Blame SOURCES/0008-krb5-Do-not-use-unindexed-objectCategory-in-a-search.patch

From e4dd2843a4a302ababd3ccedfbf23832244a1655 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sat, 23 Mar 2019 21:53:05 +0100
Subject: [PATCH] krb5: Do not use unindexed objectCategory in a search filter
Related:
https://pagure.io/SSSD/sssd/issue/3968
Since we switched to using objectcategory instead of objectclass for
users and groups, the objectCategory attribute is also not indexed. This
means that searches using this attribute must traverse the whole
database which can be very slow.
This patch uses the cn=users container instead of the full sysdb
container as the search base which is more or less equivalent to using
objectCategory=user anyway.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit e474c2dd305db654b42f2a123a6f60d12d7978c5)
---
 src/providers/krb5/krb5_renew_tgt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
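diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
index 549c08c6f..c7e2bd91f 100644
--- a/src/providers/krb5/krb5_renew_tgt.c
+++ b/src/providers/krb5/krb5_renew_tgt.c
@@ -385,7 +385,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx)
 {
     TALLOC_CTX *tmp_ctx;
     int ret;
-    const char *ccache_filter = "(&("SYSDB_CCACHE_FILE"=*)("SYSDB_UC"))";
+    const char *ccache_filter = SYSDB_CCACHE_FILE"=*";
     const char *ccache_attrs[] = { SYSDB_CCACHE_FILE, SYSDB_UPN, SYSDB_NAME,
                                    SYSDB_CANONICAL_UPN, NULL };
     size_t msgs_count = 0;
@@ -403,7 +403,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx)
         return ENOMEM;
     }
 
-    base_dn = sysdb_base_dn(renew_tgt_ctx->be_ctx->domain->sysdb, tmp_ctx);
+    base_dn = sysdb_user_base_dn(tmp_ctx, renew_tgt_ctx->be_ctx->domain);
     if (base_dn == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "sysdb_base_dn failed.\n");
         ret = ENOMEM;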
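Review bot: The failure message under the changed call in the second hunk still reads `sysdb_base_dn failed.` although the call is now `sysdb_user_base_dn`, so anyone triaging a renewal failure from the logs is pointed at the wrong function; it should become `DEBUG(SSSDBG_OP_FAILURE, "sysdb_user_base_dn failed.\n");`. In the first hunk the filter no longer carries the `SYSDB_UC` term, so by the commit message's own reasoning the search base alone now keeps the ccache lookup confined to user entries. A comment above `ccache_filter` such as `/* No objectCategory term (unindexed); the cn=users search base restricts results to user entries. */` would record that dependency, so a later change does not widen the base without restoring the filter. The body of check_ccache_files continues outside both hunks, so how the results are consumed is not visible here.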
-- 
2.19.1