Bug
Resolution: Unresolved
rhel-7.6
rhel-idm-ipa
Description of problem:
When the customer searches for a user via the IPA WebUI, it takes a really long time to display the user's details. The same user can be queried via CLI within a few seconds.
The ipa cert-find command also takes time to complete, and sometimes it fails with the error `Unable to communicate with CMS (500)`.
```
[root@srvlx40235 ~]# time ipa cert-find --users=p017079 --all
----------------------
0 certificates matched
----------------------
----------------------------
Number of entries returned 0
----------------------------
real 1m6.283s
user 0m0.529s
sys 0m0.095s
[root@srvlx40235 ~]#
```
The customer got 125053 entries under `ou=certificateRepository,ou=ca,o=ipaca` when the user details are displayed in the IPA WebUI.
It looks for every single certificate in the database.
```
[29/Mar/2019:13:26:41.424312347 +0100] conn=265 op=2411 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=*)" attrs=ALL
[29/Mar/2019:13:26:41.447810348 +0100] conn=265 op=2411 SORT serialno
[29/Mar/2019:13:26:41.447824289 +0100] conn=265 op=2411 VLV 0:2147483647:99990:125049 99991:125049 (0)
[29/Mar/2019:13:26:47.409452926 +0100] conn=265 op=2410 RESULT err=4 tag=101 nentries=10000 etime=15.1550448031
[29/Mar/2019:13:26:47.720526716 +0100] conn=265 op=2412 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=*)" attrs=ALL
[29/Mar/2019:13:26:47.813523986 +0100] conn=265 op=2412 SORT serialno
[29/Mar/2019:13:26:47.813541377 +0100] conn=265 op=2412 VLV 0:2147483647:49995:125049 49996:125049 (0)
[29/Mar/2019:13:26:56.972922273 +0100] conn=265 op=2411 RESULT err=4 tag=101 nentries=10000 etime=15.0548812925
[29/Mar/2019:13:26:57.490204761 +0100] conn=265 op=2413 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=*)" attrs=ALL
[29/Mar/2019:13:26:57.547431167 +0100] conn=265 op=2413 SORT serialno
[29/Mar/2019:13:26:57.547445102 +0100] conn=265 op=2413 VLV 0:2147483647:109989:125049 109990:125049 (0)
[29/Mar/2019:13:26:59.977039120 +0100] conn=265 op=2414 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[29/Mar/2019:13:26:59.977385581 +0100] conn=265 op=2414 RESULT err=0 tag=101 nentries=1 etime=0.0001801085
[29/Mar/2019:13:27:03.623850364 +0100] conn=265 op=2412 RESULT err=4 tag=101 nentries=10000 etime=15.1095023500
[29/Mar/2019:13:27:03.774106766 +0100] conn=265 op=2415 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=*)" attrs=ALL
[29/Mar/2019:13:27:03.949381244 +0100] conn=265 op=2415 SORT serialno
[29/Mar/2019:13:27:03.949395594 +0100] conn=265 op=2415 VLV 0:2147483647:59994:125049 59995:125049 (0)
[29/Mar/2019:13:27:13.444654998 +0100] conn=265 op=-1 fd=81 closed error 104 (Connection reset by peer) - TCP connection reset by peer.
```
Version-Release number of selected component (if applicable):
ipa-server-4.6.4-10.el7_6.3.x86_64
Additional info:
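
Added example, not part of the original report: one way to triage an access log like the one quoted above is to pair each SRCH with its RESULT by conn/op and flag searches that hit the size limit (err=4), run long, or never get a RESULT before the connection closes. The sample lines are constructed, the function and field names are hypothetical, and reading `etime` as decimal seconds is an assumption.

```python
import re

# Constructed sample in the access-log layout quoted in the report;
# timestamps and conn/op numbers are made up for the example.
B = 'base="ou=certificateRepository,ou=ca,o=ipaca"'
SAMPLE = f"""\
[29/Mar/2019:13:26:41.424 +0100] conn=7 op=1 SRCH {B} scope=1 filter="(certStatus=*)" attrs=ALL
[29/Mar/2019:13:26:41.447 +0100] conn=7 op=1 SORT serialno
[29/Mar/2019:13:26:41.448 +0100] conn=7 op=1 VLV 0:2147483647:99990:125049 99991:125049 (0)
[29/Mar/2019:13:26:42.000 +0100] conn=7 op=2 SRCH {B} scope=0 filter="(objectClass=*)" attrs="description"
[29/Mar/2019:13:26:42.001 +0100] conn=7 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0001801085
[29/Mar/2019:13:26:56.972 +0100] conn=7 op=1 RESULT err=4 tag=101 nentries=10000 etime=15.1550448031
[29/Mar/2019:13:27:03.774 +0100] conn=7 op=3 SRCH {B} scope=1 filter="(certStatus=*)" attrs=ALL
[29/Mar/2019:13:27:03.949 +0100] conn=7 op=3 VLV 0:2147483647:59994:125049 59995:125049 (0)
[29/Mar/2019:13:27:13.444 +0100] conn=7 op=-1 fd=81 closed error 104 (Connection reset by peer) - TCP connection reset by peer.
"""

PREFIX = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) (.*)$')

def field(rest, name):
    """Return the value of name=value or name="value" in a log line, or None."""
    m = re.search(rf'\b{name}=(?:"([^"]*)"|(\S+))', rest)
    return next(g for g in m.groups() if g is not None) if m else None

def flag_searches(log_text, min_etime=5.0):
    """Pair SRCH/VLV lines with RESULT by (conn, op); return the suspicious ones."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not an access-log operation line
        conn, op, rest = m.groups()
        key = (conn, op)
        if rest.startswith("SRCH "):
            pending[key] = {"conn": conn, "op": op, "vlv": False,
                            "base": field(rest, "base"), "filter": field(rest, "filter")}
        elif rest.startswith("VLV ") and key in pending:
            pending[key]["vlv"] = True
        elif rest.startswith("RESULT ") and key in pending:
            rec = pending.pop(key)
            rec["err"], rec["etime"] = int(field(rest, "err")), float(field(rest, "etime"))
            if rec["err"] == 4 or rec["etime"] >= min_etime:  # 4 = sizeLimitExceeded
                rec["status"] = "truncated" if rec["err"] == 4 else "slow"
                findings.append(rec)
        elif op == "-1" and "closed" in rest.split():
            # Connection closed: searches still pending on it never completed.
            for k in [k for k in pending if k[0] == conn]:
                findings.append(dict(pending.pop(k), status="no RESULT before close"))
    return findings
```

A RESULT whose SRCH falls before the start of the log window is ignored rather than guessed at.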