Ticket #245 (closed enhancement: fixed)

Opened 2 years ago

Last modified 2 years ago

allow resource limits to be set for paged searches independently of limits for other searches/operations

Reported by: rmeggins Owned by: nhosoi
Priority: major Milestone: 1.2.10
Component: Database - General Version: 1.2.9.9
Keywords: Cc:
Blocked By: Blocking:
Review: ack Ticket origin:
Red Hat Bugzilla: 740942,742661

Description (last modified by rmeggins) (diff)

https://bugzilla.redhat.com/show_bug.cgi?id=740942

Description of problem:
FreeIPA Server fully populated with Production content (over 5000+ hosts) + any
RHEL5.7 ipa-clients with SSSD are unable to authorize ssh connections.

After troubleshooting, it appears that sssd is performing a search query that
results returning all hosts in the directory, thus hitting the 389 max
sizelimit even with paging enabled.

It won't be possible to utilize FreeIPA realistically with this conflict
between the client and server.

Version-Release number of selected component (if applicable):
sssd-debuginfo-1.5.13-7.el5
sssd-1.5.13-7.el5
sssd-tools-1.5.13-7.el5
sssd-client-1.5.13-7.el5

389-ds-base-1.2.9.9-1.fc15.x86_64
389-ds-base-libs-1.2.9.9-1.fc15.x86_64
389-ds-base-devel-1.2.9.9-1.fc15.x86_64

How reproducible:
Consistent

Steps to Reproduce:
1. Populate a 389 ds FreeIPA directory with 5000 hosts
2. Join a client to the directory.
3. Attempt to ssh into the client.

Actual results:
SSHD gets denied due to hitting a sizelimit on the returning search results.

Expected results:
SSHD should permit the login

Additional info:

commit changeset:4dc166b51794ca5920572f6c9196eabcac25ea9e/389-ds-base
Author: Rich Megginson <rmeggins@…>
Date: Fri Sep 30 08:30:16 2011 -0600

Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: There are now 6 new configuration variables that control
global and per-user limits for simple paged result searches. If these are
not present or set to 0, the corresponding non-paged limit will be used
instead. For example, if nsslapd-pagedsizelimit is not set,
nsslapd-sizelimit will be used. This keeps the previous behavior when the
new paged limits are not set.
cn=config/operational per user
nsslapd-pagedsizelimit/nsPagedSizeLimit - maximum number of entries returned
by a paged search
cn=config,cn=ldbm database,cn=plugins,cn=config/operational per user
nsslapd-pagedlookthroughlimit/nsPagedLookThroughLimit - maximum number of
entries retrieved from the database by a simple paged result search
nsslapd-pagedidlistscanlimit/nsPagedIDListScanLimit - maximum size of an ID
list that can be loaded by a simple paged result search
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: Yes - will need to document the new attributes

Change History

comment:1 Changed 2 years ago by rmeggins

  • Version set to 1.2.9.9
  • Status changed from new to closed
  • Resolution set to fixed
  • Milestone changed from NEEDS_TRIAGE to 1.2.10
  • Type changed from defect to enhancement
  • Review changed from Needs Review to ack
  • Description modified (diff)

comment:2 Changed 2 years ago by rmeggins

  • Red Hat Bugzilla changed from [https://bugzilla.redhat.com/show_bug.cgi?id=740942 740942] to [https://bugzilla.redhat.com/show_bug.cgi?id=740942 740942],[https://bugzilla.redhat.com/show_bug.cgi?id=742661 742661]

comment:3 Changed 20 months ago by nkinder

  • screened set to 1

Added initial screened field value.

Note: See TracTickets for help on using tickets.