From 8a5dc1b375db94c4e722fa725f48eb16d032f1aa Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Wed, 3 Apr 2019 18:07:43 +0200
Subject: [PATCH] Adapt cert-find performance workaround for users ipa cert-find --users=NAME was slow on system with lots of certificates. User certificates have CN=$username, therefore the performance tweak from ticket 7835 also works for user certificates.
Related: https://pagure.io/freeipa/issue/7835
Fixes: https://pagure.io/freeipa/issue/7901
Signed-off-by: Christian Heimes
Reviewed-By: Fraser Tweedale
---
 ipaserver/plugins/cert.py | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 680dbecf1..6e67bb521 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1643,21 +1643,26 @@ class cert_find(Search, CertMethod):
 result = collections.OrderedDict()
 complete = bool(ra_options)
- # workaround for RHBZ#1669012
- # Improve performance for service and host case by also searching
- # for subject. This limits the amount of certificate retrieved from
- # Dogtag. The special case is only used, when no ra_options are set
- # and exactly one service or host is supplied.
- # The complete flag is left to False.
+ # workaround for RHBZ#1669012 and RHBZ#1695685
+ # Improve performance for service, host and user case by also
+ # searching for subject. This limits the amount of certificate
+ # retrieved from Dogtag. The special case is only used, when
+ # no ra_options are set and exactly one service, host, or user is
+ # supplied.
+ # IPA enforces that subject CN is either a hostname or a username.
+ # The complete flag is left to False to catch overrides.
 if not ra_options:
 services = options.get('service', ())
 hosts = options.get('host', ())
- if len(services) == 1 and not hosts:
- principal = kerberos.Principal(options['service'][0])
+ users = options.get('user', ())
+ if len(services) == 1 and not hosts and not users:
+ principal = kerberos.Principal(services[0])
 if principal.is_service:
 ra_options['subject'] = principal.hostname
- elif len(hosts) == 1 and not services:
- ra_options['subject'] = options['host'][0]
+ elif len(hosts) == 1 and not services and not users:
+ ra_options['subject'] = hosts[0]
+ elif len(users) == 1 and not services and not hosts:
+ ra_options['subject'] = users[0]
 try:
 ca_enabled_check(self.api)
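Review bot: The new `elif len(users) == 1 and not services and not hosts:` branch narrows the Dogtag query to `subject = users[0]`, so a certificate owned by that user whose subject CN is not the username is returned only if a later step adds it, and the comment's "to catch overrides" does not say what is overridden or which step does the catching. cert-find is the listing an operator works from when enumerating a user's certificates, for instance before revoking them, so a silently shortened result matters more here than the slow query did. I would make the dependency explicit, e.g. `# complete must stay False: the subject filter is only an optimisation, and owner-based results from the rest of this method still have to be merged in`, assuming that is what the code after this hunk does; the method continues past `ca_enabled_check(self.api)` outside the hunk. A test with a user certificate whose CN differs from the login name would pin the behaviour.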