On 12/19/18 12:15 PM, lune voo via FreeIPA-users wrote:
Hello everyone.
I send you this mail because I have a problem with an ipa
group-remove-member command which ends up with the following error message :
"Limits exceeded for this query".
I'm using IPA 3.0.0.
The group for which I want to remove a user contains other groups also
(281).
I was wondering how I could solve this problem ?
I tried to play with the configuration as described here :
https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/searches.html
I tried to increase both limits but it did not solve the problem.
I guess as I'm not doing a search but group remove member, this
parameters are not used maybe ?
Thanks for your help o/
Best regards.
Lune.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Hi,
when you are running ipa group-remove-member, are you authenticated as
admin or as another user?
Can you see in 389-ds logs which operation is triggering the size-limit
error? In /var/log/dirsrv/slapd-domXXX/access, you will find a line with
RESULT err=4, note the conn=xx and op=yy values, then look above for a
line with conn=xx op=yy SRCH and finally another line above with conn=xx
op=0 BIND. Please paste the 3 lines for analysis.
The size limits are configured at multiple levels:
- at IPA level: with ipa config-show, you can see the settings that IPA
is using for all the queries triggered by ipa *-find commands.
- at 389-ds level: the attribute nsslapd-sizelimit of the entry
cn=config is also limiting the number of returned entries
- at 389-ds level: the attributes nsSizeLimit and nsLookThroughLimit of
the entry cn=anonymous-limits,cn=etc,$BASEDN limit the number of
returned entries for anonymous queries
- it is also possible to configure per-user limits, for instance in
uid=user,cn=users,cn=accounts,$BASEDN with the attributes nsSizeLimit
nsLookThroughLimit nsPagedLookThroughLimit and nsPagedSizeLimit
So we need to understand which user is performing the ipa
group-remove-member command, and which limit is triggering the error.
flo
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
