[Freeipa-users] Can't set nsslapd-sizelimit

Alexander Bokovoy abokovoy at redhat.com
Tue May 17 10:59:01 UTC 2016


On Mon, 16 May 2016, Giuseppe Sarno wrote:
>Hello,
>I am new to freeIPA and I am recently working on a project to integrate
>freeIPA with some legacy application which uses LDAP for user
>management.  I have initially created our own ldap structure and I
>tried to run the code against freeIPA/389DS. While running this example
>I noticed that 389DS takes quite some time to load profile data from
>the different ldap nodes (~2000 entries). In a previous prototype using
>OpenDJ we had to increase the parameter ds-cfg-size-limit: to ~1000
>with good results. I am wondering now whether we can do the same for
>the freeIPA/389DS server. I found the following pages but I could not
>work out what the exact command should be to modify those parameters.
>
>https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>
>http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html
>
>I attempted the following but received an ObjectClass violation:
>
>[centos@ldap-389ds-ireland ~]$ ldapmodify  -h ldap-389ds-ip -D "cn=Directory Manager" -w '<password>' -f slimit
>modifying entry "dc=ldap,dc=adeptra,dc=com"
>ldap_modify: Object class violation (65)
>        additional info: attribute "nsslapd-sizelimit" not allowed
>
>slimit:
>dn: dc=ldap,dc=example,dc=com
>changetype: modify
>add:nsslapd-sizelimit
>nsslapd-sizelimit: 1000
>
>I also attempted using a user dn but with the same result.

nsslapd-sizelimit is either set globally in cn=config or should be set
per bind DN entry. Your dc=ldap,dc=adeptra,dc=com is not an entry that
can be used for an LDAP BIND operation; a user entry would be usable.

But if your intent was to set it globally, just set it for a DN named
cn=config.

-- 
/ Alexander Bokovoy
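
The two placements described in the reply, written as LDIF. This is an added example, not part of the original thread: the application DN is a constructed placeholder, and the per-entry attribute name nsSizeLimit comes from 389 Directory Server's per-bind-DN resource limits rather than from the message.

```ldif
# Global limit, set on cn=config as the reply suggests.
# cn=config already carries a value for nsslapd-sizelimit, so the
# modification is "replace" rather than the "add" used in the question.
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 1000

# Per-bind-DN limit, set on the entry the legacy application binds as.
# The DN is a constructed placeholder; substitute the real service account.
# nsSizeLimit is the per-entry counterpart of the global setting (assumption
# taken from 389 DS resource-limit attributes, not from the thread).
dn: uid=legacyapp,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: nsSizeLimit
nsSizeLimit: 1000
```

Either record can be applied with the same ldapmodify invocation shown in the question, bound as cn=Directory Manager. Leaving the global value alone and raising the limit only on the application's bind DN keeps the result-size cap in place for every other client.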



