Description of problem:
FreeIPA Server fully populated with Production content (over 5000+ hosts) + any RHEL5.7 ipa-clients with SSSD are unable to authorize ssh connections. After troubleshooting, it appears that sssd is performing a search query that results in returning all hosts in the directory, thus hitting the 389 max sizelimit even with paging enabled. It won't be possible to utilize FreeIPA realistically with this conflict between the client and server.

Version-Release number of selected component (if applicable):
sssd-debuginfo-1.5.13-7.el5
sssd-1.5.13-7.el5
sssd-tools-1.5.13-7.el5
sssd-client-1.5.13-7.el5
389-ds-base-1.2.9.9-1.fc15.x86_64
389-ds-base-libs-1.2.9.9-1.fc15.x86_64
389-ds-base-devel-1.2.9.9-1.fc15.x86_64

How reproducible:
Consistent

Steps to Reproduce:
1. Populate a 389 ds FreeIPA directory with 5000 hosts
2. Join a client to the directory.
3. Attempt to ssh into the client.

Actual results:
SSHD gets denied due to hitting a sizelimit on the returning search results.

Expected results:
SSHD should permit the login

Additional info:
I think we need to have a special sizelimit just for paging, e.g. nsslapd-paged-sizelimit. The values work just like nsslapd-sizelimit, except that nsslapd-paged-sizelimit applies only to simple paged result searches, and nsslapd-sizelimit applies to all searches except simple paged result searches.
A bit out of this bug's subject, but we may need to introduce the paged sizelimit per person. E.g., a special user or users in a special group may want to have no limit; the other users are rather strictly limited.
(In reply to comment #2)
> A bit out of this bug's subject, but we may need to introduce the paged
> sizelimit per person. E.g., a special user or users in a special group may
> want to have no limit; the other users are rather strictly limited.

Yeah, I guess we should add another per-user config variable for this like nsSizeLimit, nsTimeLimit, etc. - perhaps nsPageSizeLimit?
(In reply to comment #3)
> > Yeah, I guess we should add another per-user config variable for this like
> > nsSizeLimit, nsTimeLimit, etc. - perhaps nsPageSizeLimit?

Good idea, too! I remember OpenLDAP allows it...
Changing the summary - there are some cases where we will want to allow a different lookthroughlimit and idlistscanlimit for paged searches.
We should also see if we can allow the idlistscanlimit to be set dynamically via ldapmodify while the server is running.
Created attachment 525854: 0001-Bug-740942-allow-resource-limits-to-be-set-for-paged.patch
To ssh://git.fedorahosted.org/git/389/ds.git
   ede5dec..4dc166b  master -> master

commit 4dc166b51794ca5920572f6c9196eabcac25ea9e
Author: Rich Megginson <rmeggins>
Date:   Fri Sep 30 08:30:16 2011 -0600

    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: There are now 6 new configuration variables that control
    global and per-user limits for simple paged result searches. If these are
    not present or set to 0, the corresponding non-paged limit will be used
    instead. For example, if nsslapd-pagedsizelimit is not set,
    nsslapd-sizelimit will be used. This keeps the previous behavior when the
    new paged limits are not set.

    cn=config / operational per user:
      nsslapd-pagedsizelimit / nsPagedSizeLimit - maximum number of entries
        returned by a paged search

    cn=config,cn=ldbm database,cn=plugins,cn=config / operational per user:
      nsslapd-pagedlookthroughlimit / nsPagedLookThroughLimit - maximum number
        of entries retrieved from the database by a simple paged result search
      nsslapd-pagedidlistscanlimit / nsPagedIDListScanLimit - maximum size of
        an ID list that can be loaded by a simple paged result search

    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: Yes - will need to document the new attributes
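As an added example (not part of this bug or the 389 commit), the LDIF below shows how the new global and per-user paged limits from the fix description would be applied with ldapmodify on a running server. The numeric values and the bind-identity DN are placeholders chosen for illustration; the attribute names and the two config entry DNs are the ones listed in the commit above. The per-user entry should be whichever identity the client actually binds as.

```ldif
# Added example, not from the bug or the 389 commit.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f paged-limits.ldif
# Values below are placeholders; 0 or absent means "fall back to the
# corresponding non-paged limit" per the fix description.

# Global cap on entries returned by a simple paged result search.
dn: cn=config
changetype: modify
replace: nsslapd-pagedsizelimit
nsslapd-pagedsizelimit: 20000

# Global database-side limits for paged searches (ldbm backend config).
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pagedlookthroughlimit
nsslapd-pagedlookthroughlimit: 20000
-
replace: nsslapd-pagedidlistscanlimit
nsslapd-pagedidlistscanlimit: 20000

# Per-user override for the identity the client binds as (DN is a placeholder).
# Only this identity gets the higher paged limits; everyone else keeps the globals.
dn: uid=sssd-binder,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
replace: nsPagedSizeLimit
nsPagedSizeLimit: 50000
-
replace: nsPagedLookThroughLimit
nsPagedLookThroughLimit: 50000
-
replace: nsPagedIDListScanLimit
nsPagedIDListScanLimit: 50000
```

To confirm the change took effect, run a simple paged search as the overridden identity (OpenLDAP's ldapsearch supports `-E pr=1000/noprompt`) against the host subtree and check that the full result set is returned without a sizeLimitExceeded result; a search as an unrelated user should still be bounded by the global values. Setting the per-user attributes on only the service identity, rather than raising nsslapd-sizelimit for everyone, keeps the protection against unbounded searches by ordinary users while letting the client enumerate the 5000+ host entries it needs.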
Upstream ticket: https://fedorahosted.org/389/ticket/245