Hello, I’d like to get your thoughts on an issue I encountered with nsslapd-anonlimitsdn after the OS update.
We’re running IPA version 4.10.2 on RHEL 9.3, and after applying an OS update (dnf update), it upgraded to RHEL 9.4 and IPA version 4.11.0. The update went smoothly, and I'd say thanks to the IPA team. But I ran into an issue with nsslapd-anonlimitsdn. By default, nsslapd-anonlimitsdn has global resource limits, and we need more for our anonymous queries. Following the official documentation <https://docs.redhat.com/en/documentation/red_hat_directory_server/11/html/administration_guide/ldapsearch-ex-complex-range#Setting_Resource_Limits_for-anonymous-binds>, we created a custom user entry and applied it to anonymous binds, and everything worked fine.

## before

$ ldapsearch -xLLL -H ldap://ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com uid | grep ^uid | wc -l
Administrative limit exceeded (11)
4998

## action

$ cat custom_anonymous_limits.ldif
dn: cn=custom_anonymous_limits,cn=users,cn=accounts,dc=example,dc=com
objectclass: nsContainer
objectclass: top
cn: custom_anonymous_limits
nsSizeLimit: 15000
nsLookThroughLimit: 15000
nsTimeLimit: 60

$ ldapadd -f custom_anonymous_limits.ldif
$ dsconf EXAMPLE-COM config replace nsslapd-anonlimitsdn="cn=custom_anonymous_limits,cn=users,cn=accounts,dc=example,dc=com"
$ dsconf EXAMPLE-COM config get nsslapd-anonlimitsdn
nsslapd-anonlimitsdn: cn=custom_anonymous_limits,cn=etc,dc=example,dc=com

## after

$ ldapsearch -xLLL -H ldap://ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com uid | grep ^uid | wc -l
12500

After the OS patch, the default limits and the default user for nsslapd-anonlimitsdn were restored. Our custom user still exists but was no longer active:

$ dsconf EXAMPLE-COM config get nsslapd-anonlimitsdn
nsslapd-anonlimitsdn: cn=anonymous-limits,cn=etc,dc=example,dc=com

I had to reactivate our custom user manually:

$ dsconf EXAMPLE-COM config replace nsslapd-anonlimitsdn="cn=custom_anonymous_limits,cn=users,cn=accounts,dc=example,dc=com"

Is this a bug, or am I missing something? Any feedback would be appreciated.
Thanks, Vahit Tabak
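The post describes a setting that silently reverted to its default across an upgrade, which is exactly the kind of drift worth checking for automatically. The script below is an added example and is not part of the original post or of the IPA/389-ds project: it parses the output of the same `dsconf ... config get nsslapd-anonlimitsdn` command used above, compares the configured DN with the DN of the custom limits entry (the instance name and DNs are the ones from the post; substitute your own), optionally repoints it with the same `dsconf ... config replace` command, and separately checks that the limits entry itself still carries the expected nsSizeLimit/nsLookThroughLimit values when given its LDIF. The DN comparison is case-insensitive and ignores spaces after commas, since DNs are compared that way in LDAP.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a post-upgrade drift check for
# nsslapd-anonlimitsdn. The instance name and DNs are taken from the post and
# are placeholders for your own environment.
set -u

EXPECTED_DN="cn=custom_anonymous_limits,cn=users,cn=accounts,dc=example,dc=com"
INSTANCE="EXAMPLE-COM"

# Canonicalise a DN for comparison: attribute values in these DNs are
# case-insensitive and may carry spaces after commas, so lowercase and strip
# those before comparing.
normalize_dn() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# Pull the value out of "dsconf <inst> config get nsslapd-anonlimitsdn" output,
# which is a single "nsslapd-anonlimitsdn: <dn>" line.
parse_anonlimitsdn() {
  printf '%s\n' "$1" | sed -n 's/^nsslapd-anonlimitsdn: *//p' | head -n 1
}

# Exit 0 if the DN in the dsconf output equals EXPECTED_DN, 1 otherwise
# (an empty or missing value also counts as a mismatch).
anonlimitsdn_matches() {
  _current=$(normalize_dn "$(parse_anonlimitsdn "$1")")
  [ -n "$_current" ] && [ "$_current" = "$(normalize_dn "$EXPECTED_DN")" ]
}

# Given the LDIF of the limits entry (e.g. from "ldapsearch -LLL ... -b <dn>"),
# exit 0 only if nsSizeLimit and nsLookThroughLimit are both present and at
# least as large as the minimum given in $2.
limits_entry_ok() {
  _min=$2
  _size=$(printf '%s\n' "$1" | sed -n 's/^nsSizeLimit: *//p' | head -n 1)
  _look=$(printf '%s\n' "$1" | sed -n 's/^nsLookThroughLimit: *//p' | head -n 1)
  [ -n "$_size" ] && [ -n "$_look" ] \
    && [ "$_size" -ge "$_min" ] && [ "$_look" -ge "$_min" ]
}

# Live check against the running instance. "check" only reports; "apply" also
# repoints nsslapd-anonlimitsdn with the same dsconf command used in the post.
check_and_fix() {
  _out=$(dsconf "$INSTANCE" config get nsslapd-anonlimitsdn) || return 2
  if anonlimitsdn_matches "$_out"; then
    echo "OK: $_out"
    return 0
  fi
  echo "DRIFT: $_out (expected $EXPECTED_DN)"
  if [ "$1" = "apply" ]; then
    dsconf "$INSTANCE" config replace "nsslapd-anonlimitsdn=$EXPECTED_DN"
  fi
  return 1
}

# Only talk to the directory server when explicitly asked.
case "${1:-}" in
  check|apply) check_and_fix "$1" ;;
esac
```

Run it as `./anonlimits-check.sh check` from a post-update hook or a monitoring job; a non-zero exit means the pointer has drifted back to the default `cn=anonymous-limits,cn=etc,...` entry. Use `apply` only once you have confirmed the custom entry still exists, since pointing nsslapd-anonlimitsdn at a missing entry would leave anonymous binds without the intended limits.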
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
