#245 allow resource limits to be set for paged searches independently of limits for other searches/operations

Created 6 years ago by rmeggins
Modified 11 months ago


Description of problem:
FreeIPA Server fully populated with Production content (over 5000+ hosts) + any
RHEL5.7 ipa-clients with SSSD are unable to authorize ssh connections.

After troubleshooting, it appears that sssd is performing a search query that
results returning all hosts in the directory, thus hitting the 389 max
sizelimit even with paging enabled.

It won't be possible to utilize FreeIPA realistically with this conflict
between the client and server.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. Populate a 389 ds FreeIPA directory with 5000 hosts
2. Join a client to the directory.
3. Attempt to ssh into the client.

Actual results:
SSHD gets denied due to hitting a sizelimit on the returning search results.

Expected results:
SSHD should permit the login

Additional info:

commit changeset:4dc166b/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Fri Sep 30 08:30:16 2011 -0600
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: There are now 6 new configuration variables that control
global and per-user limits for simple paged result searches. If these are
not present or set to 0, the corresponding non-paged limit will be used
instead. For example, if nsslapd-pagedsizelimit is not set,
nsslapd-sizelimit will be used. This keeps the previous behavior when the
new paged limits are not set.
cn=config/operational per user
nsslapd-pagedsizelimit/nsPagedSizeLimit - maximum number of entries returned
by a paged search
cn=config,cn=ldbm database,cn=plugins,cn=config/operational per user
nsslapd-pagedlookthroughlimit/nsPagedLookThroughLimit - maximum number of
entries retrieved from the database by a simple paged result search
nsslapd-pagedidlistscanlimit/nsPagedIDListScanLimit - maximum size of an ID
list that can be loaded by a simple paged result search
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: Yes - will need to document the new attributes

Added initial screened field value.

11 months ago

Metadata Update from @nkinder:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.10

Login to comment on this ticket.


Database - General