The bind-dyndb-ldap plugin (with persistent search enabled) queries LDAP for all DNS records. In some configurations the reply can exceed the LDAP server's size limit, and in that case persistent search is unusable. (The problem arises if the number of DNS records > nsslapd-sizelimit.)
The time limit leads to the persistent search periodically ending and being re-established, so the whole DNS DB has to be periodically downloaded from LDAP to BIND.
Proposed solution: disable all limits for the DNS server's principals. Other users are unaffected.
389 documentation: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
Example LDIF:
dn: krbprincipalname=DNS/dhcp-31-49.brq.redhat.com@E.ORG,cn=services,cn=accounts,dc=e,dc=org
changetype: modify
add: nsTimeLimit
nsTimeLimit: -1
-
add: nsSizeLimit
nsSizeLimit: -1
It's necessary to disable the other two limits as well:
-
add: nsIdleTimeout
nsIdleTimeout: -1
-
add: nsLookThroughLimit
nsLookThroughLimit: -1
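Added example (not from the ticket or the FreeIPA patch): a small Python helper that checks an LDAP entry for the four per-bind-DN limits the ticket disables and renders the LDIF needed to correct them, using `replace` where a limit is already present with a finite value and `add` where it is absent. The sample entry, its `500` value and the function names are constructed for this example; the entry shape assumes python-ldap results with values already decoded to str.

```python
# 389 DS per-bind-DN resource-limit overrides; -1 means "no limit".
LIMIT_ATTRS = ("nsTimeLimit", "nsSizeLimit", "nsIdleTimeout", "nsLookThroughLimit")
UNLIMITED = "-1"

# Constructed sample entry for the DNS principal from the ticket, in the
# attribute -> list-of-str shape python-ldap returns once values are decoded.
# nsTimeLimit is already unlimited, nsSizeLimit has a finite value, and the
# other two limits are absent, so the server-wide nsslapd-* defaults still apply.
DNS_DN = ("krbprincipalname=DNS/dhcp-31-49.brq.redhat.com@E.ORG,"
          "cn=services,cn=accounts,dc=e,dc=org")
SAMPLE_ENTRY = {"nsTimeLimit": ["-1"], "nsSizeLimit": ["500"]}


def limit_fixes(entry):
    """Return [(attribute, 'add'|'replace')] for every limit not set to -1.

    Attribute names are matched case-insensitively, as LDAP does. An absent
    attribute needs 'add'; a present one with another value needs 'replace',
    because a plain 'add' would not remove the existing finite value.
    """
    lowered = {name.lower(): values for name, values in entry.items()}
    fixes = []
    for attr in LIMIT_ATTRS:
        values = lowered.get(attr.lower(), [])
        if values == [UNLIMITED]:
            continue
        fixes.append((attr, "replace" if values else "add"))
    return fixes


def fix_ldif(dn, fixes):
    """Render one LDIF 'changetype: modify' record for the fixes; '' if none."""
    if not fixes:
        return ""
    lines = [f"dn: {dn}", "changetype: modify"]
    for index, (attr, op) in enumerate(fixes):
        if index:
            lines.append("-")  # separates the mods inside one record
        lines += [f"{op}: {attr}", f"{attr}: {UNLIMITED}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Expected: replace nsSizeLimit, add nsIdleTimeout and nsLookThroughLimit.
    print(fix_ldif(DNS_DN, limit_fixes(SAMPLE_ENTRY)), end="")
```

The rendered record can be fed to ldapmodify as the Directory Manager; rerunning the check afterwards should yield an empty fix list.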
Persistent search related. Link it to the persistent search feature later.
Moving the same milestone as ticket #2524 - persistent search requires this limit setting.
attachment freeipa-mkosek-258-remove-ldap-limits-from-dns-service.patch
Patch freeipa-mkosek-258-remove-ldap-limits-from-dns-service.patch sent for review
master: 9a5c209
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=908893 (Red Hat Enterprise Linux 6)
This ticket is a requirement for an effective implementation of the Persistent search feature in bind-dyndb-ldap: Red Hat bug 733711
Metadata Update from @pspacek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.0 Core Effort - 2012/05