#7933 FreeIPA must index certmap attributes.
Closed: fixed a month ago by abbra. Opened 3 months ago by firstyear.

Issue

During an investigation into filter optimisation in 389DS it was discovered that two attributes of the certmap query are unindexed. Due to the nature of LDAP filters, if any member of an OR query is unindexed, the entire OR becomes unindexed.

As a result this query is effectively:

(&
    (|
        (usercertificate;binary=)
        (ipaCertMapData=X509:<I>O=DEV.BLACKHATS.NET.AU,CN=Certificate Authority<S>O=DEV.BLACKHATS.NET.AU,CN=ipauser1)
        (altsecurityidentities=X509:<I>O=DEV.BLACKHATS.NET.AU,CN=Certificate Authority<S>O=DEV.BLACKHATS.NET.AU,CN=ipauser1)
    )
    (objectClass=posixAccount)
    (uid=*)
    (&
        (uidNumber=*)
        (!
            (uidNumber=0)
        )
    )
)

EFFECTIVE:

(&
    (objectClass=*)
    (objectClass=posixAccount)
    (uid=*)
    (&
        (uidNumber=*)
        (!
            (uidNumber=0)
        )
    )
)

This is then basically a full-table scan, which applies the filter test to the contained members.

The two attributes in question are ipaCertMapData and altsecurityidentities.

For reference, see:

https://pagure.io/freeipa/issue/7932
https://pagure.io/389-ds-base/pull-request/50252#comment-85208
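The OR rule described in this issue, as an added example that is not part of the original ticket and is not 389-DS or FreeIPA code. It parses a filter, marks an OR as unindexed when any member is unindexed, and rewrites it to `(objectClass=*)`. The function names, the sample values and the `BEFORE`/`AFTER` index sets are assumptions made for illustration.

```python
# Simplified model of the OR rule (assumption for illustration, not 389-DS code).
def parse(text):
    """Parse an LDAP filter into nested tuples; layout whitespace is dropped."""
    return _parse("".join(ln.strip() for ln in text.splitlines()), 0)[0]

def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)  # RFC 4515 escapes literal parentheses in values
    attr, _, value = s[i:end].partition("=")
    return ("item", attr, value), end + 1

def usable(node, indexed):
    """Can indexes alone produce a candidate list for this node?"""
    if node[0] == "item":
        return node[1].split(";")[0].lower() in indexed  # drop options (;binary)
    if node[0] == "|":
        return all(usable(k, indexed) for k in node[1])  # one gap spoils the OR
    if node[0] == "&":
        return any(usable(k, indexed) for k in node[1])  # modelling assumption
    return False  # NOT: modelling assumption

def effective(node, indexed):
    """Replace each OR that cannot use indexes with (objectClass=*)."""
    if node[0] == "|" and not usable(node, indexed):
        return ("item", "objectClass", "*")
    if node[0] == "item":
        return node
    return (node[0], [effective(k, indexed) for k in node[1]])

def render(node):
    if node[0] == "item":
        return f"({node[1]}={node[2]})"
    return "(" + node[0] + "".join(render(k) for k in node[1]) + ")"

# Constructed sample values; index sets are assumptions, lower-cased names.
CERTMAP_FILTER = ("(&(|(usercertificate;binary=PLACEHOLDER)"
                  "(ipaCertMapData=X509:<I>CN=Example CA<S>CN=user1)"
                  "(altsecurityidentities=X509:<I>CN=Example CA<S>CN=user1))"
                  "(objectClass=posixAccount)(uid=*))")
BEFORE = {"usercertificate", "objectclass", "uid"}
AFTER = BEFORE | {"ipacertmapdata", "altsecurityidentities"}
```

`render(effective(parse(CERTMAP_FILTER), BEFORE))` returns the collapsed form with `(objectClass=*)` in place of the OR, while the same call with `AFTER` returns the filter unchanged.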


Metadata Update from @pcech:
- Issue tagged with: Falcon

3 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3110

2 months ago

master:

  • 5a83eea Add altSecurityIdentities attribute from MS-WSPP schema definition
  • 7258995 Create indexes for altSecurityIdentities and ipaCertmapData attributes
  • 41ca4d4 certmap rules: altSecurityIdentities should only be used for trusted domains
  • 95c2b34 certmaprule: add negative test for altSecurityIdentities

ipa-4-8:

  • f955145 Add altSecurityIdentities attribute from MS-WSPP schema definition
  • 0841d8b Create indexes for altSecurityIdentities and ipaCertmapData attributes
  • 14ddf7b certmap rules: altSecurityIdentities should only be used for trusted domains
  • 2e37205 certmaprule: add negative test for altSecurityIdentities

ipa-4-7:

  • 9de1287 Add altSecurityIdentities attribute from MS-WSPP schema definition
  • 0c57ce7 Create indexes for altSecurityIdentities and ipaCertmapData attributes
  • bbed1ad certmap rules: altSecurityIdentities should only be used for trusted domains
  • 9f59b3c certmaprule: add negative test for altSecurityIdentities

ipa-4-6:

  • f8fccd5 Add altSecurityIdentities attribute from MS-WSPP schema definition
  • dc81689 Create indexes for altSecurityIdentities and ipaCertmapData attributes
  • 219fb1f certmap rules: altSecurityIdentities should only be used for trusted domains
  • 0cc8ce2 certmaprule: add negative test for altSecurityIdentities

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a month ago
