[389-users] Re: another question: searches running into administrative limits

Mark Reynolds Wed, 01 Jun 2022 13:24:28 -0700


On 6/1/22 4:11 PM, Pierre Rogier wrote:

Hi Rainer,


try:
   dsconf instanceName backend config set --idlistscanlimit  5000
Note: you must perform a full reindex or a reimport after changing this value

Actually you don't need to do that in 389ds (only SunDS), in 389DS weactually index everything regardless of this setting. So making thatconfig change will work right away, but really I think you need to setthe lookthroughlimit like David suggested:


# dsconf instanceName backend config set --lookthroughlimit 5000


Mark


FYI: Browsing (or VLV) index does not help unless you are also using
VLV controls in the search request

On Wed, Jun 1, 2022 at 6:24 PM David Ritenour <d.riten...@martinfed.com> wrote:

Try setting the nslookthroughlimit to 5000 (or -1 for unlimited) on the entry 
you are binding with.

Alternatively, you can set the nsslapd-lookthroughlimit to 5000 (or -1 for 
unlimited) in the cn=config,cn=ldbm database,cn=plugins,cn=config entry but 
doing so will remove the lookthroughlimit restriction for ANYONE searching the 
directory.

In addition, I would avoid using a complex search with "objectClass=inetOrgPerson" if the 
filter "uid=926*" is sufficient.

David Ritenour
Senior Directory Engineer
513 Madison Street SE
Huntsville, AL 35801




-----Original Message-----
From: Rainer Duffner <rai...@ultra-secure.de>
Sent: Wednesday, June 1, 2022 11:45 AM
To: General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>
Subject: [389-users] another question: searches running into administrative 
limits

** WARNING: This email originated from outside of the organization. Do not 
click links or open attachments unless you recognize the sender and know the 
content is safe.


Hi,


when searching for something like this:

LDAPTLS_REQCERT=never ldapsearch  -xLLL -H ldaps://127.0.0.1:636 -D "cn=bla,dc=users,dc=bla,dc=org,dc=da" -W -b 
'dc=ble,dc=bla,dc=org,dc=da' -s sub -a always "(&(objectclass=inetOrgPerson)(uid=926*))" "uid" 
"objectClass"

I get the "Administrative limit exceeded (11)“ error message.

There are less than 5000 entries in that directory - and I’ve set the 
size-limit to 5000 subsequently (from the default 2000).

I then created a Browsing Index on the „ble“ directory - but I still the the 
error message.
Also enabled SubString Indexes for the uid attribute.

What else could there be?


Rainer
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send 
an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
This email and any files transmitted with it are confidential and are intended 
solely for the use of the individual or entity to which they are addressed. If 
you are not the intended recipient or the person responsible for delivering the 
email to the intended recipient, be advised that you have received this email 
and any such files in error and that any use, dissemination, forwarding, 
printing or copying of this email and/or any such files is strictly prohibited. 
If you have received this email in error please immediately notify 
h...@martinfed.com - (855) 212-1810 , and destroy the original message and any 
such files.
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

--
Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[389-users] Re: another question: searches running into administrative limits

Reply via email to