Using class of service, it is possible to create a shared configuration in the replicated tree to overlay each user with default nsSizeLimit and nsLookThroughLimit attributes.
This has the same effect as changing the database-level local configuration in cn=config for all authenticated users, except it is shared by all servers, available in the replicated tree, and easy to access by admins and the WebUI (if desired).
The idlistscanlimit cannot yet be changed this way, though.
This depends on a couple of 389 bugs:
 * allow ipa-ldap-updater to work on backend config settings like nsslapd-lookthroughlimit - https://bugzilla.redhat.com/show_bug.cgi?id=741744
 * allow dynamic configuration of nsslapd-idlistscanlimit and nsIDListScanLimit - https://bugzilla.redhat.com/show_bug.cgi?id=742324
DS fixes are being made for 6.2 and we need to take advantage of those.
Changes default limits 0001-updates-Change-default-limits-on-ldap-searches.patch
The fix in 389-ds isn't working as expected. We can work around this by adding nsslapd-lookthroughlimit and nsslapd-idlistscanlimit to FORCE_REPLACE_ON_UPDATE_ATTRS. Going with this for the short-term. We'll revisit later.
Update limits
master: 9724251
ipa-2-1: 36c63ee
Temporary fix
master: 9a4fd25
ipa-2-1: 411c303
Is it really happening?
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=782921
Removal of workaround created in new ticket, 2283. Marking as closed.
Metadata Update from @simo: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/01