krb5: Do not use unindexed objectCategory in a search filter

Related:

https://pagure.io/SSSD/sssd/issue/3968

Since we switched to using objectcategory instead of objectclass for

users and groups, the objectCategory attribute is also not indexed. This

means that searches using this attribute must traverse the whole

database which can be very slow.

This patch uses the cn=users container instead of the full sysdb

container as the search base which is more or less equivalent to using

objectCategory=user anyway.

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

(cherry picked from commit e474c2dd305db654b42f2a123a6f60d12d7978c5)

---

 src/providers/krb5/krb5_renew_tgt.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c

index 549c08c6f..c7e2bd91f 100644

--- a/src/providers/krb5/krb5_renew_tgt.c

+++ b/src/providers/krb5/krb5_renew_tgt.c

@@ -385,7 +385,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx)

 {

     TALLOC_CTX *tmp_ctx;

     int ret;

-    const char *ccache_filter = "(&("SYSDB_CCACHE_FILE"=*)("SYSDB_UC"))";

+    const char *ccache_filter = SYSDB_CCACHE_FILE"=*";

     const char *ccache_attrs[] = { SYSDB_CCACHE_FILE, SYSDB_UPN, SYSDB_NAME,

                                    SYSDB_CANONICAL_UPN, NULL };

     size_t msgs_count = 0;

@@ -403,7 +403,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx)

         return ENOMEM;

     }

-    base_dn = sysdb_base_dn(renew_tgt_ctx->be_ctx->domain->sysdb, tmp_ctx);

+    base_dn = sysdb_user_base_dn(tmp_ctx, renew_tgt_ctx->be_ctx->domain);

     if (base_dn == NULL) {

         DEBUG(SSSDBG_OP_FAILURE, "sysdb_base_dn failed.\n");

         ret = ENOMEM;

-- 

2.19.1