#1867 Properly configure nsslapd-idlistscanlimit
Closed: Fixed. Opened 12 years ago by simo.

We need to properly configure nsslapd-idlistscanlimit; the default in DS is 4000, and that is going to be way too low for anything but small-sized deployments.

We should properly raise its value to a size we think should fit at least medium-sized deployments, and if possible we should even try to dynamically change it during the IPA lifetime based on some heuristics (number of users/groups/memberships), as some attributes like memberof are used extensively across the product and will reach this limit quite fast.

Once an index passes this limit we have nasty side effects like truncated result sets, and that is not really acceptable.

Same thing with size limit to a degree at least until paged searches are fixed.


Check with Nathan on the best default and factors affecting it.

Also need to change nsslapd-sizelimit and nsslapd-lookthroughlimit.

After discussion with Rich we decided to set them all to 100k while waiting for more fine grained limits that can be changed only for paged searches in a future DS version.

The above patch adds the necessary limits and also adds different (much lower) limits on anonymous binds through the use of a shared config entry.

Posting the patch to freeipa-devel is blocked by a DS bug that prevents us from performing the update.

Will be posted there as soon as I can test it with a new DS build.
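The following is an added example, not the patch discussed in this ticket and not FreeIPA's own code. It shows the three cn=config limits from the ticket being raised to the agreed 100k, a checker that flags a cn=config entry still carrying the DS default of 4000, and a sizing heuristic of the kind the description asks for. Assumptions not stated in the ticket: the heuristic itself, the anonymous ceiling of 5000, and that the "shared config entry" for anonymous binds is the entry named by nsslapd-anonlimitsdn carrying the 389 DS per-bind limits nsSizeLimit, nsLookThroughLimit and nsIDListScanLimit, at the DN chosen below.

```python
"""Added example: generate and check 389 DS search limits for an IPA deployment.

Not code from the ticket or from FreeIPA. Assumed, not from the ticket:
- the sizing heuristic in recommended_limit(),
- the anonymous ceiling ANON_LIMIT,
- that anonymous limits live in the entry named by nsslapd-anonlimitsdn,
  carrying nsSizeLimit / nsLookThroughLimit / nsIDListScanLimit, at the DN
  built in limits_ldif().
"""

# From the ticket: the DS default, and the limit agreed for authenticated binds.
DS_DEFAULT_IDLISTSCANLIMIT = 4000
AGREED_LIMIT = 100_000

# Assumption: anonymous binds get a much lower ceiling than authenticated ones.
ANON_LIMIT = 5000

CONFIG_ATTRS = ("nsslapd-idlistscanlimit", "nsslapd-sizelimit",
                "nsslapd-lookthroughlimit")


def recommended_limit(users, groups, memberships, headroom=2.0, floor=AGREED_LIMIT):
    """Hypothetical heuristic: the largest ID list an indexed attribute can
    produce is bounded by the largest of the three counts (e.g. a memberof
    search matching every membership), so size the limit to that with
    headroom, rounded up to the next 10k, and never below the agreed floor."""
    needed = int(max(users, groups, memberships) * headroom)
    rounded = ((needed + 9_999) // 10_000) * 10_000
    return max(rounded, floor)


def parse_ldif_entry(text):
    """Minimal reader for one LDIF entry as printed by `ldapsearch -LLL`:
    folds continuation lines (leading space), keeps multi-valued attributes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_limits(config_ldif, minimum=AGREED_LIMIT):
    """Return {attr: problem} for each cn=config limit that is unset or below
    `minimum`. A value of -1 means unlimited in 389 DS and is accepted."""
    attrs = parse_ldif_entry(config_ldif)
    problems = {}
    for attr in CONFIG_ATTRS:
        values = attrs.get(attr)
        if not values:
            problems[attr] = "missing"
            continue
        value = int(values[0])
        if value != -1 and value < minimum:
            problems[attr] = f"{value} < {minimum}"
    return problems


def limits_ldif(suffix, authenticated=AGREED_LIMIT, anonymous=ANON_LIMIT):
    """LDIF for ldapmodify: raise the three global limits, then point
    nsslapd-anonlimitsdn at a shared entry holding the lower anonymous limits.
    The entry DN and object classes are assumptions, not the ticket's."""
    anon_dn = f"cn=anonymous-limits,cn=etc,{suffix}"
    mods = ["dn: cn=config", "changetype: modify"]
    for i, attr in enumerate(CONFIG_ATTRS):
        if i:
            mods.append("-")
        mods += [f"replace: {attr}", f"{attr}: {authenticated}"]
    mods += ["-", "replace: nsslapd-anonlimitsdn",
             f"nsslapd-anonlimitsdn: {anon_dn}", ""]
    entry = [
        f"dn: {anon_dn}",
        "changetype: add",
        "objectClass: top",
        "objectClass: nsContainer",
        "objectClass: extensibleObject",
        "cn: anonymous-limits",
        f"nsSizeLimit: {anonymous}",
        f"nsLookThroughLimit: {anonymous}",
        f"nsIDListScanLimit: {anonymous}",
        "",
    ]
    return "\n".join(mods + entry)


# Constructed sample: cn=config as a fresh DS prints it (idlistscanlimit 4000).
SAMPLE_CONFIG = """dn: cn=config
nsslapd-idlistscanlimit: 4000
nsslapd-sizelimit: 2000
nsslapd-lookthroughlimit: 5000
"""

if __name__ == "__main__":
    print(check_limits(SAMPLE_CONFIG))
    print(recommended_limit(users=30_000, groups=2_000, memberships=120_000))
    print(limits_ldif("dc=example,dc=com"))
```

Feed the output of limits_ldif() to `ldapmodify` as Directory Manager; the `-` separators between the replace operations are what make it a single modify of cn=config. The checker treats -1 as acceptable because that is the "unlimited" value in 389 DS, which matters for nsslapd-sizelimit where some deployments prefer no cap over a high one.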

Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 2.1.3 (bug fixing)

7 years ago
