#245 allow resource limits to be set for paged searches independently of limits for other searches/operations
Closed: wontfix None Opened 10 years ago by rmeggins.


Description of problem:
FreeIPA Server fully populated with Production content (over 5000+ hosts) + any
RHEL5.7 ipa-clients with SSSD are unable to authorize ssh connections.

After troubleshooting, it appears that sssd is performing a search query that
results returning all hosts in the directory, thus hitting the 389 max
sizelimit even with paging enabled.

It won't be possible to utilize FreeIPA realistically with this conflict
between the client and server.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. Populate a 389 ds FreeIPA directory with 5000 hosts
2. Join a client to the directory.
3. Attempt to ssh into the client.

Actual results:
SSHD gets denied due to hitting a sizelimit on the returning search results.

Expected results:
SSHD should permit the login

Additional info:

commit changeset:4dc166b/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Fri Sep 30 08:30:16 2011 -0600
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: There are now 6 new configuration variables that control
global and per-user limits for simple paged result searches. If these are
not present or set to 0, the corresponding non-paged limit will be used
instead. For example, if nsslapd-pagedsizelimit is not set,
nsslapd-sizelimit will be used. This keeps the previous behavior when the
new paged limits are not set.
cn=config/operational per user
nsslapd-pagedsizelimit/nsPagedSizeLimit - maximum number of entries returned
by a paged search
cn=config,cn=ldbm database,cn=plugins,cn=config/operational per user
nsslapd-pagedlookthroughlimit/nsPagedLookThroughLimit - maximum number of
entries retrieved from the database by a simple paged result search
nsslapd-pagedidlistscanlimit/nsPagedIDListScanLimit - maximum size of an ID
list that can be loaded by a simple paged result search
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: Yes - will need to document the new attributes

Added initial screened field value.

Metadata Update from @nkinder:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.10

5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/245

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

2 years ago

Login to comment on this ticket.