On 02/19/2018 07:55 AM, Florence Blanc-Renaud wrote:
On 02/19/2018 12:01 PM, Bret Wortman via FreeIPA-users wrote:
On 02/16/2018 11:54 AM, Florence Blanc-Renaud wrote:
On 02/15/2018 06:42 PM, Bret Wortman via FreeIPA-users wrote:
On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote:
On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote:
On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote:
On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote:
On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote:


On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote:
On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 02/14/2018 05:58 PM, Bret Wortman wrote:
On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote:
On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote:
I did figure out that I can use

# ldapsearch -D 'directory manager' -W -E pr=20000 -b idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com

to list out all the entries, but the format isn't what I'm expecting.

What I'm actually trying to do is move our whole infrastructure from one set of old & busted servers to some shiny new VMs. We'd like to extract the data and start fresh, as our replication agreements just don't seem to be working as expected. Changes to one don't always make it to the other and vice versa. While I'd love to dig in and solve that, it's easier right now to try to extract the data and reload it into a new server, build new replicas, then unbind & re-bind every client to the new server using ansible since we also lost our internal CA in the process.

So while our current configuration is a mess, we can't afford to lose all the host/user/dns/hbac data in our servers. Thus, I've been capturing the output to text using various ipa *-find commands and have parsers to turn those back into new entries on the fresh hosts. DNS is the only thing that's holding me up.


Bret


On 02/14/2018 06:33 AM, Bret Wortman wrote:

Also, this doesn't solve the fact that the Web UI always produces an error dialog whenever accessing our primary zone.


On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:


On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo <natxo.ase...@gmail.com <mailto:natxo.ase...@gmail.com>> wrote:


    the canonical way to do this is using ldap paging, with     ldapsearch  you could try using the -E pr=xxxx parameter, where     xxxx could be 1000 for instance. That way you know you are always
    under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to continue, nicer for scripts obviously.

--
Groeten,
natxo


_______________________________________________
FreeIPA-users mailing list --freeipa-users@lists.fedorahosted.org To unsubscribe send an email tofreeipa-users-le...@lists.fedorahosted.org




_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi Bret,

the search limits can be set at multiple levels:
- for the whole 389-ds server
nsslapd-sizelimit (in cn=config)
nsslapd-lookthroughlimit (in cn=config,cn=ldbm database,cn=plugins,cn=config)

- for operations performed through ipa * commands (or the webGUI):
ipaSearchRecordsLimit (in cn=ipaConfig,cn=etc,$BASEDN)

- for each user:
nssizelimit and nsLookThroughLimit attributes (in uid=$USER,cn=users,cn=accounts,$BASEDN)

You are probably hitting one of these limits in your ipa *-find command.

HTH,
Flo


So I found almost all of these:

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config' cn=config | grep nsslapd-sizelimit
nsslapd-sizelimit: 2000

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config,cn=ldbm database,cn=plugins,cn=config' | grep lookthroughlimit
nsslapd-lookthroughlimit: 100000

# ldapsearch -D 'cn=directory manager' -W -b 'cn=ipaConfig,cn=etc,dc=damascusgrp,dc=com' | grep ipaSearchRecordsLimit
ipaSearchRecordsLimit: 99999

# ldapsearch -D 'cn=directory manager' -W -b 'uid=admin,cn=users,cn=accounts,dc=damascusgrp,dc=com' | grep -i limit
(returns data but nothing matches)

Hi,

nsSizeLimit and nsLookThroughLimit are operational attributes, meaning that a standard ldapsearch will not return them. You need either to specifically request them by providing them in the attributes list:

$ ldapsearch -D 'cn=directory manager' -W -b $BASE nssizelimit nslookthroughlimit

or you can also specify + instead of the attributes in order to get all operational attributes:
$ ldapsearch -D 'cn=directory manager' -W -b $BASE +

HTH,
Flo

The first doesn't seem to be something I can change. It's stuck at 2000, but since my issue occurs at 5000, I'm not worried about it. I believe that I'm missing something in the fourth search that might point me toward the attributes you mentioned but I'm not sure where.


The 5000 limit rings a bell to me. It is the anonymous size limit. Can you check: $ ldapsearch -D 'cn=directory manager' -W -b cn=config -s base nsslapd-anonlimitsdn

it will provide you with a DN of the entry defining the anonymous limits (usually cn=anonymous-limits,cn=etc,$BASEDN), then:

$ ldapsearch -D 'cn=directory manager' -W -b cn=anonymous-limits,cn=etc,$BASEDN nsSizeLimit nsLookThroughLimit

Now we should check the access log (/var/log/dirsrv/slapd-xxx/access) corresponding to your command to retrieve the DNS entries, and ensure which user identity is actually performing the search.

Flo

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


Both those limits are 5000.

What should I be looking for in the access log? It gets a lot of traffic and narrowing down exactly which entry represents the original search is challenging. I'd rather not post the whole thing because it's pretty large & noisy.

Hi,

you can perform the ipa dnsrecord-find --all command, while tail'ing the access log. I will be interested in the lines containing the SEARCH with a err=4 (size limit exceeded). For this SEARCH, please note the connection number (conn=xx) and find the BIND for the same connection number (it will be located before the SEARCH). For each line (BIND and SEARCH) both the operation and the RESULT are interesting, for instance when doing ipa user-find:

[date] conn=514 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO [date] conn=514 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0004754873 dn="uid=admin,cn=users,cn=accounts,$BASEDN"
...
[date] conn=514 op=2 SRCH base="cn=users,cn=accounts,$BASEDN" scope=1 filter="(objectClass=posixaccount)" attrs="krbCanonicalName loginShell sshpubkeyfp gidNumber homeDirectory uidNumber uid givenName title sn krbPrincipalName mail nsAccountLock telephoneNumber ipaSshPubKey" [date] conn=514 op=2 RESULT err=0 tag=101 nentries=6 etime=0.0006313857

Flo

Bret
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahos
Is this what you're after?

conn=121474 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer naming Contexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
conn=121474 op=0 RESULT err=0 tag=101 nentries=1 etime=0
conn=121474 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=121474 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=121474 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=121474 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=121474 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=121474 op=3 RESULT err=0 tag=101 nentries=0 etime=0 dn="fqdn=loader4.my.net,cn=computers,cn=accoutns,dc=my,dc=net"
:
conn=121474 op=3033 SRCH base="cn=accounts,dc=my,dc=net" scope=2 filter="(&(objectClass=ipaHost)(fqdn=sfile6.my.net))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID" conn=121474 op=3033 RESULT err=0 tag=101 nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Hi,

the command ipa dnsrecord-find should create a trace similar to the following:

[date] conn=538 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO [date] conn=538 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0004778829 dn="uid=admin,cn=users,cn=accounts,$BASEDN"
...
[date] conn=538 op=7 SRCH base="idnsname=$ZONE,cn=dns,$BASEDN" scope=2 filter="(&(objectClass=top)(objectClass=idnsrecord))" attrs="pTRRecord APLRecord SigRecord nAPTRRecord HIPRecord kXRecord aRecord aFSDBRecord hInfoRecord sRVRecord mDRecord certRecord nSECRecord idnsName tXTRecord DHCIDRecord dSRecord dNameRecord TLSARecord mXRecord sSHFPRecord cNAMERecord IPSECKEYRecord aAAARecord rRSIGRecord RPRecord DLVRecord URIRecord mInfoRecord KeyRecord a6Record nXTRecord LocRecord nSRecord SPFRecord" [date] conn=538 op=7 RESULT err=0 tag=101 nentries=11 etime=0.0005895601

In your case, since the search results are truncated, there will probably be err=4 (size limit exceeded) or err=11 (admin limit exceeded), and nentries= the limit you are hitting.

Please keep in mind that 389-ds access log is buffered, it may get some time between the event and its logging in the file.

Flo
Okay, found it.

conn=128104 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
conn=128104 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid-admin,cn=users,cn=accoutns,dc=my,dc=net"
...
conn=128104 op=7 SRCH base="idnsname=my.net,cn=dns,dc=my,dc=net" scope=2 filter="(&(objectClass=top)(objectClass=idnsrecord))" attrs="sSHFPRecord HIPRecord SPFRecord kXRecord nXTRecord mXRecord aAAARecord mDRecord aRecord DLVReocrd TLSARecord * pTRRecord SigRecord idnsname aFSDBRecord APLRecord URIRecord nAPTRRecord nSRecord LocRecord dNameRecord RPRecrod DHCIDRecord IPSECKEYRecord rSIGRecord hInfoRecord cNAMERecord certRecord sRVRecord dSRecord tXTRecord nSECRecord a6Record KeyRecord mInfoRecord aci""
conn=128104 op=7 RESULT err=11 tag=101 nentries=5000 etime=2

It was going to our other IPA server in the pair and I didn't notice that I was doing my "ipa dnsrecord-find" from my workstation, not one of the servers.

So it looks like I'm getting an admin limit exceeded. What's the best way to proceed?

Hi,

just to be sure, can you perform equivalent ldapsearch with GSS-SPNEGO / GSSAPI and plain bind:
kinit admin
ldapsearch -Y GSS-SPNEGO -b idnsname=my.net,cn=dns,dc=my,dc=net "(&(objectClass=top)(objectClass=idnsrecord))"

kinit admin
ldapsearch -Y GSSAPI -b idnsname=my.net,cn=dns,dc=my,dc=net "(&(objectClass=top)(objectClass=idnsrecord))"

ldapsearch -D uid=admin,cn=users,cn=accounts,dc=my,dc=net -W -b idnsname=my.net,cn=dns,dc=my,dc=net "(&(objectClass=top)(objectClass=idnsrecord))"

I would like to see if the auth mechanism has any impact on the limits and number of returned entries.
Flo

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


GSS-SPNEGO returns 2000.

GSSAPI returns 2000.

The third command returns 2000.

Hi Bret,

this 2000 limit is your cn=config limit (nsslapd-sizelimit), right? If uid=admin does not define any nssizelimit then it's an expected behavior. But I don't understand how you sometimes reach the 5000 limit with uid=admin.

I must admit that this issue teased me, and I reproduced a strange behavior. The limit is not always the same, it looks like sometimes the anonymous lookthrough limit is picked even though the search is authenticated. A bug on 389-ds has already been reported but was closed as not reproducible, and it is now re-opened with new information:
https://pagure.io/389-ds-base/issue/49296

As a workaround, if you want to be able to get all your DNS records, you will need to modify the cn=config limit to a value higher than 5000, and also increase the anonymous lookthrough limit:

ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: <your value here>

dn: cn=anonymous-limits,cn=etc,$BASEDN
changetype: modify
replace: nsLookThroughLimit
nsLookThroughLimit: <your value here>

HTH,
Flo

This returns 5732:

ldapsearch -D 'cn=directory manager' -W -b idnsname=my.net,cn=dns,dc=my,dc=net "(&(objectClass=top)(objectClass=idnsrecord))"
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Both these commands fail to return. I've executed each and they simply don't return; I have to terminate them with Ctrl-C.

Do they need to be executed together, in one invocation?

Hi Bret,

ldapmodify launches a shell-like process where you can type your operations using LDIF format. The command (here modify operation) is read until an empty line is found, then gets executed. This means that you need to type twice "return" after the value for nsslapd-sizelimit (one to start a new line, and one to signify that you are done entering the modification you want to perform). Maybe you did not type return twice?

After the modification gets executed, the tool will print a message with the status (successful or failed), and wait for your next command. There you can enter the 2nd modification, for nsLookThroughLimit. When you're done with all your operations, you can exit this shell-like either with Ctrl-C or Ctrl-D.

If you don't feel comfortable with this mode, you can also use the option ldapmodify -f <ldif file> which will execute the commands read from a LDIF file and exit as the last command is executed.

HTH,
Flo.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Pilot error. I forgot to Ctrl-D when I was done. I'm not ready for Monday yet.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to