On 03/13/2012 04:09 PM, Petr Spacek wrote:
> Hello list,
>
> I'm looking for a way to bypass nsslapd-sizelimit and
> nsslapd-timelimit for a persistent search made by a specific user (or
> anything made by that user).
>
> Please, can you point me to the right place in the documentation about
> persistent search/user-specific settings in 389? I googled for a
> while, but I can't find the exact way to accomplish this.
You can set user-based limits as shown here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Admin...
>
> I found attributes nsSizeLimit and nsTimeLimit in
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html-singl...
> , but I'm not sure how to deploy them.
>
>
> If bypassing is not possible in 389:
> Is there any way to enumerate all records from a given subtree
> part-by-part? (My guess: VLV or something similar.)
There is VLV, and there is also simple-paged results. Both are methods
that can be used to enumerate through search results in chunks. VLV
requires explicit configuration of a VLV index for the exact search that
you want to perform ahead of time. Simple-paged results can be used with
any search. Here are some details on using simple-paged results:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Admin...
>
> I know only basics about persistent search and next to nothing about
> VLV, so sorry if I'm completely wrong.
>
>
> --- Background / why I needed this / long story ---
> The FreeIPA project has an LDAP plugin for BIND. This plugin pulls DNS
> records from the LDAP database and populates BIND's internal memory with
> them. (Homepage: https://fedorahosted.org/bind-dyndb-ldap/)
>
> This plugin can use persistent search, which enables reflecting
> changes in LDAP inside BIND immediately.
>
> At the moment, the plugin does a persistent search for all DNS
> records after start. This single query can lead to tens of thousands of
> records - and of course fails, because nsslapd-sizelimit stops that.
>
> Another problem arises with databases smaller than sizelimit - the query
> is ended after timelimit and has to be re-established. It leads to
> periodic re-downloading of the whole DNS DB.
>
> The question is:
> Is it possible to bypass limits for this connection/user
I think setting the limits based on your bind DN should work.
-NGK
> OR
> plugin is completely broken by design?
>
>
> Thanks for your time.
>
> Petr^2 Spacek @ Red Hat @ Brno office
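
The simple-paged results exchange mentioned in the reply above (RFC 2696, control OID 1.2.840.113556.1.4.319), as an added example that is not part of the original thread or of any project's code: it BER-encodes the control value and walks a result set page by page using the cookie. `server_search`, `paged_enumerate` and the entry list are hypothetical, constructed stand-ins so the loop runs without a directory server.

```python
# Added example: RFC 2696 simple paged results, simulated offline (no LDAP server).
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def encode_control(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    num = size.to_bytes(size.bit_length() // 8 + 1, "big")  # non-negative INTEGER
    body = b"\x02" + _ber_len(len(num)) + num + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(body)) + body

def _read_tlv(buf, pos, tag):
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected or missing BER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return buf[pos:pos + length], pos + length

def decode_control(value):
    seq, _ = _read_tlv(value, 0, 0x30)
    size, pos = _read_tlv(seq, 0, 0x02)
    cookie, _ = _read_tlv(seq, pos, 0x04)
    return int.from_bytes(size, "big"), cookie

def server_search(entries, control_value):
    """Constructed stand-in for the server: one page plus the response control value."""
    page_size, cookie = decode_control(control_value)
    start = int(cookie) if cookie else 0  # real cookies are opaque to the client
    page = entries[start:start + page_size]
    nxt = start + len(page)
    return page, encode_control(len(entries), str(nxt).encode() if nxt < len(entries) else b"")

def paged_enumerate(entries, page_size):
    if page_size < 1:
        raise ValueError("page size must be positive")
    cookie, out, trips = b"", [], 0
    while True:
        page, resp = server_search(entries, encode_control(page_size, cookie))
        out.extend(page)
        trips += 1
        _, cookie = decode_control(resp)  # empty cookie marks the last page
        if not cookie:
            return out, trips
```
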