#3507 Long search filters are created during IPA sudo command + command group retrieval
Closed: Fixed 2 years ago Opened 2 years ago by jstephen.

In large IPA environments where a high number of sudo commands and command groups are used, retrieval of sudo data can lead to SSSD constructing an overly large search filter which is not handled well on the ns-slapd side.

[sssd[be[example.com]]] [ipa_sudo_fetch_cmds] (0x0400): About to fetch sudo commands
[sssd[be[example.com]]] [sdap_search_bases_ex_next_base] (0x0400): Issuing LDAP lookup with base [cn=sudo,dc=example,dc=com]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipasudocmd)(|(ipaUniqueID=5cbdcd46-25b4-11e7-848f-005056903d23)(ipaUniqueID=3196e868-cc10-11e5-910c-005056af6b59)(ipaUniqueID=3b73dd06-719c-11e5-a20d-005056af6c53)(ipaUniqueID=f88b04be-719c-11e5-8589-005056af6c53)(ipaUniqueID=609e4a12-719c-11e5-bfe7-005056af6c53)(ipaUniqueID=a24a0712-719c-11e5-bfe7-005056af6c53)(ipaUniqueID=c8dcdef4-719c-11e5-9013-005056af6c53)(ipaUniqueID=b6374b40-719c-11e5-b580-005056af6c53)(ipaUniqueID=5e1e137a-719d-11e5-9491-005056af6c53)(ipaUniqueID=f1a3814e-719c-11e5-88b1-005056af6c53)(ipaUniqueID=08da87aa-719c-11e5-9013-005056af6c53)(ipaUniqueID=98a2b064-719d-11e5-84e8-005056af6c53)(ipaUniqueID=99a7efb0-719d-11e5-bd5c-005056af6c53)(ipaUniqueID=1cd4519c-016f-11e6-9238-005056905903)(ipaUniqueID=86e0e5ae-719c-11e5-b298-005056af6c53)(ipaUniqueID=403bb138-719c-11e5-9538-005056af6c53)(ipaUniqueID=ebfa80e2-ccd3-11e6-aac6-005056b8755d)(ipaUniqueID=a7e19a40-719d-11e5-a20d-005056af6c53)

...

and so on for every IPA sudo command applicable to the host
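A triage sketch for the symptom reported above, added here as an example (it is not part of the ticket or of SSSD): it scans SSSD debug log lines for `ldap_search_ext` calls and flags filters carrying many `ipaUniqueID` terms, including lines cut off mid-filter. The thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import re

# Debug line in which SSSD logs the filter it hands to ldap_search_ext.
SEARCH_RE = re.compile(r"\[sdap_get_generic_ext_step\] \(0x[0-9a-fA-F]+\): "
                       r"calling ldap_search_ext with \[(.*)")
TERM_RE = re.compile(r"\(ipaUniqueID=[^()]*\)")
MAX_TERMS = 20    # assumed threshold, tune for your directory server
MAX_CHARS = 1024  # assumed threshold

def split_filter(text):
    """Return (filter, complete): the balanced leading filter, or all of
    the text with complete=False when the line ends before it closes."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[:i + 1], True
    return text, False

def inspect_line(line):
    """Describe the filter on an ldap_search_ext line, or return None."""
    m = SEARCH_RE.search(line)
    if not m:
        return None
    flt, complete = split_filter(m.group(1))
    terms = len(TERM_RE.findall(flt))
    return {"chars": len(flt), "terms": terms, "complete": complete,
            "oversized": terms > MAX_TERMS or len(flt) > MAX_CHARS}

def scan(lines):
    """Return findings for every line whose filter exceeds a threshold."""
    found = (inspect_line(line.rstrip("\n")) for line in lines)
    return [f for f in found if f and f["oversized"]]

# Constructed sample input (placeholder IDs, not taken from a real host).
def _uid(n):
    return "(ipaUniqueID=00000000-0000-0000-0000-%012d)" % n

_PREFIX = "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with ["
SAMPLE_LOG = [
    "[ipa_sudo_fetch_cmds] (0x0400): About to fetch sudo commands",
    _PREFIX + "(&(objectClass=ipasudocmd)(|" + _uid(1) + _uid(2) + "))]",
    # Cut off mid-filter, like the excerpt in the report above.
    _PREFIX + "(&(objectClass=ipasudocmd)(|" + "".join(_uid(n) for n in range(40)),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```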


Metadata Update from @jstephen:
- Issue assigned to jstephen

2 years ago

Metadata Update from @jstephen:
- Custom field rhbz adjusted to 1486786

2 years ago

Metadata Update from @jstephen:
- Issue tagged with: PR

2 years ago

I might be wrong but is it a duplicate of https://pagure.io/SSSD/sssd/issue/3478?

@lslebodn very similar but this issue relates to sudo commands and command groups in the IPA provider, not rules retrieved in the sudo rules refresh code.

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to 1486786, https://bugzilla.redhat.com/show_bug.cgi?id=1486786 (was: 1486786)

2 years ago

Temporarily filing into 1.16.0 because I don't want to grow the 1.15.x milestone even more. But of course if the PR is reviewed sooner (and pbrezina should be on it) than 1.15.4 is released, I'll move the ticket.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.0

2 years ago

Metadata Update from @jhrozek:
- Issue priority set to: major

2 years ago

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.4 (was: SSSD 1.16.0)
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.0 (was: SSSD 1.15.4)

2 years ago
