[Freeipa-users] Can't set nsslapd-sizelimit

Petr Spacek pspacek at redhat.com
Tue May 17 11:28:27 UTC 2016


On 16.5.2016 23:19, Giuseppe Sarno wrote:
> Hello,
> I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management.
> I have initially created our own ldap structure and I tried to run the code against freeIPA/389DS. While running this example I noticed that 389DS takes quite some time to load profile data from the different ldap nodes (~2000 entries). In a previous prototype using OpenDJ we had to increase the parameter ds-cfg-size-limit: to ~1000 with good results. I am wondering now whether we can do the same for the freeIPA/389DS server. I found the following pages but I could not work out what the exact command should be to modify those parameters.
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
> 
> http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html
> 
> I attempted the following but received an ObjectClass violation:
> 
> [centos@ldap-389ds-ireland ~]$ ldapmodify  -h ldap-389ds-ip -D "cn=Directory Manager" -w '<password>' -f slimit
> modifying entry "dc=ldap,dc=adeptra,dc=com"
> ldap_modify: Object class violation (65)
>         additional info: attribute "nsslapd-sizelimit" not allowed

System-wide config is stored in "cn=config".

For further details please see
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Finding_Directory_Entries.html#Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line

Petr^2 Spacek


> slimit:
> dn: dc=ldap,dc=example,dc=com
> changetype: modify
> add:nsslapd-sizelimit
> nsslapd-sizelimit: 1000
> 
> I also attempted using a user dn but with the same result.
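
Added example, not part of the original thread: the `slimit` file from the question retargeted at "cn=config" as the reply directs, followed by a per-account alternative using the 389 DS operational attribute nsSizeLimit (the subject of the linked "resource limits based on the bind DN" guide). The service-account DN is a hypothetical placeholder; the value 1000 is the one from the question.

```ldif
# Server-wide search size limit. The attribute belongs to the cn=config entry,
# not to the suffix or a user entry, which is why the original attempt failed
# with "attribute not allowed". "replace" works whether or not a value is set.
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 1000

# Alternative: leave the server-wide limit alone and set the limit only for
# the account the legacy application binds as. nsSizeLimit is an operational
# attribute, so it is accepted on a user entry without extra object classes.
# The DN below is a hypothetical placeholder for that bind account.
dn: uid=legacyapp,cn=sysaccounts,cn=etc,dc=ldap,dc=example,dc=com
changetype: modify
replace: nsSizeLimit
nsSizeLimit: 1000
```

The server-wide value applies to every client that has no limit of its own, so the per-account form keeps the change scoped to the one application that needs larger result sets.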



