URL: https://github.com/freeipa/freeipa/pull/6004
Author: rcritten
Title: #6004: [Backport][ipa-4-9] Increase default limit on LDAP searches to 100k
Action: opened
PR body:
"""
This PR was opened manually because PR #5985 was pushed to master and backport to ipa-4-9 is required. There was a merge conflict in the attribute overrides in ipapython/ipaldap.py but the resulting change, plus or minus a few line numbers, is identical to the change in master. Adding the ack flag.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6004/head:pr6004
git checkout pr6004

From d413c968d0151be54d27c92d1e385e3d6c93f343 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Thu, 19 Aug 2021 16:45:14 -0400 Subject: [PATCH] Increase default limit on LDAP searches to 100k A similar change was attempted years ago in commit 9724251292e4c0797367fcc351a9f16f30c6aefe but it was never applied because it used the wrong DN and because nsslapd-timelimit is already present in the entry the default keyword won't trigger. Use replace instead to increase the value to 100k from the default as originally intended. nsslapd-sizelimit can be changed only with a MOD_REPLACE otherwise a LDAP_NO_SUCH_ATTRIBUTE error is thrown. IPA only uses MOD_REPLACE for single-value attributes but nsslapd-sizelimit is not yet in schema. Add it to the known set of exceptions for single-value attributes. https://pagure.io/freeipa/issue/8962 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- install/updates/10-config.update | 2 +- ipapython/ipaldap.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/install/updates/10-config.update b/install/updates/10-config.update index dec42c0254b..40347668706 100644 --- a/install/updates/10-config.update +++ b/install/updates/10-config.update @@ -16,7 +16,7 @@ only: nsslapd-pluginPrecedence: 60 # Set limits to suite better IPA deployment sizes, defaults are too # conservative dn: cn=config -default: nsslapd-sizelimit:100000 +replace: nsslapd-sizelimit:2000::100000 dn: cn=config,cn=ldbm database,cn=plugins,cn=config replace: nsslapd-lookthroughlimit:5000::100000 diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 7d2b06eeac5..f94b784d680 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -763,6 +763,7 @@ class LDAPClient: 'nsslapd-enable-upgrade-hash': True, 'nsslapd-db-locks': True, 'nsslapd-logging-hr-timestamps-enabled': True, + 'nsslapd-sizelimit': True, }) time_limit = -1.0 # unlimited
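
Review bot: in install/updates/10-config.update, the added `replace: nsslapd-sizelimit:2000::100000` line names 2000 as the value to swap out, so a server whose size limit was already changed to anything else keeps its current value and never reaches 100000. If that is the intent, state it in the comment above `dn: cn=config` so the behaviour is not mistaken for a failed update, and fix "suite" to "suit" in that comment while it is being touched. The commit message says nsslapd-timelimit is already present in the entry, while the attribute changed here is nsslapd-sizelimit; please confirm which one was meant.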
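
Review bot: in ipapython/ipaldap.py, the added `'nsslapd-sizelimit': True,` entry carries no comment saying why it belongs in the single-value exceptions. The commit message gives the reason (the attribute is not yet in schema and can only be changed with MOD_REPLACE); a short comment next to the entry recording that would let it be dropped once the schema defines the attribute.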