Hi, all the ipa * calls use a search size limit and search time limit to avoid returning too many entries. In order to see those settings, you can do: # kinit admin # ipa config-show ... Search time limit: 2 Search size limit: 100 ... as explained here: https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/accessing_identity_management_services/searching-ipa-entries_accessing-idm-services#adjusting-the-search-size-and-time-limit_search-ipa
If the ipa command doesn't work you can also use ldapsearch directly (replace dc=ipa,dc=test with your own suffix): # ldapsearch -LLL -Y GSSAPI -b cn=ipaConfig,cn=etc,dc=ipa,dc=test -s base ipasearchtimelimit ipasearchrecordslimit SASL/GSSAPI authentication started SASL username: ad...@ipa.test SASL SSF: 256 SASL data security layer installed. dn: cn=ipaConfig,cn=etc,dc=ipa,dc=test ipasearchtimelimit: 2 ipasearchrecordslimit: 100 The default value is 100 for the number of returned entries. flo On Wed, Sep 10, 2025 at 4:03 PM Ranbir via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I'm seeing an error I've never seen before and don't really understand. > I added our 34th AlmaLinux 9 IdM master to the topology. After I did > that, I can no longer run any ipa command or login to the web UI of any > member IdM master. > > For example: > > > $ ipa config-show > ipa: ERROR: Configured size limit exceeded > > > I see the same error when I login to the web UI. But, I also see: > > > Web UI got in unrecoverable state during "runtime" phase. > Technical details: > can't access property "ipapwdexpadvnotify", IPA.server_config is > undefined > > Followed by a ton of what look like javascript errors. > > Coincidentally, I blew up one of the masters by mistake yesterday. I > couldn't run "ipa server-del" because of the above error, so instead I > used ipa-replica-manage to delete the server. After I did that, the > "Configured size limit exceeded" errors disappeared, too. That's how I > know the error is tied to the number of masters going from 33 to 34. > > Do I have too many replication agreements? Is there a directory server > configuration that I need to modify? > > Any help would be appreciated. > > Thanks, > -- > Ranbir > -- > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
