This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 740942 - allow resource limits to be set for paged searches independently of limits for other searches/operations
allow resource limits to be set for paged searches independently of limits fo...
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Database - General (Show other bugs)
1.2.9
All Linux
unspecified Severity high
: ---
: ---
Assigned To: Rich Megginson
Ben Levenson
: screened
Depends On:
Blocks: 690319 742661 389_1.2.10
  Show dependency treegraph
 
Reported: 2011-09-23 16:42 EDT by Jr Aquino
Modified: 2015-12-10 13:42 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 742661 (view as bug list)
Environment:
Last Closed: 2015-12-10 13:42:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
0001-Bug-740942-allow-resource-limits-to-be-set-for-paged.patch (23.05 KB, patch)
2011-09-30 20:12 EDT, Rich Megginson
nhosoi: review+
Details | Diff

  None (edit)
Description Jr Aquino 2011-09-23 16:42:48 EDT
Description of problem:
FreeIPA Server fully populated with Production content (over 5000+ hosts) + any RHEL5.7 ipa-clients with SSSD are unable to authorize ssh connections.

After troubleshooting, it appears that sssd is performing a search query that results returning all hosts in the directory, thus hitting the 389 max sizelimit even with paging enabled.

It won't be possible to utilize FreeIPA realistically with this conflict between the client and server.

Version-Release number of selected component (if applicable):
sssd-debuginfo-1.5.13-7.el5
sssd-1.5.13-7.el5
sssd-tools-1.5.13-7.el5
sssd-client-1.5.13-7.el5

389-ds-base-1.2.9.9-1.fc15.x86_64
389-ds-base-libs-1.2.9.9-1.fc15.x86_64
389-ds-base-devel-1.2.9.9-1.fc15.x86_64

How reproducible:
Consistent

Steps to Reproduce:
1. Populate a 389 ds FreeIPA directory with 5000 hosts
2. Join a client to the directory.
3. Attempt to ssh into the client.
  
Actual results:
SSHD gets denied due to hitting a sizelimit on the returning search results.

Expected results:
SSHD should permit the login

Additional info:
Comment 1 Rich Megginson 2011-09-23 16:53:08 EDT
I think we need to have a special sizelimit just for paging e.g.
nsslapd-paged-sizelimit
the values work just like nsslapd-sizelimit except nsslapd-paged-sizelimit applies only to simple paged result searches, and nsslapd-sizelimit applies to all searches except simple paged result searches.
Comment 2 Noriko Hosoi 2011-09-26 14:04:19 EDT
A bit out of this bug's subject, but we may need to introduce the paged sizelimit per person.  E g., a special user or users in a special group may want to have no limit; the other users are rather strictly limited.
Comment 3 Rich Megginson 2011-09-26 14:21:30 EDT
(In reply to comment #2)
> A bit out of this bug's subject, but we may need to introduce the paged
> sizelimit per person.  E g., a special user or users in a special group may
> want to have no limit; the other users are rather strictly limited.

Yeah, I guess we should add another per-user config variable for this like nsSizeLimit, nsTimeLimit, etc. - perhaps nsPageSizeLimit?
Comment 4 Noriko Hosoi 2011-09-26 14:29:59 EDT
(In reply to comment #3)
> 
> Yeah, I guess we should add another per-user config variable for this like
> nsSizeLimit, nsTimeLimit, etc. - perhaps nsPageSizeLimit?

Good idea, too!  I remember OpenLDAP allows it...
Comment 5 Rich Megginson 2011-09-26 14:52:53 EDT
Changing the summary - there are some cases where we will want to allow a different lookthroughlimit and idlistscanlimit for paged searches.
Comment 6 Rich Megginson 2011-09-26 14:53:35 EDT
We should also see if we can allow the idlistscanlimit to be set dynamically via ldapmodify while the server is running.
Comment 7 Rich Megginson 2011-09-30 20:12:45 EDT
Created attachment 525854 [details]
0001-Bug-740942-allow-resource-limits-to-be-set-for-paged.patch
Comment 8 Rich Megginson 2011-09-30 21:59:07 EDT
To ssh://git.fedorahosted.org/git/389/ds.git
   ede5dec..4dc166b  master -> master
commit 4dc166b51794ca5920572f6c9196eabcac25ea9e
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Fri Sep 30 08:30:16 2011 -0600
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: There are now 6 new configuration variables that control
    global and per-user limits for simple paged result searches.  If these are
    not present or set to 0, the corresponding non-paged limit will be used
    instead.  For example, if nsslapd-pagedsizelimit is not set,
    nsslapd-sizelimit will be used.  This keeps the previous behavior when the
    new paged limits are not set.
    cn=config/operational per user
    nsslapd-pagedsizelimit/nsPagedSizeLimit - maximum number of entries returned
    by a paged search
    cn=config,cn=ldbm database,cn=plugins,cn=config/operational per user
    nsslapd-pagedlookthroughlimit/nsPagedLookThroughLimit - maximum number of
    entries retrieved from the database by a simple paged result search
    nsslapd-pagedidlistscanlimit/nsPagedIDListScanLimit - maximum size of an ID
    list that can be loaded by a simple paged result search
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: Yes - will need to document the new attributes
Comment 12 Rich Megginson 2012-01-10 15:18:42 EST
Upstream ticket:
https://fedorahosted.org/389/ticket/245

Note You need to log in before you can comment on or make changes to this bug.