[Freeipa-users] ipa user-find

Rich Megginson rmeggins at redhat.com
Fri Oct 26 13:25:43 UTC 2012


On 10/25/2012 08:33 PM, Steven Jones wrote:
> I hadn't restarted but now I have, no difference.
>
> wc -l says 10000 but every other line is a blank, so yes 5000 seems likely.
>
> There are just under 6000 AD users....2 servers as this is in the test environment to test winsync and passync....both are working as far as I can tell with the backported rpms.
Ok.  You may be running into https://fedorahosted.org/389/ticket/446

I believe ipa enables the anonymous limits feature.   I suggest 
increasing these limits.

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Friday, 26 October 2012 3:22 p.m.
> To: Steven Jones
> Subject: Re: [Freeipa-users] ipa user-find
>
> On 10/25/2012 07:30 PM, Steven Jones wrote:
>> 40000
> Both idlistscanlimit and lookthroughlimit?  And you're still hitting a
> limit of 5000 entries?
> How many entries in your database?
> Have you tried restarting dirsrv?
>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Rich Megginson [rmeggins at redhat.com]
>> Sent: Friday, 26 October 2012 2:22 p.m.
>> To: Steven Jones
>> Subject: Re: [Freeipa-users] ipa user-find
>>
>> On 10/25/2012 07:14 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> Screenshot of access log output attached.
>> You increased the idlistscanlimit and lookthroughlimit?
>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: Rich Megginson [rmeggins at redhat.com]
>>> Sent: Friday, 26 October 2012 10:24 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] ipa user-find
>>>
>>> On 10/25/2012 02:46 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> yes figured it....
>>>>
>>>> even at 20000 I'm still getting an administrative size limit exceeded (11)
>>> This means you're either hitting the lookthroughlimit and/or the
>>> idlistscanlimit.
>>>
>>> The idlistscanlimit is described here -
>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Database_Plug_in_Attributes.html#nsslapd_idlistscanlimit
>>>
>>> I suggest changing the value to be 2 times as large as the number of
>>> entries in your database, just to be safe:
>>>
>>> ldapmodify -x -D "cn=directory manager" -W<<EOF
>>> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
>>> changetype: modify
>>> replace: nsslapd-idlistscanlimit
>>> nsslapd-idlistscanlimit: a big number
>>> EOF
>>>
>>> If you still have a problem, it means ipa is doing an unindexed search,
>>> and you will have to increase the lookthroughlimit for the ipa admin
>>> user.  I'm not sure how/where ipa does that.  You can set the global
>>> limit for all users like this:
>>>
>>> ldapmodify -x -D "cn=directory manager" -W<<EOF
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-lookthroughlimit
>>> nsslapd-lookthroughlimit: a big number
>>> EOF
>>>
>>> In case you are wondering what all of this gibberish is
>>>
>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Indexes.html#About_Indexes-Overview_of_the_Searching_Algorithm
>>>
>>> When the directory server cannot load the IDs of the search results into
>>> an ID list, either due to hitting the idlistscanlimit, or the search is
>>> unindexed (and therefore there is no index to load the ID list), the
>>> server must fall back to searching through every entry in the database.
>>> It will only look through nsslapd-lookthroughlimit number of entries
>>> before giving up and returning err=11.
>>>
>>> Can you take a look at the directory server access log at
>>> /var/log/dirsrv/slapd-INST/access and look for the corresponding SRCH
>>> operation and the RESULT of that search operation and please post it?
>>>
>>>> :(
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> ________________________________________
>>>> From: Rich Megginson [rmeggins at redhat.com]
>>>> Sent: Friday, 26 October 2012 9:44 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] ipa user-find
>>>>
>>>> On 10/25/2012 02:37 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> I've tried,
>>>>>
>>>>> dn: cn=default instance config,cn=config,cn=plugins
>>>>>
>>>>> and,
>>>>>
>>>>> dn: cn=default instance config,cn=config,cn=plugins,cn=config
>>>> Try
>>>> dn: cn=config
>>>>> and get no such object (32)
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> ________________________________________
>>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>>> Sent: Thursday, 25 October 2012 4:16 p.m.
>>>>> To: Steven Jones
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] ipa user-find
>>>>>
>>>>> Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> How do I bind as the directory manager?  I've tried and I can't figure out how.
>>>>> Assuming you're running on the same host as IPA:
>>>>>
>>>>> $ ldapmodify -x -D 'cn=directory manager' -W
>>>>> dn: cn=default instance config,cn=chaining database,cn=plugins,cn=config
>>>>> changetype: modify
>>>>> replace: nsslapd-sizelimit
>>>>> nsslapd-sizelimit: 8000
>>>>>
>>>>> ^D
>>>>>
>>>>> And yes, that's an extra blank line after 8000.
>>>>>
>>>>>> and how do I get the web ui to return all users so I can see if the winsync is working, it's a test bed so I need to do a side by side comparison....
>>>>> You'll need to modify the size limit in the IPA configuration screen.
>>>>> IPA Server -> Configuration -> Search size limit
>>>>>
>>>>> rob
>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> ________________________________________
>>>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>>>> Sent: Thursday, 25 October 2012 3:40 p.m.
>>>>>> To: Steven Jones
>>>>>> Cc: freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] ipa user-find
>>>>>>
>>>>>> Steven Jones wrote:
>>>>>>> When doing the above it only returns 2000, I have 6000
>>>>>>>
>>>>>>> How to get it to return 6000+?
>>>>>> There are two size limits. One is a global limit in 389-ds-base,
>>>>>> nsslapd-sizelimit which defaults to 2000.
>>>>>>
>>>>>> IPA has its own search limit which you can also set globally, or
>>>>>> override it on the command line (which I'll do below).
>>>>>>
>>>>>> You'll need to bind as Directory Manager to change nsslapd-sizelimit
>>>>>> then you can run:
>>>>>>
>>>>>> ipa user-find --sizelimit=8000
>>>>>>
>>>>>> I don't believe any services need to be restarted for this to take effect.
>>>>>>
>>>>>> We generally discourage enumerating all entries for performance reasons
>>>>>> which is why by default the IPA size limit is 100.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
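
The access-log check requested in the thread (find the SRCH operation and its RESULT), as an added example that is not part of the original messages. It assumes the usual 389-ds access log layout of `conn=N op=N SRCH ...` and `conn=N op=N RESULT err=N ... notes=U`; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pair each SRCH line with its RESULT
# line by conn/op and report searches that hit a server-side limit.
#   err=11  administrative limit exceeded (lookthroughlimit / idlistscanlimit)
#   err=4   standard LDAP sizeLimitExceeded (the nsslapd-sizelimit case)
#   notes=U the server flagged the search as unindexed
# Usage: find_limit_hits /var/log/dirsrv/slapd-INST/access   (or pipe on stdin)
find_limit_hits() {
    awk '
    {
        # conn= and op= appear before the operation keyword; take the first of each.
        conn = ""; op = ""
        for (i = 1; i <= NF; i++) {
            if (conn == "" && $i ~ /^conn=[0-9]+$/) conn = $i
            else if (op == "" && $i ~ /^op=[0-9]+$/) op = $i
        }
        if (conn == "" || op == "") next
        key = conn " " op
    }
    / SRCH / {
        # Remember base, scope, filter and attrs until the RESULT arrives.
        srch[key] = substr($0, index($0, " SRCH ") + 6)
        next
    }
    / RESULT / {
        err = ""; n = ""; notes = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^err=/) err = substr($i, 5)
            else if ($i ~ /^nentries=/) n = substr($i, 10)
            else if ($i ~ /^notes=/) notes = substr($i, 7)
        }
        if (err == "11" || err == "4" || notes ~ /U/)
            printf "%s err=%s nentries=%s notes=%s %s\n", key, err, n, notes,
                   ((key in srch) ? srch[key] : "(SRCH line not seen)")
        delete srch[key]
    }' "$@"
}

# Constructed sample lines, not taken from the poster's server.
sample_log() {
    cat <<'EOF'
[26/Oct/2012:14:10:02 +1300] conn=12 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(objectClass=posixaccount)" attrs=ALL
[26/Oct/2012:14:10:02 +1300] conn=13 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=admin)" attrs="uid"
[26/Oct/2012:14:10:02 +1300] conn=13 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[26/Oct/2012:14:10:05 +1300] conn=12 op=1 RESULT err=11 tag=101 nentries=5000 etime=3 notes=U
EOF
}

sample_log | find_limit_hits
```

A reported line with `err=11` and `notes=U` corresponds to the unindexed-search fallback described in the thread, where `nsslapd-lookthroughlimit` is the limit being hit.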



