Bug 806765

Summary: SSSD: Intermittent LDAP paging errors
Product: Red Hat Enterprise Linux 5
Reporter: RHEL Program Management <pm-rhel>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: urgent
Priority: urgent
Version: 5.7
CC: bgollahe, cww, grajaiya, jgalipea, jhrozek, jr.aquino, kbanerje, msvoboda, pm-eus, prc, rnelson, sbose, sgallagh, ssorce
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Fixed In Version: sssd-1.5.1-49.el5_8.1
Doc Type: Bug Fix
Doc Text:
If an LDAP server had the paging control module installed but not enabled or if a highly loaded LDAP server was restricted to a single page search operation at the time, SSSD could unexpectedly deny simple paged search requests with the following error message: Unexpected result from ldap: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection. This update implements the "ldap_disable_paging" option, which allows SSSD to disable the LDAP paging control. With this option set, the number of SSSD lookups is limited to the maximum defined by the LDAP server and SSSD no longer fails with the aforementioned error in this scenario.
Last Closed: 2012-04-02 17:59:21 UTC
Bug Depends On: 782221

Description RHEL Program Management 2012-03-26 08:01:46 UTC
This bug has been copied from bug #782221 and has been proposed
to be backported to 5.8 z-stream (EUS).

Comment 5 Kaushik Banerjee 2012-03-27 16:21:18 UTC
Verified in version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 49.el5_8.1                    Build Date: Mon 26 Mar 2012 12:01:47 PM EDT
Install Date: Tue 27 Mar 2012 10:43:27 AM EDT      Build Host: x86-004.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-49.el5_8.1.src.rpm
Size        : 3652059                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon



Verified with the following test scenarios:

1. Disable paging on openldap server. Set "ldap_disable_paging = true" in sssd.
Result: All objects are returned on lookup.

2. Disable paging on openldap server. Set "ldap_disable_paging = false" in sssd.
Result: Lookup fails with error in log "[sdap_get_generic_done] (2): Unexpected result from ldap: Administrative limit exceeded(11), pagedResults control not allowed".

3. Enable paging on openldap server with pagesize=10. Set "ldap_disable_paging = false" and "ldap_page_size = 10" in sssd.
Result: sssd fetches all objects with pagesize of 10.

Comment 6 errata-xmlrpc 2012-04-02 17:59:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0440.html

Comment 7 Miroslav Svoboda 2012-04-03 03:57:19 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
If an LDAP server had the paging control module installed but not enabled or if a highly loaded LDAP server was restricted to a single page search operation at the time, SSSD could unexpectedly deny simple paged search requests with the following error message:

    Unexpected result from ldap: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection.

This update implements the "ldap_disable_paging" option, which allows SSSD to disable the LDAP paging control. With this option set, the number of SSSD lookups is limited to the maximum defined by the LDAP server and SSSD no longer fails with the aforementioned error in this scenario.
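
The two paging failures quoted in this report (result code 53 in the technical note, result code 11 in test scenario 2 of Comment 5) can be checked against a host's configuration with the following added example, which is not part of the bug report or of SSSD. The log-line prefix, domain names and sample text are constructed; only the error strings and the "ldap_disable_paging" option come from the page.

```python
import configparser
import re

# Matches the two paging errors quoted in this report; the prefix layout is an assumption.
PAGING_ERROR = re.compile(
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[sdap_get_generic_done\] \(\d+\): "
    r"Unexpected result from ldap: .*\((?P<code>\d+)\), "
    r"(?P<diag>Simple Paged Results Search already in progress on this connection"
    r"|pagedResults control not allowed)"
)
# Constructed sample sssd.conf fragment (domain names are hypothetical).
SAMPLE_CONF = """\
[domain/LDAP]
ldap_disable_paging = false
[domain/CORP]
ldap_disable_paging = true
"""
# Constructed sample log lines; CORP's entry predates its option being set.
SAMPLE_LOG = """\
(Tue Mar 27 11:02:13 2012) [sssd[be[LDAP]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Administrative limit exceeded(11), pagedResults control not allowed
(Tue Mar 27 11:05:40 2012) [sssd[be[LDAP]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection
(Tue Mar 27 11:05:41 2012) [sssd[be[CORP]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection
(Tue Mar 27 11:06:00 2012) [sssd[be[LDAP]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
"""

def paging_failures(log_text):
    """Count paging-control failures per (domain, LDAP result code)."""
    counts = {}
    for line in log_text.splitlines():
        m = PAGING_ERROR.search(line)
        if m:
            key = (m["domain"], int(m["code"]))
            counts[key] = counts.get(key, 0) + 1
    return counts

def domains_needing_change(conf_text, log_text):
    """Domains that logged paging failures while ldap_disable_paging is not true."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(conf_text)
    flagged = set()
    for domain, _code in paging_failures(log_text):
        section = f"domain/{domain}"
        if not conf.getboolean(section, "ldap_disable_paging", fallback=False):
            flagged.add(domain)
    return sorted(flagged)

if __name__ == "__main__":
    print(paging_failures(SAMPLE_LOG), domains_needing_change(SAMPLE_CONF, SAMPLE_LOG))
```

A flagged domain is a candidate for "ldap_disable_paging = true"; as the technical note states, lookups are then limited to the maximum defined by the LDAP server.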