https://bugzilla.redhat.com/show_bug.cgi?id=740942
Description of problem:
FreeIPA Server fully populated with Production content (over 5000+ hosts) + any RHEL5.7 ipa-clients with SSSD are unable to authorize ssh connections. After troubleshooting, it appears that sssd is performing a search query that results in returning all hosts in the directory, thus hitting the 389 max sizelimit even with paging enabled. It won't be possible to utilize FreeIPA realistically with this conflict between the client and server.

Version-Release number of selected component (if applicable):
sssd-debuginfo-1.5.13-7.el5
sssd-1.5.13-7.el5
sssd-tools-1.5.13-7.el5
sssd-client-1.5.13-7.el5
389-ds-base-1.2.9.9-1.fc15.x86_64
389-ds-base-libs-1.2.9.9-1.fc15.x86_64
389-ds-base-devel-1.2.9.9-1.fc15.x86_64

How reproducible:
Consistent

Steps to Reproduce:
1. Populate a 389 ds FreeIPA directory with 5000 hosts
2. Join a client to the directory.
3. Attempt to ssh into the client.

Actual results:
SSHD gets denied due to hitting a sizelimit on the returning search results.

Expected results:
SSHD should permit the login

Additional info:
commit changeset:4dc166b/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Fri Sep 30 08:30:16 2011 -0600

Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: There are now 6 new configuration variables that control global and per-user limits for simple paged result searches. If these are not present or set to 0, the corresponding non-paged limit will be used instead. For example, if nsslapd-pagedsizelimit is not set, nsslapd-sizelimit will be used. This keeps the previous behavior when the new paged limits are not set.

cn=config/operational per user
nsslapd-pagedsizelimit/nsPagedSizeLimit - maximum number of entries returned by a paged search

cn=config,cn=ldbm database,cn=plugins,cn=config/operational per user
nsslapd-pagedlookthroughlimit/nsPagedLookThroughLimit - maximum number of entries retrieved from the database by a simple paged result search
nsslapd-pagedidlistscanlimit/nsPagedIDListScanLimit - maximum size of an ID list that can be loaded by a simple paged result search

Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: Yes - will need to document the new attributes
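As an added illustration (not part of the ticket or the 389-ds-base source), the LDIF below sets the paged limits named in the commit message so that paged searches get their own ceiling while the non-paged nsslapd-sizelimit stays as it is. All numeric values, the suffix dc=example,dc=com and the uid=sssd-bind entry are constructed placeholders.

```ldif
# Global ceiling on entries returned by a simple paged results search.
# When this attribute is absent or 0, nsslapd-sizelimit applies instead.
# 10000 is a constructed value, sized above the 5000-host directory
# from the report.
dn: cn=config
changetype: modify
replace: nsslapd-pagedsizelimit
nsslapd-pagedsizelimit: 10000

# Backend limits that apply only to simple paged results searches.
# Each falls back to its non-paged counterpart when absent or 0.
# Values are constructed.
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pagedlookthroughlimit
nsslapd-pagedlookthroughlimit: 20000
-
replace: nsslapd-pagedidlistscanlimit
nsslapd-pagedidlistscanlimit: 20000

# Per-user operational attributes: raise the paged limits for one bind
# identity only, leaving every other user on the global values.
# The DN is a hypothetical service entry, not one taken from the ticket.
dn: uid=sssd-bind,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
replace: nsPagedSizeLimit
nsPagedSizeLimit: 10000
-
replace: nsPagedLookThroughLimit
nsPagedLookThroughLimit: 20000
-
replace: nsPagedIDListScanLimit
nsPagedIDListScanLimit: 20000
```

Scoping the larger values to the one identity that needs them keeps the tighter limits in force for all other clients.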
Added initial screened field value.
Metadata Update from @nkinder: - Issue assigned to nhosoi - Issue set to the milestone: 1.2.10
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/245
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)