From e4dd2843a4a302ababd3ccedfbf23832244a1655 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Sat, 23 Mar 2019 21:53:05 +0100 Subject: [PATCH] krb5: Do not use unindexed objectCategory in a search filter Related: https://pagure.io/SSSD/sssd/issue/3968 Since we switched to using objectcategory instead of objectclass for users and groups, the objectCategory attribute is also not indexed. This means that searches using this attribute must traverse the whole database which can be very slow. This patch uses the cn=users container instead of the full sysdb container as the search base which is more or less equivalent to using objectCategory=user anyway. Reviewed-by: Alexey Tikhonov (cherry picked from commit e474c2dd305db654b42f2a123a6f60d12d7978c5) --- src/providers/krb5/krb5_renew_tgt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c index 549c08c6f..c7e2bd91f 100644 --- a/src/providers/krb5/krb5_renew_tgt.c +++ b/src/providers/krb5/krb5_renew_tgt.c @@ -385,7 +385,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx) { TALLOC_CTX *tmp_ctx; int ret; - const char *ccache_filter = "(&("SYSDB_CCACHE_FILE"=*)("SYSDB_UC"))"; + const char *ccache_filter = SYSDB_CCACHE_FILE"=*"; const char *ccache_attrs[] = { SYSDB_CCACHE_FILE, SYSDB_UPN, SYSDB_NAME, SYSDB_CANONICAL_UPN, NULL }; size_t msgs_count = 0; @@ -403,7 +403,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx) return ENOMEM; } - base_dn = sysdb_base_dn(renew_tgt_ctx->be_ctx->domain->sysdb, tmp_ctx); + base_dn = sysdb_user_base_dn(tmp_ctx, renew_tgt_ctx->be_ctx->domain); if (base_dn == NULL) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_base_dn failed.\n"); ret = ENOMEM; -- 2.19.1
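Review bot: In the first hunk (the `ccache_filter` initializer in check_ccache_files) the filter no longer carries any object-type term, so limiting the result to user entries now depends entirely on the search base chosen in the second hunk, and nothing in the code records that coupling. I would add a comment above the initializer, for example `/* No objectCategory term: it is unindexed; the cn=users search base limits matches to user entries. */`, so a later change to the base DN does not silently widen which entries feed ticket renewal. I would also keep the parenthesized form the old filter used, `const char *ccache_filter = "("SYSDB_CCACHE_FILE"=*)";`. The function body continues outside the hunk, so the search call and its scope are not visible here.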
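Review bot: In the second hunk the failure message under the changed call still reads `"sysdb_base_dn failed.\n"`, although the function called is now `sysdb_user_base_dn`. Someone triaging a failed TGT renewal from the debug log would be pointed at the wrong helper. The line should become `DEBUG(SSSDBG_OP_FAILURE, "sysdb_user_base_dn failed.\n");`. The enclosing function starts and ends outside the hunk.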