depending on the filters used, an error 11 / err=11 / ADMIN_LIMIT_EXCEEDED / "Administrative limit exceeded" could be returned, and depending on the LDAP client, it could be an important error.
it may be a good idea to set a DN for nsslapd-anonlimitsdn , see
with its associated/dedicated values different from the global settings, for the attributes nsIdleTimeout , nsTimeLimit and nsSizeLimit
or set a special user entry for those BINDs , with the same 3 user specified idletimeout, time and size limits to avoid tuning up the general setting of the size limit.
On Tue, Oct 19, 2021 at 10:44 AM Michael Starling <firstname.lastname@example.org> wrote:
I have a few questions about anon binds.
In theory if you have 3000 user objects in the directory and anonymous binds have a limit returning 2000 entries can you still use anonymous binds in LDAP client configurations without issues? Or does something else take place when a user logs in that only requires the LDAP clients (sssd or nscld) to parse that specific user dn and attributes?
Typically, with OpenLDAP I have created a "bind" user that can read all user/group objects with limited attributes and turned off anon binds so I don't fully understand the behavior of anonymous binds.
389-users mailing list -- email@example.com
To unsubscribe send an email to firstname.lastname@example.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://email@example.com
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure