Hello all!

I believe I may be falling victim to the nsslapd-sizelimit's default
setting of 2,000.

I've been wondering why some JSON calls to IPA (3.0.37, user_find)
have been failing to show all user accounts in the results.  Checking
the FreeIPA admin UI, I can clearly find the users in question, but no
matter what changes I set in the UI on the the console with search
record limits and time limits, only 2,000 entries are ever returned.
A final test this morning by adding an account via the UI did not
augment the 2,000 entries returned in the user list;  searching for
the user on the console with 'ipa user-show y* --all' and via the
search frame in the UI found the user.

Looking over the documentation, it's stated that you can use the UI to
update the limits.  However, the limit is already set at 10,000 for
the number of records to be returned, and the time limit is set at 60.
The current dse.ldiff states that the nsslapd-sizelimit is 2,000.

Is it possible that IPA isn't respecting this value since the constant
number is 2,000?  Is it safe to change this value via an ldapmodify?

Thank you!
John DeSantis

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to