#3507 Long search filters are created during IPA sudo command + command group retrieval
Closed: Fixed 2 years ago Opened 2 years ago by jstephen.

In large IPA environments where a high number of sudo commands and command groups are used, retrieval of sudo data can lead to SSSD constructing an overly large search filter which is not handled well on the ns-slapd side.

[sssd[be[example.com]]] [ipa_sudo_fetch_cmds] (0x0400): About to fetch sudo commands
[sssd[be[example.com]]] [sdap_search_bases_ex_next_base] (0x0400): Issuing LDAP lookup with base [cn=sudo,dc=example,dc=com]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipasudocmd)(|(ipaUniqueID=5cbdcd46-25b4-11e7-848f-005056903d23)(ipaUniqueID=3196e868-cc10-11e5-910c-005056af6b59)(ipaUniqueID=3b73dd06-719c-11e5-a20d-005056af6c53)(ipaUniqueID=f88b04be-719c-11e5-8589-005056af6c53)(ipaUniqueID=609e4a12-719c-11e5-bfe7-005056af6c53)(ipaUniqueID=a24a0712-719c-11e5-bfe7-005056af6c53)(ipaUniqueID=c8dcdef4-719c-11e5-9013-005056af6c53)(ipaUniqueID=b6374b40-719c-11e5-b580-005056af6c53)(ipaUniqueID=5e1e137a-719d-11e5-9491-005056af6c53)(ipaUniqueID=f1a3814e-719c-11e5-88b1-005056af6c53)(ipaUniqueID=08da87aa-719c-11e5-9013-005056af6c53)(ipaUniqueID=98a2b064-719d-11e5-84e8-005056af6c53)(ipaUniqueID=99a7efb0-719d-11e5-bd5c-005056af6c53)(ipaUniqueID=1cd4519c-016f-11e6-9238-005056905903)(ipaUniqueID=86e0e5ae-719c-11e5-b298-005056af6c53)(ipaUniqueID=403bb138-719c-11e5-9538-005056af6c53)(ipaUniqueID=ebfa80e2-ccd3-11e6-aac6-005056b8755d)(ipaUniqueID=a7e19a40-719d-11e5-a20d-005056af6c53)

...

and so on for every IPA sudo command applicable to the host
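
One way a client can keep each search bounded, shown as an added example (it is not SSSD's code and not necessarily how this ticket was fixed): split the ID list across several filters, each capped at an assumed `max_len`. The helper names `make_term` and `next_filter` and the 130-character cap are hypothetical; the three IDs are the first three from the log line above.

```c
#include <stdio.h>
#include <string.h>
#define HEAD "(&(objectClass=ipasudocmd)(|"
#define TAIL "))"

/* Build "(ipaUniqueID=<id>)", hex-escaping the RFC 4515 special characters. */
static int make_term(char *term, size_t size, const char *id)
{
    size_t n = (size_t)snprintf(term, size, "(ipaUniqueID=");
    for (; *id != '\0'; id++) {
        if (n + 5 > size) return -1;   /* keep room for "\XX", ")" and NUL */
        if (strchr("*()\\", *id) != NULL)
            n += (size_t)snprintf(term + n, size - n, "\\%02x", (unsigned char)*id);
        else
            term[n++] = *id;
    }
    strcpy(term + n, ")");
    return 0;
}

/* Write one filter of at most max_len characters for ids[*pos..] into out
 * (capacity max_len + 1) and advance *pos. Returns the number of IDs used,
 * 0 when the list is exhausted, -1 if not even one term fits. */
int next_filter(const char **ids, size_t count, size_t *pos, char *out, size_t max_len)
{
    char term[256];
    int used = 0;
    if (*pos >= count) return 0;
    if (max_len < strlen(HEAD) + strlen(TAIL)) return -1;
    strcpy(out, HEAD);
    for (; *pos < count; (*pos)++, used++) {
        if (make_term(term, sizeof(term), ids[*pos]) != 0) return -1;
        if (strlen(out) + strlen(term) + strlen(TAIL) > max_len) break;
        strcat(out, term);
    }
    if (used == 0) return -1;          /* cap too small for a single term */
    strcat(out, TAIL);
    return used;
}

int main(void)
{
    const char *ids[] = { "5cbdcd46-25b4-11e7-848f-005056903d23",
        "3196e868-cc10-11e5-910c-005056af6b59", "3b73dd06-719c-11e5-a20d-005056af6c53" };
    char filter[131];
    size_t pos = 0;
    while (next_filter(ids, 3, &pos, filter, 130) > 0)
        puts(filter);                  /* one bounded search per filter */
    return 0;
}
```

Each returned filter would be issued as its own search against the same base and the results merged.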


Metadata Update from @jstephen:
- Issue assigned to jstephen

2 years ago

Metadata Update from @jstephen:
- Custom field rhbz adjusted to 1486786

2 years ago

Metadata Update from @jstephen:
- Issue tagged with: PR

2 years ago

I might be wrong but is it a duplicate of https://pagure.io/SSSD/sssd/issue/3478?

@lslebodn very similar but this issue relates to sudo commands and command groups in the IPA provider, not rules retrieved in the sudo rules refresh code.

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to 1486786, https://bugzilla.redhat.com/show_bug.cgi?id=1486786 (was: 1486786)

2 years ago

Temporarily filing into 1.16.0 because I don't want to grow the 1.15.x milestone even more. But of course if the PR is reviewed sooner (and pbrezina should be on it) than 1.15.4 is released, I'll move the ticket.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.0

2 years ago

Metadata Update from @jhrozek:
- Issue priority set to: major

2 years ago

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.4 (was: SSSD 1.16.0)
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.0 (was: SSSD 1.15.4)

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4533

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
