On 10/25/2012 08:33 PM, Steven Jones wrote:
I hadn't restarted but now I have, no difference.

wc -l says 10000 but every other line is a blank, so yes 5000 seems likely.

There are just under 6000 AD users....2 servers as this is in the test 
environment to test winsync and passync....both are working as far as I can 
tell with the backported rpms.

Ok.  You may be running into https://fedorahosted.org/389/ticket/446

I believe ipa enables the anonymous limits feature. I suggest increasing these limits.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 26 October 2012 3:22 p.m.
To: Steven Jones
Subject: Re: [Freeipa-users] ipa user-find

On 10/25/2012 07:30 PM, Steven Jones wrote:
40000

Both idlistscanlimit and lookthroughlimit?  And you're still hitting a
limit of 5000 entries?
How many entries in your database?
Have you tried restarting dirsrv?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 26 October 2012 2:22 p.m.
To: Steven Jones
Subject: Re: [Freeipa-users] ipa user-find

On 10/25/2012 07:14 PM, Steven Jones wrote:
Hi,

Screenshot of access log output attached.

You increased the idlistscanlimit and lookthroughlimit?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 26 October 2012 10:24 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa user-find

On 10/25/2012 02:46 PM, Steven Jones wrote:
Hi,

yes figured it....

even at 20000 I'm still getting an administrative size limit exceeded (11)

This means you're either hitting the lookthroughlimit and/or the
idlistscanlimit.

The idlistscanlimit is described here -
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Database_Plug_in_Attributes.html#nsslapd_idlistscanlimit

I suggest changing the value to be 2 times as large as the number of
entries in your database, just to be safe:

ldapmodify -x -D "cn=directory manager" -W<<EOF
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-idlistscanlimit
nsslapd-idlistscanlimit: a big number
EOF

If you still have a problem, it means ipa is doing an unindexed search,
and you will have to increase the lookthroughlimit for the ipa admin
user.  I'm not sure how/where ipa does that.  You can set the global
limit for all users like this:

ldapmodify -x -D "cn=directory manager" -W<<EOF
dn: cn=config
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: a big number
EOF

In case you are wondering what all of this gibberish is

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Indexes.html#About_Indexes-Overview_of_the_Searching_Algorithm

When the directory server cannot load the IDs of the search results into
an ID list, either due to hitting the idlistscanlimit, or the search is
unindexed (and therefore there is no index to load the ID list), the
server must fall back to searching through every entry in the database.
It will only look through nsslapd-lookthroughlimit number of entries
before giving up and returning err=11.

Can you take a look at the directory server access log at
/var/log/dirsrv/slapd-INST/access and look for the corresponding SRCH
operation and the RESULT of that search operation and please post it?

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 26 October 2012 9:44 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa user-find

On 10/25/2012 02:37 PM, Steven Jones wrote:
Hi,

I've tried,

dn: cn=default instance config,cn=config,cn=plugins

and,

dn: cn=default instance config,cn=config,cn=plugins,cn=config

Try
dn: cn=config

and get no such object (32)

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 25 October 2012 4:16 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa user-find

Steven Jones wrote:
Hi,

How do I bind as the directory manager?  I've tried and I can't figure out how.

Assuming you're running on the same host as IPA:

$ ldapmodify -x -D 'cn=directory manager' -W
dn: cn=default instance config,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 8000

^D

And yes, that's an extra blank line after 8000.

and how do I get the web ui to return all users so I can see if the winsync is
working, it's a test bed so I need to do a side by side comparison....

You'll need to modify the size limit in the IPA configuration screen.
IPA Server -> Configuration -> Search size limit

rob

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 25 October 2012 3:40 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa user-find

Steven Jones wrote:
When doing the above it only returns 2000, I have 6000

How to get it to return 6000+?

There are two size limits. One is a global limit in 389-ds-base,
nsslapd-sizelimit which defaults to 2000.

IPA has its own search limit which you can also set globally, or
override it on the command line (which I'll do below).

You'll need to bind as Directory Manager to change nsslapd-sizelimit
then you can run:

ipa user-find --sizelimit=8000

I don't believe any services need to be restarted for this to take effect.

We generally discourage enumerating all entries for performance reasons
which is why by default the IPA size limit is 100.

rob



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
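
Added example (not part of the original thread or of the 389-ds/IPA projects): one way to do the access-log check requested above, pairing each SRCH line with its RESULT by conn/op and reporting searches that returned err=11 or were marked unindexed (notes=U). The log lines, base DNs and filters are constructed samples in the access log format, not taken from the poster's server.

```python
import re

# Constructed sample lines in 389-ds access log format (not from the thread).
SAMPLE_LOG = """\
[26/Oct/2012:09:40:01 +1300] conn=7 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(objectClass=posixaccount)" attrs=ALL
[26/Oct/2012:09:40:01 +1300] conn=8 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=sjones)" attrs="uid cn"
[26/Oct/2012:09:40:01 +1300] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[26/Oct/2012:09:40:03 +1300] conn=7 op=1 RESULT err=11 tag=101 nentries=5000 etime=2 notes=U
[26/Oct/2012:09:41:10 +1300] conn=9 op=4 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(description=*test*)" attrs=ALL
[26/Oct/2012:09:41:12 +1300] conn=9 op=4 RESULT err=0 tag=101 nentries=12 etime=2 notes=U
"""

LINE_RE = re.compile(r"conn=(\d+) op=(\d+) (SRCH|RESULT) (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def find_limited_searches(log_text):
    """Pair SRCH with RESULT by (conn, op); report err=11 or notes=U."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
        if m.group(3) == "SRCH":
            pending[key] = fields
            continue
        srch = pending.pop(key, None)
        if srch is None:
            continue  # RESULT of a non-search operation (BIND, MOD, ...)
        hit_limit = fields.get("err") == "11"  # administrative limit exceeded
        unindexed = "U" in fields.get("notes", "").split(",")
        if hit_limit or unindexed:
            findings.append({
                "conn": key[0], "op": key[1],
                "base": srch.get("base"), "filter": srch.get("filter"),
                "nentries": int(fields.get("nentries", 0)),
                "hit_limit": hit_limit, "unindexed": unindexed,
            })
    return findings


if __name__ == "__main__":
    for f in find_limited_searches(SAMPLE_LOG):
        print(f)
```

To run it against a real server, pass the contents of /var/log/dirsrv/slapd-INST/access instead of SAMPLE_LOG.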