Hi Bob,
Two things to try:
[1] Change the filter to (remove the colon): "(memberof=cn=large_group,ou=groups,dc=org,dc=com)"
[2] Run the memberof fixup task:
# dsconf slapd-YOUR_INSTANCE_NAME plugins memberof fixup "dc=org,dc=com"
# dsconf slapd-YOUR_INSTANCE_NAME plugins memberof fixup-status --dn <DN returned from the "fixup task"> --watch
Then run the search again once the fixup task finishes.
HTH,
Mark
On 12/16/25 5:44 PM, Bob Green via 389-users wrote:
I have some groups with as many as 30K+ members. After enabling the memberOf plugin, ldap queries such as "(memberof:=cn=large_group,ou=groups,dc=org,dc=com)", only return a partial list of members.

I've increased the following cn=config attributes but am not seeing an increase in records returned:

nsslapd-sizelimit
nsslapd-lookthroughlimit
nsslapd-idlistscanlimit

I've been experimenting with various levels of logging to try to understand what might be preventing all of the records being returned, and have the following currently configured:

nsslapd-accesslog-level: 514
nsslapd-errorlog-level: 114688
nsslapd-plugin-logging: on
nsslapd-securitylog-level: 256
nsslapd-statlog-level: 0

I have yet to tweak any OS or application settings in regards to cache or anything else that might be warranted considering the number of ldap entries I expect to serve, so I expect there's work to be done in that regard. However I've yet to find any debug log to point me in the direction of figuring out why memberOf is only providing a partial list of all matching entries.

Any advice on what log levels I might consider or what config attributes I should focus on to see about addressing my issue?

Thank you,
Bob

My test platform:

% grep SUSE /etc/*release
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
% rpm -q 389-ds
389-ds-2.2.10~git146.78a60e3ac-150600.8.23.1.x86_64
-- Identity Management Development Team
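Added example, not part of the thread or of 389-ds: once the fixup task has finished, this script lists the group members that the memberof search still does not return, by comparing the group's member values with the DNs in the search result. The host URI, the bind DN and the file names group.ldif and search.ldif are assumptions, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example: list group members that a memberOf search does not return.
# Live input (assumed host and bind DN; group and suffix are from the thread):
#   ldapsearch -LLL -o ldif-wrap=no -H ldap://localhost -D "cn=Directory Manager" -W \
#     -b "cn=large_group,ou=groups,dc=org,dc=com" -s base member > group.ldif
#   ldapsearch -LLL -o ldif-wrap=no -H ldap://localhost -D "cn=Directory Manager" -W \
#     -b "dc=org,dc=com" "(memberof=cn=large_group,ou=groups,dc=org,dc=com)" 1.1 > search.ldif

# Print the normalised (lower-case, no spaces around "," and "=") values of
# one attribute from unwrapped LDIF on stdin. Base64 values ("attr::") are skipped.
ldif_values() {
    awk -v a="$1" '
        BEGIN { p = tolower(a) ": " }
        tolower(substr($0, 1, length(p))) == p {
            v = tolower(substr($0, length(p) + 1))
            gsub(/ *, */, ",", v); gsub(/ *= */, "=", v)
            print v
        }' | LC_ALL=C sort -u
}

# Print every member DN of the group ($1) that is absent from the search result ($2).
missing_memberof() {
    m=$(mktemp); s=$(mktemp)
    ldif_values member < "$1" > "$m"
    ldif_values dn < "$2" > "$s"
    LC_ALL=C comm -23 "$m" "$s"
    rm -f "$m" "$s"
}

# Constructed sample: three members, but the search returned only two entries.
demo() {
    g=$(mktemp); r=$(mktemp)
    cat > "$g" <<'EOF'
dn: cn=large_group,ou=groups,dc=org,dc=com
member: uid=alice,ou=people,dc=org,dc=com
member: uid=bob, ou=people, dc=org, dc=com
member: UID=carol,ou=people,dc=org,dc=com
EOF
    cat > "$r" <<'EOF'
dn: uid=alice,ou=people,dc=org,dc=com

dn: uid=bob,ou=people,dc=org,dc=com
EOF
    missing_memberof "$g" "$r"
    rm -f "$g" "$r"
}

demo
```

An empty result means every direct member of the group came back from the search; any DN printed is an entry the search did not return.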