Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Ludwig Krispenz


On 05/17/2016 12:49 PM, Ludwig Krispenz wrote:


On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:


Hello,

I am new to freeIPA and I am recently working on a project to 
integrate freeIPA with some legacy application which uses LDAP for 
user management.


I have initially created our own ldap structure and I tried to run 
the code against freeIPA/389DS. While running this example I noticed 
that 389DS takes quite some time to load profile data from the 
different ldap nodes (~2000 entries). In a previous prototype using 
OpenDJ we had to increase the parameter ds-cfg-size-limit: to ~1000 
with good results. I am wondering now whether we can do the same for 
the freeIPA/389DS server. I found the following pages but I could not 
work out what the exact command should be to modify those parameters.


https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html

http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

I attempted the following but received an ObjectClass violation:

[centos@ldap-389ds-ireland ~]$ ldapmodify -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
modifying entry "dc=ldap,dc=adeptra,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "nsslapd-sizelimit" not allowed

slimit:
dn: dc=ldap,dc=example,dc=com
changetype: modify
add:nsslapd-sizelimit
nsslapd-sizelimit: 1000

I also attempted using a user dn but with the same result.

the example in the doc is unfortunately incorrect, 
in the latest doc it is corrected: 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Finding_Directory_Entries.html#Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line
nsslapd-sizelimit is the general limit in cn=config, the attribute per 
user is nsSizeLimit (as used in the text in the doc).

And you have to add it to a user used for binding


Can anybody help ?

Thanks,

Giuseppe.


Fair Isaac Services Limited (Co. No. 01998476) and Fair Isaac 
(Adeptra) Limited (Co. No. 03295455) are registered in England and 
Wales and have a registered office address of Cottons Centre, 5th 
Floor, Hays Lane, London, SE1 2QP.


This email and any files transmitted with it are confidential, 
proprietary and intended solely for the individual or entity to whom 
they are addressed. If you have received this email in error please 
delete it immediately.





--
Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael 
O'Neill





-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Ludwig Krispenz


On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:


Hello,

I am new to freeIPA and I am recently working on a project to 
integrate freeIPA with some legacy application which uses LDAP for 
user management.


I have initially created our own ldap structure and I tried to run the 
code against freeIPA/389DS. While running this example I noticed that 
389DS takes quite some time to load profile data from the different 
ldap nodes (~2000 entries). In a previous prototype using OpenDJ we 
had to increase the parameter ds-cfg-size-limit: to ~1000 with good 
results. I am wondering now whether we can do the same for the 
freeIPA/389DS server. I found the following pages but I could not work 
out what the exact command should be to modify those parameters.


https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html

http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

I attempted the following but received an ObjectClass violation:

[centos@ldap-389ds-ireland ~]$ ldapmodify -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
modifying entry "dc=ldap,dc=adeptra,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "nsslapd-sizelimit" not allowed

slimit:
dn: dc=ldap,dc=example,dc=com
changetype: modify
add:nsslapd-sizelimit
nsslapd-sizelimit: 1000

I also attempted using a user dn but with the same result.

the example in the doc is unfortunately incorrect, nsslapd-sizelimit is 
the general limit in cn=config, the attribute per user is nsSizeLimit 
(as used in the text in the doc).

And you have to add it to a user used for binding


Can anybody help ?

Thanks,

Giuseppe.








Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Petr Spacek
On 16.5.2016 23:19, Giuseppe Sarno wrote:
> Hello,
> I am new to freeIPA and I am recently working on a project to integrate 
> freeIPA with some legacy application which uses LDAP for user management.
> I have initially created our own ldap structure and I tried to run the code 
> against freeIPA/389DS. While running this example I noticed that 389DS takes 
> quite some time to load profile data from the different ldap nodes (~2000 
> entries). In a previous prototype using OpenDJ we had to increase the 
> parameter ds-cfg-size-limit: to ~1000 with good results. I am wondering now 
> whether we can do the same for the freeIPA/389DS server. I found the 
> following pages but I could not work out what the exact command should be to 
> modify those parameters.
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
> 
> http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html
> 
> I attempted the following but received an ObjectClass violation:
> 
> [centos@ldap-389ds-ireland ~]$ ldapmodify  -h ldap-389ds-ip -D "cn=Directory 
> Manager" -w '' -f slimit
> modifying entry "dc=ldap,dc=adeptra,dc=com"
> ldap_modify: Object class violation (65)
> additional info: attribute "nsslapd-sizelimit" not allowed

System-wide config is stored in "cn=config".

For further details please see
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Finding_Directory_Entries.html#Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line

Petr^2 Spacek


> slimit:
> dn: dc=ldap,dc=example,dc=com
> changetype: modify
> add:nsslapd-sizelimit
> nsslapd-sizelimit: 1000
> 
> I also attempted using a user dn but with the same result.



Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Martin Babinsky

On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:

Hello,

I am new to freeIPA and I am recently working on a project to integrate
freeIPA with some legacy application which uses LDAP for user management.

I have initially created our own ldap structure and I tried to run the
code against freeIPA/389DS. While running this example I noticed that
389DS takes quite some time to load profile data from the different ldap
nodes (~2000 entries). In a previous prototype using OpenDJ we had to
increase the parameter ds-cfg-size-limit: to ~1000 with good results. I
am wondering now whether we can do the same for the freeIPA/389DS
server. I found the following pages but I could not work out what the
exact command should be to modify those parameters.



https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html



http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html



I attempted the following but received an ObjectClass violation:



[centos@ldap-389ds-ireland ~]$ ldapmodify -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
modifying entry "dc=ldap,dc=adeptra,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "nsslapd-sizelimit" not allowed

slimit:
dn: dc=ldap,dc=example,dc=com
changetype: modify
add:nsslapd-sizelimit
nsslapd-sizelimit: 1000



I also attempted using a user dn but with the same result.



Can anybody help ?



Thanks,

Giuseppe.









Hi Giuseppe,

the best way to tweak directory server configuration is this:

1.) stop directory server (systemctl stop dirsrv@EXAMPLE-COM)

2.) edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file:
locate the nsslapd-sizelimit entry and change the value

3.) start directory server (systemctl start dirsrv@EXAMPLE-COM)

You should see the new value if you search for it in the 'cn=config' 
subtree which hosts the configuration (not the dc=example,dc=com suffix 
you use).


--
Martin^3 Babinsky
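
The distinction the replies above draw (nsslapd-sizelimit belongs on cn=config, nsSizeLimit on the entry used for binding), as an added example that is not part of the original thread: a shell helper that emits the matching LDIF for either target. The host name ldap.example.test and the uid=legacyapp DN are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the LDIF for a 389 DS size-limit
# change, choosing the attribute by target entry:
#   cn=config        -> nsslapd-sizelimit (server-wide default)
#   any other entry  -> nsSizeLimit       (applies to binds as that entry)
# Usage: sizelimit_ldif <target-dn> <limit>     (-1 means unlimited)
sizelimit_ldif() {
    dn=$1
    limit=$2
    # Accept only -1 or a non-negative integer.
    case $limit in
        -1) ;;
        ''|*[!0-9]*) echo "invalid limit: $limit" >&2; return 2 ;;
    esac
    # DN matching is case-insensitive, so compare a lower-cased copy.
    norm=$(printf '%s' "$dn" | tr 'A-Z' 'a-z')
    case $norm in
        '') echo "empty DN" >&2; return 2 ;;
        cn=config) attr=nsslapd-sizelimit ;;
        # Suffix and user entries reject nsslapd-sizelimit (error 65 above).
        *) attr=nsSizeLimit ;;
    esac
    # "replace" sets the value whether or not the attribute already exists.
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$dn" "$attr" "$attr" "$limit"
}

# Constructed usage (placeholder host and bind-user DN; -W prompts for the
# password instead of putting it on the command line):
#   sizelimit_ldif "uid=legacyapp,cn=users,cn=accounts,dc=example,dc=com" 2000 |
#       ldapmodify -H ldap://ldap.example.test -D "cn=Directory Manager" -W
# Read back the server-wide value from the configuration subtree:
#   ldapsearch -H ldap://ldap.example.test -D "cn=Directory Manager" -W \
#       -b cn=config -s base nsslapd-sizelimit
```

Setting nsSizeLimit on the one account that needs large result sets leaves the server-wide nsslapd-sizelimit unchanged for every other client.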
