Bug 864594

Summary: anonymous limits are being applied to directory manager
Product: Red Hat Enterprise Linux 6 Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: Sankar Ramalingam <sramling>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 6.4CC: jgalipea, mkubik, mreynolds, nkinder
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Setting anonymous resource limits Consequence: The anonymous limits are incorrectly applied to the root DN Fix: Ensure the anonymous resource limits are removed for root DN binds. Result: Root DN does not hit the resource limits when doing searches.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 08:21:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Noriko Hosoi 2012-10-09 17:28:22 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/446

Performing an ldapsearch in 389-ds-base-1.2.10.14-1.fc16.x86_64 in a container with > 5000 entries errors with result: 11 Administrative limit exceeded.

The dse.ldif is set for appropriately high limits.  I am using the Directory Manager user to perform the search.  The search is being performed locally but the limit is still getting hit
Comment 1 Nathan Kinder 2012-10-09 17:52:56 UTC 
From the trac ticket:

--------------------------------------------------
Here are the exact steps to reproduce the issue:

[1] Add the resource limit entry:

dn: cn=anonymous limits,dc=example,dc=com
cn: anonymous limits
objectClass: top
objectClass: nscontainer
nsLookThroughLimit: 5000

[2] Then add this to cn=config:

nsslapd-anonlimitsdn: cn=anonymous limits,dc=example,dc=com

[3] Add 5001 entries

[4] do a ldapsearch for objectclass=*:

ldapsearch -D "cn=directory manager" -w password -xLLL -b "dc=example,dc=com" objectclass=* dn

Administrative limit exceeded (11)

--------------------------------------------------
Comment 3 Milan Kubík 2012-11-13 10:47:09 UTC 
$ /usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w Secret123 -s sub -b "ou=people,dc=anonymousresourcelimit,dc=example,dc=com" uid="anonymous manager" nsLookThroughLimit
version: 1
dn: uid=anonymous manager,ou=people,dc=anonymousresourcelimit,dc=example,dc=com
nsLookThroughLimit: 10

$ /usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w Secret123 -s sub -b "ou=people,dc=anonymousresourcelimit,dc=example,dc=com" uid=* dn | grep "dn: " | wc -l
10000

$ echo $?
0

$ rpm -qa | grep 389-ds-base
389-ds-base-1.2.11.15-3.el6.x86_64
Comment 4 errata-xmlrpc 2013-02-21 08:21:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html
Comment 5 Milan Kubík 2013-06-24 10:54:48 UTC 
Covered in anonymousResourceLimit suite