[Fedora-directory-users] strange problem with group of more than 2000 users

Mon Oct 3 16:34:41 UTC 2005

Basile,

It is probably not an issue of the bind time limit, since this limit 
defines how long to wait when attempting to connect to your directory 
server.  It sounds like your client is able to connect.

I doubt it's the search time limit, since 800 is not a huge number of 
entries.  It would be easy to confirm this by increasing the search time 
limit to something big (say 300 seconds).

Your results make me think you are bumping into a 4096 character limit 
for posix groups on your client OS.
Assume your average username is 6 characters long.
Then:
643 * 6 = 3858 chars  (works)
800 * 6 = 4800 chars  (doesn't work)

What client OS are you using for your tests?

-- George

basile au siris wrote:

> i did a test
> with 643 users it works
> with 800 users it don t works
> could it be timers problem ( time_search_limit or time_bind_limit for 
> proxyagent wich is used
> to query directory )
> basile
>
> basile au siris wrote:
>
>> thanks
>> i set the sizelimit to -1 but it don t  works better
>> i set nssizelimit to -1 of the proxyagent which is used to bind to 
>> the directory but same result
>> i look at the logs and when i use id or getent there is directory query
>> it seems crazy i can t have more than 2000 users in a group
>> i search the limit of users i can have
>> basile
>>
>> Jeff Clowser wrote:
>>
>>> It could be a limit on the sizes of groups, etc in Solaris.
>>>
>>> To check to see if it's LDAP related, look at the ldap access logs 
>>> for queries related to that group or coming from that machine.  
>>> Anyway, 2000 I believe is the default sizelimit for searches, so 
>>> look for entries with 2000 results, if it's consistently failing at 
>>> 2000 users.  If it's just reading the group with 2000+ static 
>>> members (1 entry), then maybe reading each user individually (1 
>>> entry/search), it shouldn't hit a resource limit.  But...  if it 
>>> reads the group, then searches for all users with that group id, or 
>>> something similar, it may hit the administrative limits.
>>>
>>> For a simple test, you could up the sizelimit (say to 10000 or -1) 
>>> on the directory server and see if the problem goes away.
>>>
>>> If you find something like this, there are a couple ways to fix it:
>>> 1.  Up your server administrative sizelimit (to a higher number, or 
>>> -1 for unlimited).  This should be a last resort, since it allows 
>>> anyone (even anonymous) to make unlimited size searches against your 
>>> directory.  If your directory is large, that could cause problems.
>>> 2.  If the solaris box is binding as a particular DN to search, you 
>>> can add the nsSizeLimit to that entry, and set it to a higher value 
>>> (or -1 for unlimited).
>>> 3.  If it binds as the end user, you can add nsSizelimit to each 
>>> user that can log in.  This is a bit more of a pain to do since you 
>>> have to do it for all users, but is better than increasing the limit 
>>> for the entire server, in general.
>>>
>>> - Jeff
>>>
>>> basile au siris wrote:
>>>
>>>> hi
>>>> i have fds 7.1 on solaris 9 and users and group stored in the 
>>>> directory
>>>> all works fine except for a group of more than 2000 users
>>>> when i use id or getent system did not recognize the group
>>>> maybe it s not a fds problem but if someone can give me an idea
>>>> thanks
>>>> basile
>>>>
>>>> -- 
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>>>
>>>
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>