Rob,

Thanks for your reply.

My predecessor had written code to pull user entries from the realm in order to verify that: 1.) A home directory is created (if not already) and apply the correct ownership; 2.) A work directory (Lustre) is created (if not already) and apply the correct ownership.

Given what you've said, I'll perform a work-around within the code to get a list of active users from a database table vs. the current method.

John DeSantis

2015-05-04 9:53 GMT-04:00 Rob Crittenden <[email protected]>:
> John Desantis wrote:
>> Hello all!
>>
>> I believe I may be falling victim to the nsslapd-sizelimit's default
>> setting of 2,000.
>>
>> I've been wondering why some JSON calls to IPA (3.0.37, user_find)
>> have been failing to show all user accounts in the results. Checking
>> the FreeIPA admin UI, I can clearly find the users in question, but no
>> matter what changes I set in the UI on the console with search
>> record limits and time limits, only 2,000 entries are ever returned.
>> A final test this morning by adding an account via the UI did not
>> augment the 2,000 entries returned in the user list; searching for
>> the user on the console with 'ipa user-show y* --all' and via the
>> search frame in the UI found the user.
>>
>> Looking over the documentation, it's stated that you can use the UI to
>> update the limits. However, the limit is already set at 10,000 for
>> the number of records to be returned, and the time limit is set at 60.
>> The current dse.ldiff states that the nsslapd-sizelimit is 2,000.
>>
>> Is it possible that IPA isn't respecting this value since the constant
>> number is 2,000? Is it safe to change this value via an ldapmodify?
>>
>> Thank you!
>> John DeSantis
>>
>
> Why do you need to return > 2000 users at one time?
>
> IPA purposely limits the number of entries returned by default (100)
> specifically to discourage enumeration which is expensive.
>
> It is safe to modify this value using ldapmodify. Increasing the value
> is not recommended.
>
> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
