On Fri, Jan 2, 2026 at 12:28 PM Marc Sauton <[email protected]> wrote:
>
> Thank you very much for following up and the contribution.
> nsTimeLimit is indeed the user-level parameter to configure.
> there is a mention in this guide:
> https://docs.redhat.com/en/documentation/red_hat_directory_server/13/html/management_configuration_and_operations/searching-entries-and-tuning-searches#setting-user-and-global-resource-limits-by-using-the-command-line
> but this use case is different and interesting.
> We could add an Upstream HowTo/doc page about it, or even document this into 
> one of the RHDS guides.

Happy to contribute if you point me in the right direction.

I wanted to share with the list that on SLES15.6 with the 389-ds
package 389-ds-2.2.10~git146.78a60e3ac-150600.8.23.1.x86_64,
cn=Directory Manager is unable to find the cosPointerDefinition with
ldapsearch.  This occurs when my instance initialization script
configures the CoS objects before I stop the database and run
db2index.  The initialization script runs dscreate, then runs either
dsconf or ldapmodify to modify various configurations such as SASL
auth, certs, various global size and limit changes, the initial OU
layout, etc., including new indexes for the custom schema I've
deployed.  If I try to add the following with ldapmodify:

dn: cn=CoS_template,ou=people,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: cosTemplate
nsSizeLimit: -1
nsLookThroughLimit: -1
nsTimeLimit: -1

dn: cn=CoS_pointer,ou=people,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cn: CoS_nodes_pointer
cosTemplateDn: cn=CoS_template,ou=people,dc=example,dc=com
cosAttribute: nsSizeLimit operational
cosAttribute: nsLookThroughLimit operational
cosAttribute: nsTimeLimit operational

...prior to stopping the database and running db2index, no errors are
reported via debug plugin logging, and the above works as expected.
However, the cosPointer object is "hidden" from cn=Directory
Manager; an ldapsearch filter of (objectclass=cosPointerDefinition)
returns nothing.  If, however, I add the above objects after the
db2index operation, both objects are visible to Directory Manager.
Either way, the CoS works as expected, but I find it strange that I
can "hide" the object if I attempt to configure the above before
running db2index.

These are the instance initialization commands and the order they are
run in, which allows cn=Directory Manager to "see" the cosPointer
object.  If the second-to-last command ("cat
/etc/dirsrv/config/ldif/CoS_size_limit_increase.ldif ...") is placed
earlier in the script, before db2index, the object is not visible via
ldapsearch.

dscreate from-file /etc/dirsrv/"${INSTANCE}"_instance.inf | tee -a "$LOG"
cat /etc/dirsrv/config/ldif/debug_logging.ldif | ldapmodify -avcH \
    ldap://$(hostname -f):"$PORT" -D "cn=Directory Manager" -w password
dsctl "$INSTANCE" tls import-server-key-cert \
    /etc/dirsrv/config/certs/crt.pem /etc/dirsrv/config/certs/key.pem
dsconf "$INSTANCE" security ca-certificate add --file \
    /etc/dirsrv/config/certs/ca_5a.pem --name internal_issuing_ca
dsconf "$INSTANCE" security ca-certificate add --file \
    /etc/dirsrv/config/certs/root_ca.pem --name root_ca
dsconf "$INSTANCE" config replace nsslapd-security=on
dsconf "$INSTANCE" plugin memberof enable
dsconf "$INSTANCE" plugin memberof set --skipnested on
dsconf "$INSTANCE" config replace nsslapd-sasl-mapping-fallback=on
dsconf "$INSTANCE" sasl delete "uid mapping" <<< "Yes I am sure"
dsconf "$INSTANCE" sasl delete "rfc 2829 u syntax" <<< "Yes I am sure"
dsconf "$INSTANCE" sasl delete "rfc 2829 dn syntax" <<< "Yes I am sure"
dsconf "$INSTANCE" sasl delete "Kerberos uid mapping" <<< "Yes I am sure"
dsconf "$INSTANCE" sasl create --nsSaslMapRegexString \
    "^host/\(.*\)\.\(.*\)\.\(.*\)\.\(.*\)$" --nsSaslMapFilterTemplate \
    "(cn=\1)" --cn "host_UPN_CN_mapping" --nsSaslMapBaseDNTemplate \
    "dc=example,dc=com" --nsSaslMapPriority 50
dsconf "$INSTANCE" sasl create --nsSaslMapRegexString \
    "\(.*\)@\(.*\)\.\(.*\)\.\(.*\)" --nsSaslMapFilterTemplate \
    "(samaccountname=\1)" --cn "user_samaccountname_mapping" \
    --nsSaslMapBaseDNTemplate "dc=example,dc=com" --nsSaslMapPriority 50
dsconf "$INSTANCE" sasl create --nsSaslMapRegexString "^\(.*\)$" \
    --nsSaslMapFilterTemplate "(samaccountname=\1)" --cn \
    "host_samaccountname_mapping" --nsSaslMapBaseDNTemplate \
    "dc=example,dc=com" --nsSaslMapPriority "100"
dsconf "$INSTANCE" config replace nsslapd-allow-anonymous-access=rootdse
dsconf "$INSTANCE" config replace nsslapd-sizelimit=50000
dsconf "$INSTANCE" config replace nsslapd-maxbersize=5500000
systemctl restart dirsrv@"$INSTANCE"
cat /etc/dirsrv/config/ldif/nsslapd-db-locks.ldif | ldapmodify -avcH \
    ldaps://$(hostname -f):"$SECURE_PORT" -D "cn=Directory Manager" \
    -w password
cat /etc/dirsrv/config/ldif/ou_bootstrap_ldif | ldapmodify -avcH \
    ldaps://$(hostname -f):"$SECURE_PORT" -D "cn=Directory Manager" \
    -w password
cat /etc/dirsrv/config/ldif/indexes.ldif | ldapmodify -avcH \
    ldaps://$(hostname -f):"$SECURE_PORT" -D "cn=Directory Manager" \
    -w password
systemctl stop dirsrv@"$INSTANCE"
dsctl "$INSTANCE" db2index
systemctl start dirsrv@"$INSTANCE"
cat /etc/dirsrv/config/ldif/CoS_size_limit_increase.ldif | ldapmodify \
    -avcH ldaps://$(hostname -f):"$SECURE_PORT" -D "cn=Directory Manager" \
    -w password
cat /etc/dirsrv/config/ldif/default_logging.ldif | ldapmodify -avcH \
    ldaps://$(hostname -f):"$SECURE_PORT" -D "cn=Directory Manager" \
    -w password

Curious if anyone has an idea why this might be?

Bob.
-- 
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
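Added example (editor's note, not code from Bob's message or from the 389-ds project): a post-provisioning check for the two things the thread is about, whether the cosPointerDefinition entry is visible to the bind DN at all, and whether a user entry actually receives the CoS-generated nsSizeLimit/nsLookThroughLimit/nsTimeLimit values. Both helpers read LDIF as printed by `ldapsearch -LLL` on stdin, so they can be appended to a provisioning script and run against the live instance, or run offline on captured output. The host, port, base DN and the uid=bob entry in the live-usage comment are assumptions; the sample LDIF is constructed from the entries posted above.

```shell
#!/usr/bin/env bash
# Added example, not code from the original message or from 389-ds.
# Verifies, from ldapsearch -LLL output, that (1) the cosPointerDefinition
# entry is visible to the bind DN and (2) a user entry carries the
# CoS-generated limit attributes. Both helpers read LDIF on stdin.

# Exit 0 when at least one entry in the LDIF on stdin has objectClass
# cosPointerDefinition. LDAP compares attribute names and objectClass
# values case-insensitively, hence grep -i.
cos_pointer_visible() {
    grep -qi '^objectclass: cosPointerDefinition$'
}

# Exit 0 when the entry on stdin has nsSizeLimit, nsLookThroughLimit and
# nsTimeLimit all equal to "$1" (for the posted template, -1).
limits_applied() {
    local want="$1" ldif attr
    ldif=$(cat)
    for attr in nsSizeLimit nsLookThroughLimit nsTimeLimit; do
        printf '%s\n' "$ldif" | grep -qi "^${attr}: ${want}"'$' || return 1
    done
}

# Live usage (assumed placeholders; not executed here). The three CoS
# attributes are requested by name because they are generated as
# operational attributes and are not returned by a default search:
#   BASE="dc=example,dc=com"; URL="ldaps://$(hostname -f):636"
#   ldapsearch -LLL -H "$URL" -D "cn=Directory Manager" -W -b "$BASE" \
#       '(objectclass=cosPointerDefinition)' dn objectClass | cos_pointer_visible
#   ldapsearch -LLL -H "$URL" -D "cn=Directory Manager" -W \
#       -b "uid=bob,ou=people,$BASE" -s base '(objectclass=*)' \
#       nsSizeLimit nsLookThroughLimit nsTimeLimit | limits_applied -1

# Constructed sample output for an offline run, modelled on the LDIF in
# the message. ldapsearch -LLL prints nothing when no entry matches,
# which is exactly the "hidden" case described above.
SAMPLE_VISIBLE='dn: cn=CoS_pointer,ou=people,dc=example,dc=com
objectClass: top
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
'
SAMPLE_HIDDEN=''
SAMPLE_USER='dn: uid=bob,ou=people,dc=example,dc=com
nsSizeLimit: -1
nsLookThroughLimit: -1
nsTimeLimit: -1
'

# Run both checks on the constructed samples; one result line each.
if printf '%s' "$SAMPLE_VISIBLE" | cos_pointer_visible; then
    echo "cosPointerDefinition visible: yes"
else
    echo "cosPointerDefinition visible: NO"
fi
if printf '%s' "$SAMPLE_USER" | limits_applied -1; then
    echo "CoS limits applied to uid=bob: yes"
else
    echo "CoS limits applied to uid=bob: NO"
fi
```

Note that cn=Directory Manager is itself exempt from size, look-through and time limits, so the second check only says something when it is run against the user entry the CoS is meant to cover, not against the bind DN.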