Hide Forgot
Description of problem: When admin set the global size limit (ipa config-mod) to the lower or equal number than the amount of any entity which is user member of (user group, netgroup, role, HBAC rule, Sudo rule) then the 'ipa user show' command fails with following error: CLI: ipa: ERROR: Configured size limit exceeded API: ERROR: 4215 "Configured size limit exceeded" "SizeLimitExceeded" So, the same behavior in CLI and API. Also other commands which internally callsuser-show fails (i.e. pwpolicy-show). Version-Release number of selected component (if applicable): ipa-4.4.0-12, ipa-4.5.0-21.el7_4.1 Haven't tried older versions yet. How reproducible: 100% Steps to Reproduce (in WebUI): 1. Create a user in IPA 2. Create 5 user groups 3. Go to User details facet 4. Click on "User groups" tab 5. Add all created user groups 6. Everything works as expected (default sizelimit is 100) 7. Go to IPA Server -> Configuration 8. Change Search size limit to 4 9. Go back to Identity -> open user created in step 1 10. Hit 'Refresh' button 11. Error dialog is shown Steps to Reproduce (CLI): 1. $ ipa user-add tuser --first=test --last=user 2. $ ipa usergroup-add tgroup1-5 3. $ ipa group-add-member tgroup1-5 --users=tuser 4. $ ipa user-show tuser 5. everything works properly -> user record is shown 6. $ ipa config-mod --searchrecordslimit=5 7. $ ipa user-show tuser 8. size limit error Actual results: Got sizelimit error Expected results: Get user record Additional info:
Upstream ticket: https://pagure.io/freeipa/issue/7112
Fixed upstream master: https://pagure.io/freeipa/c/418421d94182f03aa9af38f7ab9ed141828f1eb2
Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/b516ad8af484a12a0a88375cef7da12569d6ae01
Fixed upstream ipa-4-5: https://pagure.io/freeipa/c/c27d015202be35b2ac04151a73a2179909127704
ipa-version: ipa-server-4.5.4-8.el7.x86_64 Verified the bug on the basis of following observations: 1. Verified that 'size limit error ' is not observed as per the steps mentioned inside the bug. 2. Refer the console output steps below: [root@auto-hv-01-guest10 ~]# kinit admin Password for admin@TESTRELM.TEST: [root@auto-hv-01-guest10 ~]# ipa user-add tuser --first=test --last=user ------------------ Added user "tuser" ------------------ User login: tuser First name: test Last name: user Full name: test user Display name: test user Initials: tu Home directory: /home/tuser GECOS: test user Login shell: /bin/sh Principal name: tuser@TESTRELM.TEST Principal alias: tuser@TESTRELM.TEST Email address: tuser@testrelm.test UID: 1400000001 GID: 1400000001 Password: False Member of groups: ipausers Kerberos keys available: False [root@auto-hv-01-guest10 ~]# ipa group-add tgroup1 --------------------- Added group "tgroup1" --------------------- Group name: tgroup1 GID: 1400000003 [root@auto-hv-01-guest10 ~]# ipa group-add tgroup2 --------------------- Added group "tgroup2" --------------------- Group name: tgroup2 GID: 1400000004 [root@auto-hv-01-guest10 ~]# [root@auto-hv-01-guest10 ~]# ipa group-add tgroup3 --------------------- Added group "tgroup3" --------------------- Group name: tgroup3 GID: 1400000005 [root@auto-hv-01-guest10 ~]# ipa group-add tgroup4 --------------------- Added group "tgroup4" --------------------- Group name: tgroup4 GID: 1400000006 [root@auto-hv-01-guest10 ~]# ipa group-add tgroup5 --------------------- Added group "tgroup5" --------------------- Group name: tgroup5 GID: 1400000007 [root@auto-hv-01-guest10 ~]# ipa group-add-member tgroup1 --users=tuser Group name: tgroup1 GID: 1400000003 Member users: tuser ------------------------- Number of members added 1 ------------------------- [root@auto-hv-01-guest10 ~]# ipa group-add-member tgroup2 --users=tuser Group name: tgroup2 GID: 1400000004 Member users: tuser ------------------------- Number of members added 1 ------------------------- [root@auto-hv-01-guest10 ~]# ipa group-add-member tgroup3 --users=tuser Group name: tgroup3 GID: 1400000005 Member users: tuser ------------------------- Number of members added 1 ------------------------- [root@auto-hv-01-guest10 ~]# ipa group-add-member tgroup4 --users=tuser Group name: tgroup4 GID: 1400000006 Member users: tuser ------------------------- Number of members added 1 ------------------------- [root@auto-hv-01-guest10 ~]# ipa group-add-member tgroup5 --users=tuser Group name: tgroup5 GID: 1400000007 Member users: tuser ------------------------- Number of members added 1 ------------------------- [root@auto-hv-01-guest10 ~]# ipa user-show tuser User login: tuser First name: test Last name: user Home directory: /home/tuser Login shell: /bin/sh Principal name: tuser@TESTRELM.TEST Principal alias: tuser@TESTRELM.TEST Email address: tuser@testrelm.test UID: 1400000001 GID: 1400000001 Account disabled: False Password: False Member of groups: tgroup2, tgroup1, tgroup5, tgroup4, ipausers, tgroup3 Kerberos keys available: False [root@auto-hv-01-guest10 ~]# ipa config-mod --searchrecordslimit=5 Maximum username length: 32 Home directory base: /home Default shell: /bin/sh Default users group: ipausers Default e-mail domain: testrelm.test Search time limit: 2 Search size limit: 5 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=TESTRELM.TEST Password Expiration Notification (days): 4 Password plugin features: AllowNThash, KDC:Disable Last Success SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: MS-PAC, nfs:NONE IPA masters: auto-hv-01-guest10.testrelm.test, auto-hv-02-guest09.testrelm.test IPA CA servers: auto-hv-01-guest10.testrelm.test, auto-hv-02-guest09.testrelm.test IPA NTP servers: auto-hv-01-guest10.testrelm.test, auto-hv-02-guest09.testrelm.test IPA CA renewal master: auto-hv-01-guest10.testrelm.test IPA master capable of PKINIT: auto-hv-01-guest10.testrelm.test, auto-hv-02-guest09.testrelm.test [root@auto-hv-01-guest10 ~]# ipa user-show tuser User login: tuser First name: test Last name: user Home directory: /home/tuser Login shell: /bin/sh Principal name: tuser@TESTRELM.TEST Principal alias: tuser@TESTRELM.TEST Email address: tuser@testrelm.test UID: 1400000001 GID: 1400000001 Account disabled: False Password: False Member of groups: tgroup2, tgroup1, tgroup5, tgroup4, ipausers, tgroup3 Kerberos keys available: False Thus on the basis of above observations, marking the status of bug to "VERIFIED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0918