[Freeipa-users] Questions about nsslapd-sizelimit

Rob Crittenden rcritten at redhat.com
Mon May 4 13:53:47 UTC 2015


John Desantis wrote:
> Hello all!
> 
> I believe I may be falling victim to the nsslapd-sizelimit's default
> setting of 2,000.
> 
> I've been wondering why some JSON calls to IPA (3.0.37, user_find)
> have been failing to show all user accounts in the results.  Checking
> the FreeIPA admin UI, I can clearly find the users in question, but no
> matter what changes I set in the UI or on the console with search
> record limits and time limits, only 2,000 entries are ever returned.
> A final test this morning by adding an account via the UI did not
> augment the 2,000 entries returned in the user list;  searching for
> the user on the console with 'ipa user-show y* --all' and via the
> search frame in the UI found the user.
> 
> Looking over the documentation, it's stated that you can use the UI to
> update the limits.  However, the limit is already set at 10,000 for
> the number of records to be returned, and the time limit is set at 60.
> The current dse.ldif states that the nsslapd-sizelimit is 2,000.
> 
> Is it possible that IPA isn't respecting this value since the constant
> number is 2,000?  Is it safe to change this value via an ldapmodify?
> 
> Thank you!
> John DeSantis
> 

Why do you need to return > 2000 users at one time?

IPA purposely limits the number of entries returned by default (100)
specifically to discourage enumeration which is expensive.

It is safe to modify this value using ldapmodify. Increasing the value
is not recommended.

rob
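Rob's answer names the mechanism (an ldapmodify against cn=config) but not the commands, and the thread is actually about two limits stacked on top of each other: FreeIPA's own search records limit (the 100 he mentions, changed with `ipa config-mod --searchrecordslimit`) is enforced by the IPA framework, while nsslapd-sizelimit is enforced by 389 Directory Server on the bound identity, so whichever is lower wins. 389 DS also honours a per-entry nsSizeLimit on the bind DN, which overrides the global value for that account. The script below is an added example, not code from the thread or from the FreeIPA project; it shows how to read the current global value, generate the LDIF so it can be reviewed before it touches the server, and apply it with the OpenLDAP client tools. The LDAP URI, the bind DN and the value 5000 used in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: inspect and change
# the global 389 Directory Server search size limit that FreeIPA runs on.
# Placeholders (hypothetical): LDAP_URI, BIND_DN and the limit argument.

LDAP_URI="${LDAP_URI:-ldap://localhost}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# nsslapd-sizelimit accepts a non-negative integer, or -1 for "no limit".
validate_limit() {
    case "$1" in
        -1) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the LDIF that ldapmodify consumes. Kept separate from the network call
# so the change can be reviewed (or compared with dse.ldif) before applying.
make_sizelimit_ldif() {
    validate_limit "$1" || {
        printf 'invalid nsslapd-sizelimit value: %s\n' "$1" >&2
        return 1
    }
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-sizelimit\nnsslapd-sizelimit: %s\n' "$1"
}

# Read the current value from the live server (prompts for the bind password).
show_current_sizelimit() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b cn=config -s base nsslapd-sizelimit
}

# Apply the change. cn=config is live configuration: the new value takes
# effect without a restart and the server writes it back to dse.ldif.
apply_sizelimit() {
    ldif=$(make_sizelimit_ldif "$1") || return 1
    printf '%s\n' "$ldif" | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W
}

# Stand-alone use:
#   sh sizelimit.sh 5000               # print the LDIF only
#   LDAP_APPLY=1 sh sizelimit.sh 5000  # apply it to the server
if [ "$#" -gt 0 ]; then
    if [ "${LDAP_APPLY:-0}" = 1 ]; then
        apply_sizelimit "$1"
    else
        make_sizelimit_ldif "$1"
    fi
fi
```

Running `show_current_sizelimit` before and after the modify confirms the server took the change; if a particular account still stops at 2,000, check that account's entry for an nsSizeLimit attribute, and check the IPA search records limit, since either one caps the result independently of the global setting.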
