So I'm having an issue with sudo policies where I have about ~200 commands in my sudoers. I added those commands to a group and I got an error in the WebUI:
Search result has been truncated: Configured size limit exceeded
Also, when I run ipa sudocmdgroup-show I don't see all the commands. Is there a limit to the number of commands? Thanks!
Andrew Meyer via FreeIPA-users wrote:
> So I'm having an issue with sudo policies where I have about ~200 commands in my sudoers, I added those commands to a group and I got an error in the WebUI:
> Search result has been truncated: Configured size limit exceeded
> Also when I run the ipa sudocmdgroup-show I don't see all the commands. Is there a limit to number of commands?
There is a general size limit, by default 100 IIRC. Look in the IPA config. I forget where that is in the UI, on the command-line it is ipa config-show/mod.
Set sizelimit to say 250.
We keep this small because enumeration is generally a bad idea, to prevent the equivalent of cat /etc/passwd |grep foo. This makes no sense when you have 10k users :-)
rob
Rob, for this, are you referring to the search limit size?
On Friday, April 6, 2018 9:29 AM, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> Andrew Meyer via FreeIPA-users wrote:
>> So I'm having an issue with sudo policies where I have about ~200 commands in my sudoers, I added those commands to a group and I got an error in the WebUI:
>> Search result has been truncated: Configured size limit exceeded
>> Also when I run the ipa sudocmdgroup-show I don't see all the commands. Is there a limit to number of commands?
> There is a general size limit, by default 100 IIRC. Look in the IPA config. I forget where that is in the UI, on the command-line it is ipa config-show/mod.
> Set sizelimit to say 250.
> We keep this small because enumeration is generally a bad idea, to prevent the equivalent of cat /etc/passwd |grep foo. This makes no sense when you have 10k users :-)
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Andrew Meyer wrote:
> Rob, For this are you referring to the search limit size?
ipa config-mod --searchrecordslimit=250
rob
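A check for the truncation discussed in this thread, added here as an example (it is not from the thread or from the FreeIPA project): it compares a list of intended sudo commands with saved ipa sudocmdgroup-show output and points at the search size limit when entries are not listed. The output labels it parses, the function names and the file arguments are assumptions, and the sample data is constructed.

```shell
# Added example. Assumed output formats (the samples in demo are constructed):
#   ipa config-show          -> "  Search size limit: 100"
#   ipa sudocmdgroup-show G  -> "  Member Sudo commands: /usr/bin/a, /usr/bin/b"
# Limitation: members are split on commas, so commands containing commas break it.
LC_ALL=C; export LC_ALL

# stdin: `ipa config-show` text; stdout: the search size limit.
search_size_limit() {
    sed -n 's/^[[:space:]]*Search size limit:[[:space:]]*//p' | head -n 1
}

# stdin: `ipa sudocmdgroup-show` text; stdout: one member command per line.
group_members() {
    sed -n 's/^[[:space:]]*Member Sudo commands:[[:space:]]*//p' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sort -u
}

# $1: file of expected commands, one per line; $2: saved sudocmdgroup-show output.
# stdout: expected commands that the group output does not list.
missing_commands() {
    tmp=$(mktemp)
    group_members < "$2" > "$tmp"
    sort -u "$1" | comm -23 - "$tmp"
    rm -f "$tmp"
}

# $3: saved config-show output. Returns 0 if the group lists every expected command.
check_group() {
    limit=$(search_size_limit < "$3")
    want=$(sort -u "$1" | wc -l | tr -d ' ')
    missing=$(missing_commands "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'not listed in group:\n%s\n' "$missing"
    if [ "${limit:-0}" -gt 0 ] && [ "$want" -gt "$limit" ]; then
        echo "$want expected commands exceed search size limit $limit"
    fi
    return 1
}

# Constructed demo: limit 3, five expected commands, output cut off after three.
demo() {
    d=$(mktemp -d)
    printf '  Search time limit: 2\n  Search size limit: 3\n' > "$d/config"
    printf '/bin/a\n/bin/b\n/bin/c\n/bin/d\n/bin/e\n' > "$d/expected"
    printf '  Sudo Command Group: ops\n  Member Sudo commands: /bin/a, /bin/b, /bin/c\n' > "$d/group"
    check_group "$d/expected" "$d/group" "$d/config"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || true
```

On a real server the two input files would be saved from ipa config-show and ipa sudocmdgroup-show, and the expected list exported from the sudoers source.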