Wednesday, June 1, 2022

[389-users] Re: another question: searches running into administrative limits

On 6/1/22 4:11 PM, Pierre Rogier wrote:
> Hi Rainer,
>
> try:
> dsconf instanceName backend config set --idlistscanlimit 5000
> Note: you must perform a full reindex or a reimport after changing this value

Actually you don't need to do that in 389ds (only SunDS), in 389DS we
actually index everything regardless of this setting.  So making that
config change will work right away, but really I think you need to set
the lookthroughlimit like David suggested:

# dsconf instanceName backend config set --lookthroughlimit 5000


Mark

>
> FYI: Browsing (or VLV) index does not help unless you are also using
> VLV controls in the search request
>
> On Wed, Jun 1, 2022 at 6:24 PM David Ritenour <d.ritenour@martinfed.com> wrote:
>> Try setting the nslookthroughlimit to 5000 (or -1 for unlimited) on the entry you are binding with.
>>
>> Alternatively, you can set the nsslapd-lookthroughlimit to 5000 (or -1 for unlimited) in the cn=config,cn=ldbm database,cn=plugins,cn=config entry but doing so will remove the lookthroughlimit restriction for ANYONE searching the directory.
>>
>> In addition, I would avoid using a complex search with "objectClass=inetOrgPerson" if the filter "uid=926*" is sufficient.
>>
>> David Ritenour
>> Senior Directory Engineer
>> 513 Madison Street SE
>> Huntsville, AL 35801
>>
>>
>>
>>
>> -----Original Message-----
>> From: Rainer Duffner <rainer@ultra-secure.de>
>> Sent: Wednesday, June 1, 2022 11:45 AM
>> To: General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>
>> Subject: [389-users] another question: searches running into administrative limits
>>
>> ** WARNING: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>
>>
>> Hi,
>>
>>
>> when searching for something like this:
>>
>> LDAPTLS_REQCERT=never ldapsearch -xLLL -H ldaps://127.0.0.1:636 -D "cn=bla,dc=users,dc=bla,dc=org,dc=da" -W -b 'dc=ble,dc=bla,dc=org,dc=da' -s sub -a always "(&(objectclass=inetOrgPerson)(uid=926*))" "uid" "objectClass"
>>
>> I get the "Administrative limit exceeded (11)" error message.
>>
>> There are less than 5000 entries in that directory - and I've set the size-limit to 5000 subsequently (from the default 2000).
>>
>> I then created a Browsing Index on the „ble" directory - but I still the the error message.
>> Also enabled SubString Indexes for the uid attribute.
>>
>> What else could there be?
>>
>>
>> Rainer
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>> This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to which they are addressed. If you are not the intended recipient or the person responsible for delivering the email to the intended recipient, be advised that you have received this email and any such files in error and that any use, dissemination, forwarding, printing or copying of this email and/or any such files is strictly prohibited. If you have received this email in error please immediately notify hr@martinfed.com - (855) 212-1810 , and destroy the original message and any such files.
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
>
--
Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

No comments:

Post a Comment