[Freeipa-users] Questions about nsslapd-sizelimit

John Desantis desantis at mail.usf.edu
Mon May 4 14:01:00 UTC 2015


Rob,

Thanks for your reply.

My predecessor had written code to pull user entries from the realm in
order to verify that:

1.)  A home directory is created (if not already) and the correct
ownership is applied;
2.)  A work directory (Lustre) is created (if not already) and the
correct ownership is applied.

Given what you've said, I'll perform a work-around within the code to
get a list of active users from a database table vs. the current
method.

John DeSantis

2015-05-04 9:53 GMT-04:00 Rob Crittenden <rcritten at redhat.com>:
> John Desantis wrote:
>> Hello all!
>>
>> I believe I may be falling victim to the nsslapd-sizelimit's default
>> setting of 2,000.
>>
>> I've been wondering why some JSON calls to IPA (3.0.37, user_find)
>> have been failing to show all user accounts in the results.  Checking
>> the FreeIPA admin UI, I can clearly find the users in question, but no
>> matter what changes I set in the UI on the console with search
>> record limits and time limits, only 2,000 entries are ever returned.
>> A final test this morning by adding an account via the UI did not
>> augment the 2,000 entries returned in the user list; searching for
>> the user on the console with 'ipa user-show y* --all' and via the
>> search frame in the UI found the user.
>>
>> Looking over the documentation, it's stated that you can use the UI to
>> update the limits.  However, the limit is already set at 10,000 for
>> the number of records to be returned, and the time limit is set at 60.
>> The current dse.ldiff states that the nsslapd-sizelimit is 2,000.
>>
>> Is it possible that IPA isn't respecting this value since the constant
>> number is 2,000?  Is it safe to change this value via an ldapmodify?
>>
>> Thank you!
>> John DeSantis
>>
>
> Why do you need to return > 2000 users at one time?
>
> IPA purposely limits the number of entries returned by default (100)
> specifically to discourage enumeration which is expensive.
>
> It is safe to modify this value using ldapmodify. Increasing the value
> is not recommended.
>
> rob
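As an added illustration (not code from this thread, nor from FreeIPA itself): a small Python parser for a user_find JSON-RPC reply that checks the reply's truncated flag, so a provisioning job like the one described above fails loudly instead of silently skipping every account past the server's size limit. The sample uids and the make_response helper are constructed for the example; the result/count/truncated keys follow the shape of FreeIPA's user_find output.

```python
import json


class TruncatedResult(Exception):
    """Raised when user_find hit a search limit and dropped entries."""


def make_response(entries, truncated):
    # Build a reply shaped like FreeIPA's JSON-RPC user_find output
    # (result/count/truncated). Used here only to construct sample data.
    return json.dumps({
        "result": {"result": entries, "count": len(entries),
                   "truncated": truncated,
                   "summary": "%d users matched" % len(entries)},
        "error": None, "id": 0,
        "principal": "admin@EXAMPLE.COM", "version": "3.0.0",
    })


# Constructed sample accounts (hypothetical uids, not real users).
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "uidnumber": ["1001"], "gidnumber": ["1001"],
     "homedirectory": ["/home/alice"]},
    {"uid": ["bob"], "uidnumber": ["1002"], "gidnumber": ["1002"],
     "homedirectory": ["/home/bob"]},
]
TRUNCATED_RESPONSE = make_response(SAMPLE_ENTRIES, truncated=True)
COMPLETE_RESPONSE = make_response(SAMPLE_ENTRIES, truncated=False)


def parse_user_find(raw, allow_truncated=False):
    """Return one dict per user from a user_find reply.

    A truncated result is refused unless the caller opts in, so a script
    that creates home directories cannot quietly miss the accounts that
    the server never returned.
    """
    data = json.loads(raw)
    if data.get("error"):
        raise RuntimeError("user_find failed: %r" % (data["error"],))
    res = data["result"]
    if res.get("truncated") and not allow_truncated:
        raise TruncatedResult(
            "only %d entries returned; the search hit a size limit, "
            "narrow the query or use another source of truth"
            % res.get("count", len(res["result"])))
    return [{"uid": e["uid"][0],
             "uidnumber": int(e["uidnumber"][0]),
             "gidnumber": int(e["gidnumber"][0]),
             "home": e["homedirectory"][0]} for e in res["result"]]
```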
