Issue #1449: pki cert-find could be time consuming: add VLV index for new installations - dogtagpki

dogtagpki

#1449 pki cert-find could be time consuming: add VLV index for new installations

Closed: Fixed None Opened 8 years ago by mharmsen.

"ipa cert-find" and "pki cert-find" commands with no additional parameters could be very time consuming if there are too many certificates.

The problem is that the query the commands are doing to the dirsrv instance is not matching any exisiting vlvindex. So, the query is unindexed.

Steps to Reproduce:

do "pki cert-find" and see the access logs. We should find something like:

[09/Jun/2015:16:05:09 +0200] conn=7 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Jun/2015:16:05:09 +0200] conn=7 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=org"
[09/Jun/2015:16:05:09 +0200] conn=7 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=example,dc=org" scope=0 filter="(objectClass=*)" attrs=ALL
[09/Jun/2015:16:05:09 +0200] conn=7 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jun/2015:16:05:09 +0200] conn=7 op=4 SRCH base="cn=masters,cn=ipa,cn=etc,dc=example,dc=org" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
[09/Jun/2015:16:05:09 +0200] conn=7 op=4 RESULT err=0 tag=101 nentries=2 etime=0
[09/Jun/2015:16:05:09 +0200] conn=3 op=7 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(&(serialno=*))" attrs=ALL
[09/Jun/2015:16:05:09 +0200] conn=3 op=7 SORT serialno (14)
[09/Jun/2015:16:05:09 +0200] conn=3 op=7 VLV 0:10:A 14:14 (0)
[09/Jun/2015:16:05:09 +0200] conn=3 op=7 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[09/Jun/2015:16:05:09 +0200] conn=3 op=8 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(&(serialno=*))" attrs=ALL
[09/Jun/2015:16:05:09 +0200] conn=3 op=8 SORT serialno (14)
[09/Jun/2015:16:05:09 +0200] conn=3 op=8 VLV 0:10:0:14 1:14 (0)
[09/Jun/2015:16:05:09 +0200] conn=3 op=8 RESULT err=0 tag=101 nentries=11 etime=0 notes=U
[09/Jun/2015:16:05:10 +0200] conn=3 op=9 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(&(serialno=*))" attrs=ALL
[09/Jun/2015:16:05:10 +0200] conn=3 op=9 SORT serialno (14)
[09/Jun/2015:16:05:10 +0200] conn=3 op=9 VLV 0:10:10:14 11:14 (0)
[09/Jun/2015:16:05:10 +0200] conn=3 op=9 RESULT err=0 tag=101 nentries=4 etime=1 notes=U
[09/Jun/2015:16:05:10 +0200] conn=7 op=5 UNBIND
[09/Jun/2015:16:05:10 +0200] conn=7 op=5 fd=92 closed - U1

all the searches showing "notes=U"

The query 

base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(&(serialno=*))"

is not matching any vlvindex.

Additional info:

Workaround is to add a new vlvindex like this:

---------------------------------------------------------
dn: cn=allCertsSerial-pki-tomcat,cn=ipaca,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
vlvFilter: (&(serialno=*))
vlvScope: 1
vlvBase: ou=certificateRepository,ou=ca,o=ipaca
cn: allCertsSerial-pki-tomcat
numSubordinates: 1

dn: cn=allCertsSerial-pki-tomcatIndex,cn=allCertsSerial-pki-tomcat,cn=ipaca,cn=ldbm database,cn=plugins,cn=config
vlvUses: 0
vlvEnabled: 0
vlvSort: serialno
objectClass: top
objectClass: vlvIndex
cn: allCertsSerial-pki-tomcatIndex
-------------------------------------------------------------

+ apply it:


/var/lib/dirsrv/scripts-EXAMPLE-ORG/vlvindex -n ipaca -T  allCertsSerial-pki-tomcatIndex

edewata commented 8 years ago

Alternatively the pki cert-find command can be modified to match an existing VLV:

dn: cn=allCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
objectClass: vlvSearch
cn: allCerts-{instanceId}
vlvBase: ou=certificateRepository,ou=ca,{rootSuffix}
vlvScope: 1
vlvFilter: (certstatus=*)

edewata commented 8 years ago

Fixed in master: ac5447a8e0bac5112882be700a17a9274e322adc

Metadata Update from @mharmsen:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.6

7 years ago

dmoluguw commented 3 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2009

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata

Assignee

edewata

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

10.2.6

lowhangingfruit

None

reporter

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1229764

type

defect

version

None

keywords

None

estimate

None

feature

None

origin

IPA

proposedpriority

None

fixedinversion

None

platforms

None

blockedby

None

blocking

None

reviewer

None

component

Tools

proposedmilestone

None

dogtagpki

Source Code

#1449 pki cert-find could be time consuming: add VLV index for new installations Closed: Fixed None Opened 8 years ago by mharmsen.

Metadata

#1449 pki cert-find could be time consuming: add VLV index for new installations

Closed: Fixed None Opened 8 years ago by mharmsen.