[389-users] bypassing limits for persistent search and specific user

Petr Spacek pspacek at redhat.com
Tue Mar 13 23:28:08 UTC 2012


On 03/14/2012 12:16 AM, Nathan Kinder wrote:
> On 03/13/2012 04:09 PM, Petr Spacek wrote:
>> Hello list,
>>
>> I'm looking for a way to bypass nsslapd-sizelimit and
>> nsslapd-timelimit for a persistent search made by a specific user (or
>> anything made by that user).
>>
>> Please, can you point me to the right place in the documentation about
>> persistent search/user-specific settings in 389? I googled for a
>> while, but I can't find the exact way to accomplish this.
> You can set user-based limits as shown here:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html#Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line
>
>>
>> I found attributes nsSizeLimit and nsTimeLimit in
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html-single/Schema_Reference/index.html#nsPagedSizeLimit
>> , but I'm not sure how to deploy them.
>>
>>
>> If bypassing is not possible in 389:
>> Is there any way to enumerate all records from a given subtree
>> part-by-part? (My guess: VLV or something similar.)
> There is VLV, and there is also simple-paged results. Both are methods
> that can be used to enumerate through search results in chunks. VLV
> requires explicit configuration of a VLV index for the exact search that
> you want to perform ahead of time. Simple-paged results can be used with
> any search. Here are some details on using simple-paged results:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-simple-paged-results.html
>
>>
>> I know only basics about persistent search and next to nothing about
>> VLV, so sorry if I'm completely wrong.
>>
>>
>> --- Background / why I needed this / long story ---
>> The FreeIPA project has an LDAP plugin for BIND. This plugin pulls DNS
>> records from the LDAP database and populates BIND's internal memory with
>> them. (Homepage: https://fedorahosted.org/bind-dyndb-ldap/)
>>
>> This plugin can use persistent search, which enables reflecting
>> changes in LDAP inside BIND immediately.
>>
>> At this moment, after start the plugin does a persistent search for all DNS
>> records. This single query can return tens of thousands of records - and
>> of course fails, because nsslapd-sizelimit stops it.
>>
>> Another problem arises with databases smaller than the sizelimit - the query
>> is ended after the timelimit and has to be re-established. It leads to
>> periodically re-downloading the whole DNS DB.
>>
>> The question is:
>> Is it possible to bypass the limits for this connection/user
> I think setting the limits based on your bind DN should work.
>
> -NGK
>> OR
>> is the plugin completely broken by design?
>>
>>
>> Thanks for your time.
>>
>> Petr^2 Spacek @ Red Hat @ Brno office

Absolutely perfect! Thanks a lot for the immediate response.

Petr^2 Spacek
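The per-bind-DN limits Nathan points to, as an added example that is not part of the thread or of the bind-dyndb-ldap project: the limits are set as operational attributes on the entry the service binds as, so only that one account is exempt while the global nsslapd-sizelimit/nsslapd-timelimit keep protecting the server from everyone else. The service DN, host and credentials below are placeholders; the attribute names nsSizeLimit, nsTimeLimit, nsLookThroughLimit and nsIdleTimeout are real 389 DS attributes, and -1 means "no limit". The ldapmodify/ldapsearch invocations assume the OpenLDAP client tools.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values (assumptions):
LDAP_URL="${LDAP_URL:-ldap://ldap.example.com}"
ADMIN_DN="${ADMIN_DN:-cn=Directory Manager}"
SERVICE_DN="${SERVICE_DN:-uid=bind-dyndb-ldap,cn=sysaccounts,cn=etc,dc=example,dc=com}"
BASE_DN="${BASE_DN:-cn=dns,dc=example,dc=com}"

# Emit the LDIF that lifts the resource limits for ONE bind DN.
# nsSizeLimit/nsTimeLimit override nsslapd-sizelimit/nsslapd-timelimit for
# searches made by this account; nsLookThroughLimit and nsIdleTimeout are the
# two other per-user limits that otherwise cut a long-lived (persistent)
# search short. -1 = unlimited in 389 DS.
limits_ldif() {
    dn="$1"
    cat <<EOF
dn: ${dn}
changetype: modify
replace: nsSizeLimit
nsSizeLimit: -1
-
replace: nsTimeLimit
nsTimeLimit: -1
-
replace: nsLookThroughLimit
nsLookThroughLimit: -1
-
replace: nsIdleTimeout
nsIdleTimeout: -1
EOF
}

# Apply the LDIF as the directory administrator (password prompted, never on
# the command line where it would land in shell history and `ps` output).
apply_limits() {
    limits_ldif "$SERVICE_DN" | ldapmodify -H "$LDAP_URL" -D "$ADMIN_DN" -W
}

# Verify what the server will actually enforce for that DN: the limits are
# operational attributes, so they must be requested by name to be returned.
show_limits() {
    ldapsearch -H "$LDAP_URL" -D "$ADMIN_DN" -W -b "$SERVICE_DN" -s base \
        nsSizeLimit nsTimeLimit nsLookThroughLimit nsIdleTimeout
}

# Alternative when the limits must stay in force: fetch the subtree in chunks
# with the simple paged results control (OpenLDAP ldapsearch syntax), which
# works against any search without a pre-built VLV index. Page size is a
# placeholder; each page is well under the global sizelimit.
paged_search() {
    ldapsearch -H "$LDAP_URL" -D "$SERVICE_DN" -W -b "$BASE_DN" \
        -E 'pr=500/noprompt' '(objectClass=idnsRecord)'
}

# Stand-alone run just shows the LDIF that apply_limits would send.
limits_ldif "$SERVICE_DN"
```

Keep the exemption on a dedicated service account with read access to the DNS subtree only; an unlimited nsTimeLimit on an account that can also bind interactively removes the server's protection against runaway searches for whoever holds its credentials. After apply_limits, show_limits should list all four attributes as -1, and a persistent search bound as that DN is no longer torn down by the global limits.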