Hi, On Wed, Jun 12, 2024 at 3:35 PM Anton PalkoBrosov via FreeIPA-users < [email protected]> wrote:
> I make some synchronization features with freeipa. For this i need to > fetch users from LDAP db. > By default search limit is 2000 users both in GUI and API. > So i made modofications in freeipa configs > > ldapmodify -x -D "cn=Directory Manager" -W -H ldap://localhost > > dn: cn=config > changetype: modify > replace: nsslapd-sizelimit > nsslapd-sizelimit: 20000000 > > so all started to work fine, for starter there were just around 3000 users > in db so it worked fine, returned all users. > then i started to generate new users to see perfomance of DB, so i used > "pkey_only: true" in "user_find" command so when quantity of users reached > 90k users it spend around 25sec to response, so ok its tolerable.... > so all 90k+ users still returned by API > > So issue happened when quantity of users reached around 100к+ users, so > search limit shrinked to 49629 users > shrikage info started to add to responses > > "count": 49629, > "truncated": true, > "messages": [ > { > "type": "warning", > "name": "SearchResultTruncated", > "message": "Search result has been truncated: Configured > administrative server limit exceeded", > "code": 13017, > "data": { > "reason": "Configured administrative server limit > exceeded" > } > } > ] > > The search results can be truncated because of size limit but also because of time limits. You can find more information in this chapter: *Adjusting the search size and time limit <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/tuning_performance_in_identity_management/adjusting-the-search-size-and-time-limit_tuning-performance-in-idm>* Note that adjusting the size or time limits using the *ipa config-mod * command with the --searchrecordslimit or the --searchtimelimit options affects the number of entries returned by *ipa* commands, such as *ipa user-find*. In addition to these limits, the settings configured at the Directory Server level are also taken into account and may impose stricter limits. For more information on Directory Server limits, see the *Red Hat Directory Server Administration Guide* <https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/finding_directory_entries#ldapsearch-ex-complex-range>. flo i do not do anything with freeipa server, just worked python script which > generated users, script worked delicate and slow , he always waited for > response from API that user created before creating another one user, so > there were no high parallel overload on DB > > so i searched for nsslapd-sizelimit again with command: > ldapsearch -x -D "cn=Directory Manager" -W -H ldap://localhost -b > "cn=config" nsslapd-sizelimit > but is showed normally nsslapd-sizelimit: 20000000 > so with settings all fine, it shows that number that i set > > so what happened? Where freeipa get this strange limit in 49629 users and > why? How to handle this? so projected size of LDAP DB is around 15 millons > users > I tried to workaround this with python ldap-3 library in hope it make some > more low-level requests without any limits, but via python script i have > this limit too, so its totally global for all, UI, API and python API... > So how to remove this strange limit? > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
