Re: [389-users] bypassing limits for persistent search and specific user

On 03/13/2012 04:09 PM, Petr Spacek wrote: > Hello list, > > I'm looking for way how to bypass nsslapd-sizelimit and > nsslapd-timelimit for persistent search made by specific user (or > anything made by that user). > > Please, can you point me to right place in documentation about > persistent search/user specific settings in 389? I googled for a > while, but I can't find exact way how to accomplish this. You can set user-based limits as shown here: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Admin... > > I found attributes nsSizeLimit and nsTimeLimit in > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html-singl... > , but I'm not sure how to deploy them. > > > If bypassing is not possible in 389: > Is there any way how to enumerate all records from given subtree > part-by-part? (My guess: VLV or something similar.) There is VLV, and there is also simple-paged results. Both are methods that can be used to enumerate through search results in chunks. VLV requires explicit configuration of a VLV index for the exact search that you want to perform ahead of time. Simple-paged results can be used with any search. Here are some details on using simple-paged results: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Admin... > > I know only basics about persistent search and next to nothing about > VLV, so sorry if I'm completely wrong. > > > --- Background / why I needed this / long story --- > FreeIPA project has LDAP plugin for BIND. This plugin pulls DNS > records from LDAP database and populates BIND's internal memory with > them. (Homepage: https://fedorahosted.org/bind-dyndb-ldap/) > > This plugin can use persistent search, which enables reflecting > changes in LDAP inside BIND immediately. > > At this moment, plugin after start do persistent search for all DNS > records. This single query can lead to tens of thousands records - and > of course fails, because nssldapd-sizelimit stops that. > > Another problem arises with databases smaller than sizelimit - query > is ended after timelimit and has to be re-established. It leads to > periodical re-downloading whole DNS DB. > > Question is: > It's possible to bypass limits for this connection/user I think setting the limits based on your bind DN should work. -NGK > OR > plugin is completely broken by design? > > > Thanks for you time. > > Petr^2 Spacek @ Red Hat @ Brno office