Description of problem:
FreeIPA Server fully populated with Production content (over 5000+ hosts) + any RHEL5.7 ipa-clients with SSSD are unable to authorize ssh connections.
After troubleshooting, it appears that sssd is performing a search query that returns all hosts in the directory, thus hitting the 389 max sizelimit even with paging enabled.
It won't be possible to utilize FreeIPA realistically with this conflict between the client and server.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Populate a 389 ds FreeIPA directory with 5000 hosts
2. Join a client to the directory.
3. Attempt to ssh into the client.
Actual results:
SSHD gets denied due to hitting a sizelimit on the returning search results.
Expected results:
SSHD should permit the login.
I think we need to have a special sizelimit just for paging e.g.
the values work just like nsslapd-sizelimit except nsslapd-paged-sizelimit applies only to simple paged result searches, and nsslapd-sizelimit applies to all searches except simple paged result searches.
A bit out of this bug's subject, but we may need to introduce the paged sizelimit per person. E.g., a special user or users in a special group may want to have no limit; the other users are rather strictly limited.
(In reply to comment #2)
> A bit out of this bug's subject, but we may need to introduce the paged
> sizelimit per person. E.g., a special user or users in a special group may
> want to have no limit; the other users are rather strictly limited.
Yeah, I guess we should add another per-user config variable for this like nsSizeLimit, nsTimeLimit, etc. - perhaps nsPageSizeLimit?
(In reply to comment #3)
> Yeah, I guess we should add another per-user config variable for this like
> nsSizeLimit, nsTimeLimit, etc. - perhaps nsPageSizeLimit?
Good idea, too! I remember OpenLDAP allows it...
Changing the summary - there are some cases where we will want to allow a different lookthroughlimit and idlistscanlimit for paged searches.
We should also see if we can allow the idlistscanlimit to be set dynamically via ldapmodify while the server is running.
Created attachment 525854
ede5dec..4dc166b master -> master
Author: Rich Megginson <firstname.lastname@example.org>
Date: Fri Sep 30 08:30:16 2011 -0600
Reviewed by: nhosoi (Thanks!)
Fix Description: There are now 6 new configuration variables that control
global and per-user limits for simple paged result searches. If these are
not present or set to 0, the corresponding non-paged limit will be used
instead. For example, if nsslapd-pagedsizelimit is not set,
nsslapd-sizelimit will be used. This keeps the previous behavior when the
new paged limits are not set.
cn=config / operational per user:
  nsslapd-pagedsizelimit / nsPagedSizeLimit - maximum number of entries
  returned by a paged search
cn=config,cn=ldbm database,cn=plugins,cn=config / operational per user:
  nsslapd-pagedlookthroughlimit / nsPagedLookThroughLimit - maximum number of
  entries retrieved from the database by a simple paged result search
  nsslapd-pagedidlistscanlimit / nsPagedIDListScanLimit - maximum size of an
  ID list that can be loaded by a simple paged result search
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: Yes - will need to document the new attributes
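As an added illustration of how the six attributes from the fix description fit together (this LDIF is not part of the bug or the patch; the sysaccount DN and the numeric limits are assumptions), the global paged limits go in cn=config and the ldbm database entry, while the per-user operational attributes let you raise the limit only for the identity that actually needs to enumerate all hosts instead of loosening the server-wide limits for everyone:

```ldif
# Global paged-result limits. Per the fix description, an absent or 0 value
# falls back to the non-paged counterpart (nsslapd-sizelimit,
# nsslapd-lookthroughlimit, nsslapd-idlistscanlimit), so leaving these
# unset keeps the pre-fix behaviour.
dn: cn=config
changetype: modify
replace: nsslapd-pagedsizelimit
nsslapd-pagedsizelimit: 10000

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pagedlookthroughlimit
nsslapd-pagedlookthroughlimit: 20000
-
replace: nsslapd-pagedidlistscanlimit
nsslapd-pagedidlistscanlimit: 20000

# Per-user override on the bind identity the clients use for host lookups
# (hypothetical system account DN; constructed for this example). Only this
# account gets the larger paged limits; every other bind keeps the
# server-wide values above, which is the least-privilege way to resolve
# the >5000-host case from the description.
dn: uid=sssd-host-lookup,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
replace: nsPagedSizeLimit
nsPagedSizeLimit: 20000
-
replace: nsPagedLookThroughLimit
nsPagedLookThroughLimit: 50000
-
replace: nsPagedIDListScanLimit
nsPagedIDListScanLimit: 50000
```

Apply with `ldapmodify -x -D "cn=Directory Manager" -W -f paged-limits.ldif`, then confirm with an ldapsearch as the overridden account that the paged search over the hosts container no longer returns sizeLimitExceeded while a plain user bind is still capped.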