Bug 444117

Summary: end-user DB searching should not run as Directory Admin
Product: [Retired] Dogtag Certificate System
Reporter: Bob Lord <blord>
Component: CA
Assignee: Christina Fu <cfu>
Status: CLOSED EOL
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: unspecified
CC: jgalipea, nkinder
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2020-03-27 18:37:50 UTC
Bug Blocks: 530474

Description Bob Lord 2008-04-25 05:01:04 UTC
Description of problem:
There is a web form on the CA subsystem that allows end users to search the CA's
database for other users, certificates, and other information. Some users who
have not been trained to properly use the web form may request an LDAP query
that will take a very long time to complete and will consume CA resources.

Users are able to tax the CA because the web-form searches using privileges of
the administrator. If that function ran as a different user, it would be
possible to put timeout limits on searches to prevent intentional or
unintentional draining of CA resources.
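
A sketch of the change the report asks for, as an added example that is not part of the original bug report or of Dogtag's own configuration. It assumes the CA's internal database is 389 Directory Server, where per-entry operational attributes cap search cost for the identity that binds and where the root DN is not subject to those limits. The DN and the limit values are hypothetical.

```ldif
# Constructed example: a dedicated, low-privilege bind identity for the
# end-user search form, replacing the administrator bind.
# The DN and all limit values below are hypothetical.
dn: uid=ee-search,ou=people,o=example-ca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: ee-search
cn: End-entity search service
sn: search
# Set the password out of band; do not store it in the LDIF file.
# Abort any single search after 10 seconds of server time.
nsTimeLimit: 10
# Return at most 200 entries per search.
nsSizeLimit: 200
# Examine at most 5000 candidate entries, which bounds unindexed searches.
nsLookThroughLimit: 5000
# Drop connections that sit idle for 60 seconds.
nsIdleTimeout: 60
```

The limits only take effect once the search form binds as this entry, and the entry still needs read access (ACIs) to the subtrees the form is meant to search.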

Comment 1 Christina Fu 2008-05-06 18:52:11 UTC
Is performance issue 8.0?

Comment 2 Bob Lord 2008-05-06 20:14:08 UTC
This may require some heavy lifting.  Putting it on the 8.1 radar.