Vahit Tabak via FreeIPA-users wrote:
> Hello,
> 
> I’d like to get your thoughts on an issue I encountered with
> nsslapd-anonlimitsdn after the OS update.
> 
> We’re running IPA version 4.10.2 on RHEL 9.3, and after applying an OS
> update (dnf update), it upgraded to RHEL 9.4 and IPA version
> 4.11.0. The update went smoothly, and I'd say thanks to the IPA team.
> 
> But, I ran into an issue with nsslapd-anonlimitsdn. By default,
> nsslapd-anonlimitsdn has global resource limits, and we need more for
> our anonymous queries. Following the official documentation
> <https://docs.redhat.com/en/documentation/red_hat_directory_server/11/html/administration_guide/ldapsearch-ex-complex-range#Setting_Resource_Limits_for-anonymous-binds>,
> we
> created a custom user entry and applied it to anonymous binds, and
> everything worked fine.
> 
> ## before
> $ ldapsearch -xLLL -H ldap://ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com uid | grep ^uid | wc -l
> Administrative limit exceeded (11)
> 4998
> 
> ## action
> $ cat custom_anonymous_limits.ldif
> dn: cn=custom_anonymous_limits,cn=users,cn=accounts,dc=example,dc=com
> objectclass: nsContainer
> objectclass: top
> cn: custom_anonymous_limits
> nsSizeLimit: 15000
> nsLookThroughLimit: 15000
> nsTimeLimit: 60
> 
> $ ldapadd -f custom_anonymous_limits.ldif
> $ dsconf EXAMPLE-COM config replace nsslapd-anonlimitsdn="cn=custom_anonymous_limits,cn=users,cn=accounts,dc=example,dc=com"
> $ dsconf EXAMPLE-COM config get nsslapd-anonlimitsdn
> nsslapd-anonlimitsdn: cn=custom_anonymous_limits,cn=etc,dc=example,dc=com
> 
> ## after
> $ ldapsearch -xLLL -H ldap://ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com uid | grep ^uid | wc -l
> 12500
> 
> 
> After the OS patch, the default limits and default user for
> nsslapd-anonlimitsdn were restored. Our custom user still exists but
> was no longer active:
> 
> $ dsconf EXAMPLE-COM config get nsslapd-anonlimitsdn
> nsslapd-anonlimitsdn: cn=anonymous-limits,cn=etc,dc=example,dc=com
> 
> I had to reactivate our custom user manually:
> $ dsconf EXAMPLE-COM config replace nsslapd-anonlimitsdn="cn=custom_anonymous_limits,cn=users,cn=accounts,dc=example,dc=com"
> 
> Is this a bug, or am I missing something? Any feedback would be
> appreciated.

Whether this is a bug or not might be in the eye of the beholder. Here
is what is happening.

Since 2011 IPA has had an anonymous-limits user,
cn=anonymous-limits,cn=etc,$SUFFIX, with the size and lookthrough limits
set to 5000.

There is an update file which is run on initial installation and on
upgrades which sets only this single user as the anonymous limits user.
So yes, it wipes out the nsslapd-anonlimitsdn you manually set and will
do so on every invocation of ipa-server-upgrade (which is called during
rpm updates).

What I'd recommend doing, as the path of least resistance, is to use the
IPA anonymous-limits user DN and bump the values in that user to the
limits you desire. There is no functional difference to using your own
user but there is less friction with the IPA default.

The limit values you set will be unchanged on future updates and things
should continue to work as expected.

rob
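Added example (not part of the thread, and not IPA's own tooling): a small POSIX shell script that follows the recommendation above, raising the limits on IPA's own cn=anonymous-limits,cn=etc,$SUFFIX entry instead of pointing nsslapd-anonlimitsdn at a custom entry that ipa-server-upgrade resets. It assumes the OpenLDAP client tools are installed on the IPA server, that the change is applied as cn=Directory Manager over STARTTLS, and that the suffix and limit values passed on the command line (dc=example,dc=com, 15000) are placeholders for the real deployment. The helper that checks the dsconf output line is there so the same script can be rerun after an update to confirm nothing drifted.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Raises the size
# and lookthrough limits on IPA's default anonymous-limits entry, which
# ipa-server-upgrade re-selects as nsslapd-anonlimitsdn on every run, so
# values set on it survive OS/IPA updates.
# Assumptions: OpenLDAP client tools, run on the IPA master, bind as
# cn=Directory Manager with STARTTLS (-ZZ) against the server's FQDN.

# Build the LDIF that replaces nsSizeLimit and nsLookThroughLimit on
# cn=anonymous-limits,cn=etc,<suffix>. Only these two attributes are
# touched, as they are the ones IPA itself sets on that entry.
anon_limits_ldif() {
    suffix=$1 size=$2 look=$3
    printf 'dn: cn=anonymous-limits,cn=etc,%s\n' "$suffix"
    printf 'changetype: modify\n'
    printf 'replace: nsSizeLimit\nnsSizeLimit: %s\n-\n' "$size"
    printf 'replace: nsLookThroughLimit\nnsLookThroughLimit: %s\n-\n' "$look"
}

# Given the line printed by `dsconf <instance> config get nsslapd-anonlimitsdn`
# and the suffix, succeed when it names IPA's default entry. DNs compare
# case-insensitively, so both sides are lowercased first.
points_at_ipa_default() {
    want=$(printf 'nsslapd-anonlimitsdn: cn=anonymous-limits,cn=etc,%s' "$2" |
        tr '[:upper:]' '[:lower:]')
    got=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ "$got" = "$want" ]
}

# Read an LDIF dump of the entry on stdin (e.g. `ldapsearch -LLL` output)
# and print "size lookthrough" so the result of the change can be checked.
limits_from_ldif() {
    awk -F': ' '$1 == "nsSizeLimit"        { s = $2 }
                $1 == "nsLookThroughLimit" { l = $2 }
                END { print s, l }'
}

# The directory is only modified when all three arguments are given:
#   sh anon_limits.sh dc=example,dc=com 15000 15000
if [ $# -eq 3 ]; then
    suffix=$1
    host=$(hostname -f)
    anon_limits_ldif "$suffix" "$2" "$3" |
        ldapmodify -x -ZZ -H "ldap://$host" -D 'cn=Directory Manager' -W
    # Re-read the entry (prompts for the password again) and show the
    # values now in effect for anonymous binds.
    ldapsearch -x -ZZ -LLL -H "ldap://$host" -D 'cn=Directory Manager' -W \
        -b "cn=anonymous-limits,cn=etc,$suffix" \
        nsSizeLimit nsLookThroughLimit | limits_from_ldif
fi
```

After an update, `dsconf EXAMPLE-COM config get nsslapd-anonlimitsdn | ( read -r line; points_at_ipa_default "$line" dc=example,dc=com )` confirms the server is still using the IPA default entry, and the limits written to it are what anonymous searches get; the custom entry under cn=users can then be deleted so nobody reactivates it by hand.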

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
