[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Bret Wortman via FreeIPA-users

On 02/19/2018 07:55 AM, Florence Blanc-Renaud wrote:

On 02/19/2018 12:01 PM, Bret Wortman via FreeIPA-users wrote:

On 02/16/2018 11:54 AM, Florence Blanc-Renaud wrote:

On 02/15/2018 06:42 PM, Bret Wortman via FreeIPA-users wrote:

On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote:

On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote:

On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote:

On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote:
On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote:

On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote:



On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote:
On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote:

On 02/14/2018 05:58 PM, Bret Wortman wrote:

On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote:
On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote:

I did figure out that I can use

# ldapsearch -D 'directory manager' -W -E pr=2 -b idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com


to list out all the entries, but the format isn't what 
I'm expecting.


What I'm actually trying to do is move our whole 
infrastructure from one set of old & busted servers to 
some shiny new VMs. We'd like to extract the data and 
start fresh, as our replication agreements just don't 
seem to be working as expected. Changes to one don't 
always make it to the other and vice versa. While I'd 
love to dig in and solve that, it's easier right now to 
try to extract the data and reload it into a new server, 
build new replicas, then unbind & re-bind every client 
to the new server using ansible since we also lost our 
internal CA in the process.


So while our current configuration is a mess, we can't 
afford to lose all the host/user/dns/hbac data in our 
servers. Thus, I've been capturing the output to text 
using various ipa *-find commands and have parsers to 
turn those back into new entries on the fresh hosts. DNS 
is the only thing that's holding me up.



Bret


On 02/14/2018 06:33 AM, Bret Wortman wrote:


Also, this doesn't solve the fact that the Web UI 
always produces an error dialog whenever accessing our 
primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users 
wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo wrote:



    the canonical way to do this is using ldap paging, with
    ldapsearch you could try using the -E pr= parameter, where
    could be 1000 for instance. That way you know you are always
    under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to 
continue, nicer for scripts obviously.


--
Groeten,
natxo


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org









Hi Bret,

the search limits can be set at multiple levels:
- for the whole 389-ds server
nsslapd-sizelimit (in cn=config)
nsslapd-lookthroughlimit (in cn=config,cn=ldbm 
database,cn=plugins,cn=config)


- for operations performed through ipa * commands (or the 
webGUI):

ipaSearchRecordsLimit (in cn=ipaConfig,cn=etc,$BASEDN)

- for each user:
nssizelimit and nsLookThroughLimit attributes (in 
uid=$USER,cn=users,cn=accounts,$BASEDN)


You are probably hitting one of these limits in your ipa 
*-find command.


HTH,
Flo



So I found almost all of these:

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config' cn=config | grep nsslapd-sizelimit

nsslapd-sizelimit: 2000

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config,cn=ldbm database,cn=plugins,cn=config' | grep lookthroughlimit

nsslapd-lookthroughlimit: 10

# ldapsearch -D 'cn=directory manager' -W -b 'cn=ipaConfig,cn=etc,dc=damascusgrp,dc=com' | grep ipaSearchRecordsLimit

ipaSearchRecordsLimit: 9

# ldapsearch -D 'cn=directory manager' -W -b 'uid=admin,cn=users,cn=accounts,dc=damascusgrp,dc=com' | grep -i limit

(returns data but nothing matches)


Hi,

nsSizeLimit and nsLookThroughLimit are operational 
attributes, meaning that a standard ldapsearch will not 
return them. You need either to specifically request them 
by providing them in the attributes list:


$ ldapsearch -D 'cn=directory manager' -W -b $BASE nssizelimit nslookthroughlimit


or you can also specify + instead of the attributes in 
order to get all operational attributes:

$ ldapsearch -D 'cn=directory manager' -W -b $BASE +

HTH,
Flo

The first doesn't seem to be something I can change. It's 
stuck at 2000, but since my issue occurs at 5000, I'm not 
worried about it. I believe that I'm missing something in 
the fourth search that might point me toward the 
attributes you mentioned but I'm not 

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Florence Blanc-Renaud via FreeIPA-users

On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote:

The first doesn't seem to be something I can change. It's 
stuck at 2000, but since my issue occurs at 5000, I'm not 
worried about it. I believe that I'm missing something in 
the fourth search that might point me toward the attributes 
you mentioned but I'm not sure where.




The 5000 limit rings a bell to me. It is 

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Bret Wortman via FreeIPA-users

On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote:

The 5000 limit rings a bell to me. It is the anonymous size 
limit. Can you check:
$ ldapsearch -D 

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-16 Thread Givaldo Lins via FreeIPA-users
Hey Florence

Your suggestion seems to have fixed the limit problem for my case. That is 
interesting because when checking the logs I see the search using my user cn 
but the anonymous-limit change was effective somehow.

Thank you all for your help.

—
Givaldo Lins

> On Feb 16, 2018, at 8:54 AM, Florence Blanc-Renaud via FreeIPA-users wrote:

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users

On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote:

The 5000 limit rings a bell to me. It is the anonymous size 
limit. Can you check:
$ ldapsearch -D 'cn=directory manager' -W -b cn=config -s base 
nsslapd-anonlimitsdn


it will provide you with a DN of the entry defining 

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Florence Blanc-Renaud via FreeIPA-users

On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote:

The 5000 limit rings a bell to me. It is the anonymous size limit. 
Can you check:
$ ldapsearch -D 'cn=directory manager' -W -b cn=config -s base 
nsslapd-anonlimitsdn


it will provide you with a DN of the entry defining the anonymous 
limits (usually 

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Florence Blanc-Renaud via FreeIPA-users

On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote:

On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote:

On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote:



On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote:

On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote:

On 02/14/2018 05:58 PM, Bret Wortman wrote:

On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote:

On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote:

I did figure out that I can use

# ldapsearch -D 'directory manager' -W -E pr=2 -b 
idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com


to list out all the entries, but the format isn't what I'm 
expecting.


What I'm actually trying to do is move our whole infrastructure 
from one set of old & busted servers to some shiny new VMs. We'd 
like to extract the data and start fresh, as our replication 
agreements just don't seem to be working as expected. Changes to 
one don't always make it to the other and vice versa. While I'd 
love to dig in and solve that, it's easier right now to try to 
extract the data and reload it into a new server, build new 
replicas, then unbind & re-bind every client to the new server 
using ansible since we also lost our internal CA in the process.


So while our current configuration is a mess, we can't afford to 
lose all the host/user/dns/hbac data in our servers. Thus, I've 
been capturing the output to text using various ipa *-find 
commands and have parsers to turn those back into new entries on 
the fresh hosts. DNS is the only thing that's holding me up.



Bret


On 02/14/2018 06:33 AM, Bret Wortman wrote:


Also, this doesn't solve the fact that the Web UI always 
produces an error dialog whenever accessing our primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo 
> wrote:



    the canonical way to do this is using ldap paging, with
    ldapsearch  you could try using the -E pr= parameter, 
where
     could be 1000 for instance. That way you know you are 
always

    under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to 
continue, nicer for scripts obviously.


--
Groeten,
natxo


___
FreeIPA-users mailing list --freeipa-users@lists.fedorahosted.org
To unsubscribe send an email 
tofreeipa-users-le...@lists.fedorahosted.org






___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to 
freeipa-users-le...@lists.fedorahosted.org



Hi Bret,

the search limits can be set at multiple levels:
- for the whole 389-ds server
nsslapd-sizelimit (in cn=config)
nsslapd-lookthroughlimit (in cn=config,cn=ldbm 
database,cn=plugins,cn=config)


- for operations performed through ipa * commands (or the webGUI):
ipaSearchRecordsLimit (in cn=ipaConfig,cn=etc,$BASEDN)

- for each user:
nssizelimit and nsLookThroughLimit attributes (in 
uid=$USER,cn=users,cn=accounts,$BASEDN)


You are probably hitting one of these limits in your ipa *-find 
command.


HTH,
Flo



So I found almost all of these:

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config' cn=config | grep nsslapd-sizelimit

nsslapd-sizelimit: 2000

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config,cn=ldbm database,cn=plugins,cn=config' | grep lookthroughlimit

nsslapd-lookthroughlimit: 10

# ldapsearch -D 'cn=directory manager' -W -b 'cn=ipaConfig,cn=etc,dc=damascusgrp,dc=com' | grep ipaSearchRecordsLimit

ipaSearchRecordsLimit: 9

# ldapsearch -D 'cn=directory manager' -W -b 'uid=admin,cn=users,cn=accounts,dc=damascusgrp,dc=com' | grep -i limit

(returns data but nothing matches)


Hi,

nsSizeLimit and nsLookThroughLimit are operational attributes, 
meaning that a standard ldapsearch will not return them. You need 
either to specifically request them by providing them in the 
attributes list:


$ ldapsearch -D 'cn=directory manager' -W -b $BASE nssizelimit nslookthroughlimit


or you can also specify + instead of the attributes in order to get 
all operational attributes:

$ ldapsearch -D 'cn=directory manager' -W -b $BASE +

HTH,
Flo

The first doesn't seem to be something I can change. It's stuck at 
2000, but since my issue occurs at 5000, I'm not worried about it. 
I believe that I'm missing something in the fourth search that 
might point me toward the attributes you mentioned but I'm not 
sure where.




The 5000 limit rings a bell to me. It is the anonymous size limit. 
Can you check:
$ ldapsearch -D 'cn=directory manager' -W -b cn=config -s base nsslapd-anonlimitsdn


it will provide you with a DN of the entry defining the anonymous 
limits (usually cn=anonymous-limits,cn=etc,$BASEDN), then:


$ ldapsearch -D 'cn=directory manager' -W -b cn=anonymous-limits,cn=etc,$BASEDN nsSizeLimit

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users



[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Florence Blanc-Renaud via FreeIPA-users


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users




[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Alexander Bokovoy via FreeIPA-users


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Florence Blanc-Renaud via FreeIPA-users

The 5000 limit rings a bell to me. It is the anonymous size limit. Can 
you check:
$ ldapsearch -D 'cn=directory manager' -W -b cn=config -s base nsslapd-anonlimitsdn


it will provide you with a DN of the entry defining the anonymous limits 
(usually cn=anonymous-limits,cn=etc,$BASEDN), then:


$ ldapsearch -D 'cn=directory manager' -W -b cn=anonymous-limits,cn=etc,$BASEDN nsSizeLimit nsLookThroughLimit


Now we should check the access log (/var/log/dirsrv/slapd-xxx/access) 
corresponding to your command to retrieve the DNS entries, and ensure 
which user identity is actually performing the search.


Flo




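Flo's last step above, reading the access log to see which identity actually ran the zone search and whether one of the limits she listed earlier in the thread cut it short, as an added example that is not from the thread: a small Python parser over a constructed 389-ds access log excerpt that correlates BIND and SRCH requests with their RESULT lines by conn= and op=. The log lines, DNs and entry counts are constructed for illustration; the field names follow the 389-ds access log format.

```python
import re

# Constructed 389-ds access log excerpt (not from the thread). Two clients
# enumerate the same DNS zone: conn=17 is bound anonymously (simple bind with
# an empty DN), conn=18 is bound as admin via SASL/GSSAPI. nentries= is the
# number of entries returned; err=4 is LDAP sizeLimitExceeded.
SAMPLE_ACCESS_LOG = """\
[15/Feb/2018:10:50:01.101 +0100] conn=17 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[15/Feb/2018:10:50:01.102 +0100] conn=17 op=0 BIND dn="" method=128 version=3
[15/Feb/2018:10:50:01.103 +0100] conn=17 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001 dn=""
[15/Feb/2018:10:50:01.104 +0100] conn=17 op=1 SRCH base="idnsname=example.test,cn=dns,dc=example,dc=test" scope=1 filter="(objectClass=idnsRecord)" attrs=ALL
[15/Feb/2018:10:50:01.250 +0100] conn=17 op=1 RESULT err=4 tag=101 nentries=5000 etime=0.1460
[15/Feb/2018:10:51:00.001 +0100] conn=18 fd=65 slot=65 connection from 10.0.0.5 to 10.0.0.1
[15/Feb/2018:10:51:00.002 +0100] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Feb/2018:10:51:00.003 +0100] conn=18 op=0 RESULT err=14 tag=97 nentries=0 etime=0.0001, SASL bind in progress
[15/Feb/2018:10:51:00.004 +0100] conn=18 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Feb/2018:10:51:00.005 +0100] conn=18 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0002 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[15/Feb/2018:10:51:00.006 +0100] conn=18 op=2 SRCH base="idnsname=example.test,cn=dns,dc=example,dc=test" scope=1 filter="(objectClass=idnsRecord)" attrs=ALL
[15/Feb/2018:10:51:00.300 +0100] conn=18 op=2 RESULT err=0 tag=101 nentries=7312 etime=0.2940
[15/Feb/2018:10:51:01.000 +0100] conn=18 op=3 UNBIND
"""

# Every access log line carries conn= and, for operations, op=; the two
# together correlate a BIND or SRCH request with its RESULT line.
LINE_RE = re.compile(r"\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)"')
# For SASL binds the DN the server mapped the client to appears only on the
# RESULT line, so it is captured here as an optional group.
RESULT_RE = re.compile(
    r'^RESULT err=(?P<err>\d+) .*?nentries=(?P<n>\d+)(?:.* dn="(?P<dn>[^"]*)")?')

# LDAP result codes that mean a server-side limit cut the search short.
LIMIT_ERRORS = {3: "timeLimitExceeded", 4: "sizeLimitExceeded", 11: "adminLimitExceeded"}


def analyse(log_text, base_match="cn=dns"):
    """Return one finding per completed search whose base contains base_match:
    the identity the connection was bound as when the search ran, the entry
    count and whether a limit error was returned."""
    bound = {}          # conn -> DN the connection is bound as ("" = anonymous)
    pending_bind = {}   # (conn, op) -> DN requested in a BIND not yet answered
    searches = {}       # (conn, op) -> base of a SRCH not yet answered
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("op") is None:
            continue    # connection open/close lines carry no op=
        conn, op, rest = m.group("conn"), int(m.group("op")), m.group("rest")
        if (b := BIND_RE.match(rest)):
            pending_bind[(conn, op)] = b.group("dn")
        elif (s := SRCH_RE.match(rest)):
            if base_match in s.group("base"):
                searches[(conn, op)] = s.group("base")
        elif (r := RESULT_RE.match(rest)):
            err, nentries = int(r.group("err")), int(r.group("n"))
            if (conn, op) in pending_bind:
                requested = pending_bind.pop((conn, op))
                if err == 0:    # err=14 is "SASL bind in progress": not bound yet
                    bound[conn] = r.group("dn") if r.group("dn") is not None else requested
            elif (conn, op) in searches:
                findings.append({
                    "conn": conn, "op": op,
                    "identity": bound.get(conn, "") or "anonymous",
                    "base": searches.pop((conn, op)),
                    "err": err, "nentries": nentries,
                    "limit": LIMIT_ERRORS.get(err),
                })
    return findings


def report(findings):
    """Render findings as text lines; a hit on a limit names which code fired."""
    lines = []
    for f in findings:
        status = f["limit"] or "complete"
        lines.append(f"conn={f['conn']} op={f['op']} as {f['identity']}: "
                     f"{f['nentries']} entries, {status} (err={f['err']})")
    return lines


if __name__ == "__main__":
    for line in report(analyse(SAMPLE_ACCESS_LOG)):
        print(line)
```

A search that shows up as anonymous is the case the anonymous-limits entry governs; binding as the intended identity (kinit, then ldapsearch -Y GSSAPI) is usually the better fix than raising that limit, since it also caps what an unauthenticated client can pull from the zone.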
[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote:
> I did figure out that I can use
> 
> # ldapsearch -D 'directory manager' -W -E pr=2 -b
> idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com
> 
> to list out all the entries, but the format isn't what I'm expecting.
> 
> What I'm actually trying to do is move our whole infrastructure from one
> set of old & busted servers to some shiny new VMs. We'd like to extract
> the data and start fresh, as our replication agreements just don't seem
> to be working as expected. Changes to one don't always make it to the
> other and vice versa. While I'd love to dig in and solve that, it's
> easier right now to try to extract the data and reload it into a new
> server, build new replicas, then unbind & re-bind every client to the
> new server using ansible since we also lost our internal CA in the process.
> 
> So while our current configuration is a mess, we can't afford to lose
> all the host/user/dns/hbac data in our servers. Thus, I've been
> capturing the output to text using various ipa *-find commands and have
> parsers to turn those back into new entries on the fresh hosts. DNS is
> the only thing that's holding me up.

I almost wonder if you'd be better off massaging an LDIF to achieve
this. It could be rather horrible but it may be easier in the long-run
and it'd just be one big text file to tweak.

You probably will need to exclude some attributes (createdby,
nsuniqueid, etc) but off the top of my head I think it might be
otherwise straightforward.

rob

> 
> 
> Bret
> 
> 
> On 02/14/2018 06:33 AM, Bret Wortman wrote:
>>
>> Also, this doesn't solve the fact that the Web UI always produces an
>> error dialog whenever accessing our primary zone.
>>
>>
>> On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:
>>>
>>>
>>> On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo >> > wrote:
>>>
>>>
>>> the canonical way to do this is using ldap paging, with
>>> ldapsearch  you could try using the -E pr= parameter, where
>>>  could be 1000 for instance. That way you know you are always
>>> under the limit imposed by the server.
>>>
>>>
>>> if you use -E pr=1000/noprompt, it will not prompt to continue, nicer
>>> for scripts obviously.
>>>
>>> --
>>> Groeten,
>>> natxo
>>>
>>>
>>> ___
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
> 
> 
> 
> 
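Rob's suggestion is to export an LDIF and massage it rather than rebuild entries from ipa *-find output. The block below is an added example, not from the thread and not FreeIPA or 389-ds tooling, of that massaging step on a constructed LDIF: it unfolds RFC 2849 continuation lines, decodes base64 (::) values, keeps only the entries under the DNS container, strips the operational attributes a fresh 389-ds instance generates itself, and re-emits clean LDIF. The attribute list is an assumption built from Rob's createby/nsuniqueid hint plus the standard 389-ds operational attributes; check it against the target server before importing. The sample entries, DNs and values are constructed.

```python
import base64
from typing import Iterable, List, Tuple

Entry = List[Tuple[str, str]]   # ordered (attribute, value) pairs; the first pair is the dn

# Attributes 389-ds maintains itself; a fresh instance regenerates them on import.
# ASSUMPTION: built from the createby/nsuniqueid hint in the thread plus the
# standard 389-ds operational attributes. Verify against the target server.
OPERATIONAL_ATTRS = {
    "nsuniqueid", "creatorsname", "modifiersname", "createtimestamp",
    "modifytimestamp", "entryusn", "entryid", "parentid", "entrydn",
    "numsubordinates",
}

# Constructed sample export (not real data): one non-DNS entry, a zone and a record.
SAMPLE_LDIF = """\
version: 1

dn: cn=accounts,dc=damascusgrp,dc=com
objectClass: top
objectClass: nsContainer
cn: accounts
nsUniqueId: 00000000-00000000-00000000-00000001

dn: idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com
objectClass: top
objectClass: idnszone
idnsName: damascusgrp.com
idnsZoneActive: TRUE
# the next three attributes were generated by the old server
nsUniqueId: 00000000-00000000-00000000-00000002
creatorsName: cn=directory manager
createTimestamp: 20180101000000Z

dn: idnsname=host1,idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com
objectClass: top
objectClass: idnsrecord
idnsName: host1
aRecord: 10.0.0.11
description: folded-across-
 two-lines
modifyTimestamp: 20180214120000Z
"""


def unfold(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading single space) and drop comments."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text: str) -> List[Entry]:
    entries: List[Entry] = []
    current: Entry = []
    for line in unfold(text) + [""]:           # the trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = []
            continue
        if not current and line.startswith("version:"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):                # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):              # "attr:< file:///..." is not handled here
            raise ValueError(f"URL-valued attribute not supported: {attr}")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.append((attr, value))
    return entries


def under_base(entry: Entry, base_dn: str) -> bool:
    dn, base = entry[0][1].lower(), base_dn.lower()
    return dn == base or dn.endswith("," + base)


def strip_operational(entry: Entry, extra: Iterable[str] = ()) -> Entry:
    drop = OPERATIONAL_ATTRS | {a.lower() for a in extra}
    return [(a, v) for a, v in entry if a.lower() not in drop]


def _needs_base64(value: str) -> bool:
    """RFC 2849: anything that is not a SAFE-STRING must be written base64-encoded."""
    if not value:
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(ord(c) > 127 or c in "\r\n\0" for c in value)


def format_ldif(entries: List[Entry]) -> str:
    blocks = []
    for entry in entries:
        lines = []
        for attr, value in entry:
            if _needs_base64(value):
                encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
                lines.append(f"{attr}:: {encoded}")
            else:
                lines.append(f"{attr}: {value}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def clean_dns_ldif(text: str, dns_base: str) -> str:
    """Keep only the DNS subtree and drop the server-generated attributes."""
    kept = [strip_operational(e) for e in parse_ldif(text) if under_base(e, dns_base)]
    return format_ldif(kept)


if __name__ == "__main__":
    print(clean_dns_ldif(SAMPLE_LDIF, "cn=dns,dc=damascusgrp,dc=com"), end="")
```

The export this is meant to run on was taken as Directory Manager, so it holds every attribute of every entry in the subtree; keep the file under the same access controls as the directory itself, and compare the cleaned output against a test import on one of the new replicas before relying on it for the cut-over.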


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users

On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote:

On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote:

I did figure out that I can use

# ldapsearch -D 'directory manager' -W -E pr=2 -b 
idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com


to list out all the entries, but the format isn't what I'm expecting.

What I'm actually trying to do is move our whole infrastructure from 
one set of old & busted servers to some shiny new VMs. We'd like to 
extract the data and start fresh, as our replication agreements just 
don't seem to be working as expected. Changes to one don't always 
make it to the other and vice versa. While I'd love to dig in and 
solve that, it's easier right now to try to extract the data and 
reload it into a new server, build new replicas, then unbind & 
re-bind every client to the new server using ansible since we also 
lost our internal CA in the process.


So while our current configuration is a mess, we can't afford to lose 
all the host/user/dns/hbac data in our servers. Thus, I've been 
capturing the output to text using various ipa *-find commands and 
have parsers to turn those back into new entries on the fresh hosts. 
DNS is the only thing that's holding me up.



Bret


On 02/14/2018 06:33 AM, Bret Wortman wrote:


Also, this doesn't solve the fact that the Web UI always produces an 
error dialog whenever accessing our primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo 
> wrote:



    the canonical way to do this is using ldap paging, with
    ldapsearch  you could try using the -E pr= parameter, where
     could be 1000 for instance. That way you know you are always
    under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to continue, 
nicer for scripts obviously.


--
Groeten,
natxo











Hi Bret,

the search limits can be set at multiple levels:
- for the whole 389-ds server
nsslapd-sizelimit (in cn=config)
nsslapd-lookthroughlimit (in cn=config,cn=ldbm 
database,cn=plugins,cn=config)


- for operations performed through ipa * commands (or the webGUI):
ipaSearchRecordsLimit (in cn=ipaConfig,cn=etc,$BASEDN)

- for each user:
nssizelimit and nsLookThroughLimit attributes (in 
uid=$USER,cn=users,cn=accounts,$BASEDN)


You are probably hitting one of these limits in your ipa *-find command.

HTH,
Flo



So I found almost all of these:

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config' cn=config | 
grep nsslapd-sizelimit

nsslapd-sizelimit: 2000

# ldapsearch -D 'cn=directory manager' -W -b 'cn=config,cn=ldbm 
database,cn=plugins,cn=config' | grep lookthroughlimit

nsslapd-lookthroughlimit: 10

# ldapsearch -D 'cn=directory manager' -W -b 
'cn=ipaConfig,cn=etc,dc=damascusgrp,dc=com' | grep ipaSearchRecordsLimit

ipaSearchRecordsLimit: 9

# ldapsearch -D 'cn=directory manager' -W -b 
'uid=admin,cn=users,cn=accounts,dc=damascusgrp,dc=com' | grep -i limit

(returns data but nothing matches)

The first doesn't seem to be something I can change. It's stuck at 2000, 
but since my issue occurs at 5000, I'm not worried about it. I believe 
that I'm missing something in the fourth search that might point me 
toward the attributes you mentioned but I'm not sure where.




[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Florence Blanc-Renaud via FreeIPA-users

On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote:

I did figure out that I can use

# ldapsearch -D 'directory manager' -W -E pr=2 -b 
idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com


to list out all the entries, but the format isn't what I'm expecting.

What I'm actually trying to do is move our whole infrastructure from one 
set of old & busted servers to some shiny new VMs. We'd like to extract 
the data and start fresh, as our replication agreements just don't seem 
to be working as expected. Changes to one don't always make it to the 
other and vice versa. While I'd love to dig in and solve that, it's 
easier right now to try to extract the data and reload it into a new 
server, build new replicas, then unbind & re-bind every client to the 
new server using ansible since we also lost our internal CA in the process.


So while our current configuration is a mess, we can't afford to lose 
all the host/user/dns/hbac data in our servers. Thus, I've been 
capturing the output to text using various ipa *-find commands and have 
parsers to turn those back into new entries on the fresh hosts. DNS is 
the only thing that's holding me up.



Bret


On 02/14/2018 06:33 AM, Bret Wortman wrote:


Also, this doesn't solve the fact that the Web UI always produces an 
error dialog whenever accessing our primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo > wrote:



the canonical way to do this is using ldap paging, with
ldapsearch  you could try using the -E pr= parameter, where
 could be 1000 for instance. That way you know you are always
under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to continue, nicer 
for scripts obviously.


--
Groeten,
natxo










Hi Bret,

the search limits can be set at multiple levels:
- for the whole 389-ds server
nsslapd-sizelimit (in cn=config)
nsslapd-lookthroughlimit (in cn=config,cn=ldbm 
database,cn=plugins,cn=config)


- for operations performed through ipa * commands (or the webGUI):
ipaSearchRecordsLimit (in cn=ipaConfig,cn=etc,$BASEDN)

- for each user:
nssizelimit and nsLookThroughLimit attributes (in 
uid=$USER,cn=users,cn=accounts,$BASEDN)


You are probably hitting one of these limits in your ipa *-find command.

HTH,
Flo


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users

I did figure out that I can use

# ldapsearch -D 'directory manager' -W -E pr=2 -b 
idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com


to list out all the entries, but the format isn't what I'm expecting.

What I'm actually trying to do is move our whole infrastructure from one 
set of old & busted servers to some shiny new VMs. We'd like to extract 
the data and start fresh, as our replication agreements just don't seem 
to be working as expected. Changes to one don't always make it to the 
other and vice versa. While I'd love to dig in and solve that, it's 
easier right now to try to extract the data and reload it into a new 
server, build new replicas, then unbind & re-bind every client to the 
new server using ansible since we also lost our internal CA in the process.


So while our current configuration is a mess, we can't afford to lose 
all the host/user/dns/hbac data in our servers. Thus, I've been 
capturing the output to text using various ipa *-find commands and have 
parsers to turn those back into new entries on the fresh hosts. DNS is 
the only thing that's holding me up.



Bret


On 02/14/2018 06:33 AM, Bret Wortman wrote:


Also, this doesn't solve the fact that the Web UI always produces an 
error dialog whenever accessing our primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo > wrote:



the canonical way to do this is using ldap paging, with
ldapsearch  you could try using the -E pr= parameter, where
 could be 1000 for instance. That way you know you are always
under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to continue, nicer 
for scripts obviously.


--
Groeten,
natxo








[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
Also, this doesn't solve the fact that the Web UI always produces an 
error dialog whenever accessing our primary zone.



On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo > wrote:



the canonical way to do this is using ldap paging, with
ldapsearch  you could try using the -E pr= parameter, where
 could be 1000 for instance. That way you know you are always
under the limit imposed by the server.


if you use -E pr=1000/noprompt, it will not prompt to continue, nicer 
for scripts obviously.


--
Groeten,
natxo






[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users

I pulled up our dse.ldif and we've got:

nsslapd-sizelimit: 9

and

nsslapd-lookthroughlimit: 9
nsslapd-idlistscanlimit: 9

So I'm still not sure why I'm being limited to 5000 in my query 
response. In fact, the number 5000 doesn't exist in dse.ldif at all.


BTW, I misspoke in my original post -- "searchlimit" should read, 
"sizelimit".



Bret

On 02/13/2018 01:09 PM, Rob Crittenden wrote:

Bret Wortman via FreeIPA-users wrote:

I've run up against a limit I can't seem to adjust.

When listing a particular DNS zone which has well over 5000 hosts in it,
we keep getting "Search result has been truncated: Configured
administrative server limit exceeded."

I've tried fixing this in a number of ways. We've shut down the
services, edited dse.ldif to raise nsslapd-searchlimit to 9 and
restarted, but:

#ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep
nsslapd-sizelimit
nsslapd-sizelimit: 2000

What do I need to do to be able to list all my DNS entries for this
zone? This 5000 limit is enforced through the CLI as well, as "ipa
dnsrecord-find damascusgrp.com --sizelimit=9" will only return 5000
entries. I know it's taxing and intensive, but I need to be able to
query the WHOLE set of records we have without this restriction.

How can I get around this?

Have you looked at
http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

rob



[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
Thanks. Is it possible to list the DNS entries using ldapsearch? I've 
been using:


# ipa dnsrecord-find --all


On 02/13/2018 02:13 PM, Natxo Asenjo via FreeIPA-users wrote:



On Tue, Feb 13, 2018 at 3:33 PM, Bret Wortman via FreeIPA-users 
> wrote:


I've run up against a limit I can't seem to adjust.

When listing a particular DNS zone which has well over 5000 hosts
in it, we keep getting "Search result has been truncated:
Configured administrative server limit exceeded."

I've tried fixing this in a number of ways. We've shut down the
services, edited dse.ldif to raise nsslapd-searchlimit to 9
and restarted, but:


the canonical way to do this is using ldap paging, with ldapsearch  
you could try using the -E pr= parameter, where  could be 1000 
for instance. That way you know you are always under the limit imposed 
by the server.


If you set pr= to higher than 5000 then it should give all the 
results in one go.



--
Groeten,
natxo






[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Natxo Asenjo via FreeIPA-users
On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo 
wrote:

>
> the canonical way to do this is using ldap paging, with ldapsearch  you
> could try using the -E pr= parameter, where  could be 1000 for
> instance. That way you know you are always under the limit imposed by the
> server.
>
>
if you use -E pr=1000/noprompt, it will not prompt to continue, nicer for
scripts obviously.

--
Groeten,
natxo


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Natxo Asenjo via FreeIPA-users
On Tue, Feb 13, 2018 at 3:33 PM, Bret Wortman via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I've run up against a limit I can't seem to adjust.
>
> When listing a particular DNS zone which has well over 5000 hosts in it,
> we keep getting "Search result has been truncated: Configured
> administrative server limit exceeded."
>
> I've tried fixing this in a number of ways. We've shut down the services,
> edited dse.ldif to raise nsslapd-searchlimit to 9 and restarted, but:
>

the canonical way to do this is using ldap paging, with ldapsearch  you
could try using the -E pr= parameter, where  could be 1000 for
instance. That way you know you are always under the limit imposed by the
server.

If you set pr= to higher than 5000 then it should give all the results
in one go.


--
Groeten,
natxo


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Bret Wortman via FreeIPA-users

Looking at it now.


On 02/13/2018 01:09 PM, Rob Crittenden wrote:

Bret Wortman via FreeIPA-users wrote:

I've run up against a limit I can't seem to adjust.

When listing a particular DNS zone which has well over 5000 hosts in it,
we keep getting "Search result has been truncated: Configured
administrative server limit exceeded."

I've tried fixing this in a number of ways. We've shut down the
services, edited dse.ldif to raise nsslapd-searchlimit to 9 and
restarted, but:

#ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep
nsslapd-sizelimit
nsslapd-sizelimit: 2000

What do I need to do to be able to list all my DNS entries for this
zone? This 5000 limit is enforced through the CLI as well, as "ipa
dnsrecord-find damascusgrp.com --sizelimit=9" will only return 5000
entries. I know it's taxing and intensive, but I need to be able to
query the WHOLE set of records we have without this restriction.

How can I get around this?

Have you looked at
http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

rob



[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote:
> I've run up against a limit I can't seem to adjust.
> 
> When listing a particular DNS zone which has well over 5000 hosts in it,
> we keep getting "Search result has been truncated: Configured
> administrative server limit exceeded."
> 
> I've tried fixing this in a number of ways. We've shut down the
> services, edited dse.ldif to raise nsslapd-searchlimit to 9 and
> restarted, but:
> 
> #ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep
> nsslapd-sizelimit
> nsslapd-sizelimit: 2000
> 
> What do I need to do to be able to list all my DNS entries for this
> zone? This 5000 limit is enforced through the CLI as well, as "ipa
> dnsrecord-find damascusgrp.com --sizelimit=9" will only return 5000
> entries. I know it's taxing and intensive, but I need to be able to
> query the WHOLE set of records we have without this restriction.
> 
> How can I get around this?

Have you looked at
http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

rob