User find-fin performs for each user:
self.obj.get_password_attributes(ldap, dn, entry_attrs)
convert_sshpubkey_post(ldap, dn, entry_attrs)
It results in the following for each user:
[02/Sep/2015:18:52:07 +0200] conn=7481 op=7 SRCH base="uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(userPassword=*)" attrs="userPassword"
[02/Sep/2015:18:52:07 +0200] conn=7481 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[02/Sep/2015:18:52:07 +0200] conn=7481 op=8 SRCH base="cn=ipaconfig,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Sep/2015:18:52:07 +0200] conn=7481 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[02/Sep/2015:18:52:07 +0200] conn=7481 op=9 SRCH base="uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[02/Sep/2015:18:52:07 +0200] conn=7481 op=9 RESULT err=0 tag=101 nentries=1 etime=0
[02/Sep/2015:18:52:07 +0200] conn=7481 op=10 SRCH base="cn=ipaconfig,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Sep/2015:18:52:07 +0200] conn=7481 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[02/Sep/2015:18:52:07 +0200] conn=7481 op=11 SRCH base="uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
If somebody increases the search size limit to e.g. 1000, it can lead to 3000 unnecessary searches.
Either add: userPassword, krbPrincipalKey, ipaSshPubKey to the search attr list or don't do the operations listed above.
The second operation is also tracked in #3376
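Added example, not part of the original ticket or FreeIPA's code: a Python check that groups base-scope searches in a 389-ds access log by connection, filter and attributes, to surface the per-entry pattern shown in the log above. The `dc=example,dc=test` suffix, the extra user names and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# SRCH line of a 389-ds access log, in the format quoted in the ticket.
SRCH_RE = re.compile(
    r'conn=(\d+) op=\d+ SRCH base="([^"]*)" scope=(\d) '
    r'filter="([^"]*)" attrs=("[^"]*"|\S+)'
)

def base_search_patterns(lines):
    """Group base-scope (scope=0) searches by (conn, filter, attrs).

    Returns {pattern: (total searches, distinct base DNs)}.
    """
    bases = defaultdict(list)
    for line in lines:
        m = SRCH_RE.search(line)
        if m and m.group(3) == "0":
            conn, base, _, flt, attrs = m.groups()
            bases[(int(conn), flt, attrs.strip('"'))].append(base.lower())
    return {k: (len(v), len(set(v))) for k, v in bases.items()}

def per_entry_fanout(lines, threshold=3):
    """Patterns that hit at least `threshold` different entries on one connection."""
    return {k: v for k, v in base_search_patterns(lines).items() if v[1] >= threshold}

def sample_log(users, suffix="dc=example,dc=test"):
    """Constructed sample: the five searches from the ticket, repeated per user."""
    ts, out, op = "[02/Sep/2015:18:52:07 +0200]", [], 7
    for uid in users:
        dn = f"uid={uid},cn=users,cn=accounts,{suffix}"
        cfg = f"cn=ipaconfig,cn=etc,{suffix}"
        for base, flt, attrs in [
            (dn, "(userPassword=*)", '"userPassword"'),
            (cfg, "(objectClass=*)", "ALL"),
            (dn, "(krbPrincipalKey=*)", '"krbPrincipalKey"'),
            (cfg, "(objectClass=*)", "ALL"),
            (dn, "(objectClass=*)", '"ipaSshPubKey"'),
        ]:
            out.append(f'{ts} conn=7481 op={op} SRCH base="{base}" scope=0 '
                       f'filter="{flt}" attrs={attrs}')
            out.append(f"{ts} conn=7481 op={op} RESULT err=0 tag=101 nentries=1 etime=0")
            op += 1
    return out

if __name__ == "__main__":
    found = per_entry_fanout(sample_log(["admin", "alice", "bob"]))
    for pattern, (total, entries) in found.items():
        print(pattern, "searches:", total, "entries:", entries)
```

The repeated `cn=ipaconfig` lookups show up in `base_search_patterns` as a high total against a single base DN, which separates redundant re-reads of one entry from per-user fan-out.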
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1268449 (Red Hat Enterprise Linux 7)
It is not possible to add userPassword, krbPrincipalKey to the search attribute list because they are derived by doing a presence check search.
ipaSshPubKey is ticket #3376
master:
Metadata Update from @pvoborni: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.4