Hello list,

I'm looking for way how to bypass nsslapd-sizelimit and
nsslapd-timelimit for persistent search made by specific user (or
anything made by that user).


Please, can you point me to right place in documentation about
persistent search/user specific settings in 389? I googled for a while,
but I can't find exact way how to accomplish this.


I found attributes nsSizeLimit and nsTimeLimit in
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html-single/Schema_Reference/index.html#nsPagedSizeLimit
, but I'm not sure how to deploy them.



If bypassing is not possible in 389:
Is there any way how to enumerate all records from given subtree
part-by-part? (My guess: VLV or something similar.)


I know only basics about persistent search and next to nothing about
VLV, so sorry if I'm completely wrong.



--- Background / why I needed this / long story ---
FreeIPA project has LDAP plugin for BIND. This plugin pulls DNS records
from LDAP database and populates BIND's internal memory with them.
(Homepage: https://fedorahosted.org/bind-dyndb-ldap/)


This plugin can use persistent search, which enables reflecting changes
in LDAP inside BIND immediately.


At this moment, plugin after start do persistent search for all DNS
records. This single query can lead to tens of thousands records - and
of course fails, because nssldapd-sizelimit stops that.


Another problem arises with databases smaller than sizelimit - query is
ended after timelimit and has to be re-established. It leads to
periodical re-downloading whole DNS DB.


Question is:
It's possible to bypass limits for this connection/user
OR
plugin is completely broken by design?


Thanks for you time.

Petr^2 Spacek @ Red Hat @ Brno office
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

On 03/13/2012 05:09 PM, Petr Spacek wrote:

Hello list,

I'm looking for way how to bypass nsslapd-sizelimit and
nsslapd-timelimit for persistent search made by specific user (or
anything made by that user).


Please, can you point me to right place in documentation about
persistent search/user specific settings in 389? I googled for a
while, but I can't find exact way how to accomplish this.


I found attributes nsSizeLimit and nsTimeLimit in
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html-single/Schema_Reference/index.html#nsPagedSizeLimit
, but I'm not sure how to deploy them.



If bypassing is not possible in 389:
Is there any way how to enumerate all records from given subtree
part-by-part? (My guess: VLV or something similar.)


I know only basics about persistent search and next to nothing about
VLV, so sorry if I'm completely wrong.



--- Background / why I needed this / long story ---
FreeIPA project has LDAP plugin for BIND. This plugin pulls DNS
records from LDAP database and populates BIND's internal memory with
them. (Homepage: https://fedorahosted.org/bind-dyndb-ldap/)


This plugin can use persistent search, which enables reflecting
changes in LDAP inside BIND immediately.


At this moment, plugin after start do persistent search for all DNS
records. This single query can lead to tens of thousands records - and
of course fails, because nssldapd-sizelimit stops that.


Another problem arises with databases smaller than sizelimit - query
is ended after timelimit and has to be re-established. It leads to
periodical re-downloading whole DNS DB.


Question is:
It's possible to bypass limits for this connection/user
OR
plugin is completely broken by design?
Not specifically for persistent search - see
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html



Thanks for you time.

Petr^2 Spacek @ Red Hat @ Brno office
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

On 03/13/2012 04:09 PM, Petr Spacek wrote:

Hello list,

I'm looking for way how to bypass nsslapd-sizelimit and
nsslapd-timelimit for persistent search made by specific user (or
anything made by that user).


Please, can you point me to right place in documentation about
persistent search/user specific settings in 389? I googled for a
while, but I can't find exact way how to accomplish this.

You can set user-based limits as shown here:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html# Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line


I found attributes nsSizeLimit and nsTimeLimit in
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html-single/Schema_Reference/index.html#nsPagedSizeLimit
, but I'm not sure how to deploy them.



If bypassing is not possible in 389:
Is there any way how to enumerate all records from given subtree
part-by-part? (My guess: VLV or something similar.)
There is VLV, and there is also simple-paged results. Both are methods
that can be used to enumerate through search results in chunks. VLV
requires explicit configuration of a VLV index for the exact search that
you want to perform ahead of time. Simple-paged results can be used
with any search. Here are some details on using simple-paged results:


http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-simple-paged-results.html


I know only basics about persistent search and next to nothing about
VLV, so sorry if I'm completely wrong.



--- Background / why I needed this / long story ---
FreeIPA project has LDAP plugin for BIND. This plugin pulls DNS
records from LDAP database and populates BIND's internal memory with
them. (Homepage: https://fedorahosted.org/bind-dyndb-ldap/)


This plugin can use persistent search, which enables reflecting
changes in LDAP inside BIND immediately.


At this moment, plugin after start do persistent search for all DNS
records. This single query can lead to tens of thousands records - and
of course fails, because nssldapd-sizelimit stops that.


Another problem arises with databases smaller than sizelimit - query
is ended after timelimit and has to be re-established. It leads to
periodical re-downloading whole DNS DB.


Question is:
It's possible to bypass limits for this connection/user

I think setting the limits based on your bind DN should work.

-NGK

OR
plugin is completely broken by design?


Thanks for you time.

Petr^2 Spacek @ Red Hat @ Brno office
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

On 03/14/2012 12:16 AM, Nathan Kinder wrote:

On 03/13/2012 04:09 PM, Petr Spacek wrote:

Hello list,

I'm looking for way how to bypass nsslapd-sizelimit and
nsslapd-timelimit for persistent search made by specific user (or
anything made by that user).

Please, can you point me to right place in documentation about
persistent search/user specific settings in 389? I googled for a
while, but I can't find exact way how to accomplish this.

You can set user-based limits as shown here:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html# Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line



I found attributes nsSizeLimit and nsTimeLimit in
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html-single/Schema_Reference/index.html#nsPagedSizeLimit
, but I'm not sure how to deploy them.


If bypassing is not possible in 389:
Is there any way how to enumerate all records from given subtree
part-by-part? (My guess: VLV or something similar.)

There is VLV, and there is also simple-paged results. Both are methods
that can be used to enumerate through search results in chunks. VLV
requires explicit configuration of a VLV index for the exact search that
you want to perform ahead of time. Simple-paged results can be used with
any search. Here are some details on using simple-paged results:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-simple-paged-results.html



I know only basics about persistent search and next to nothing about
VLV, so sorry if I'm completely wrong.


--- Background / why I needed this / long story ---
FreeIPA project has LDAP plugin for BIND. This plugin pulls DNS
records from LDAP database and populates BIND's internal memory with
them. (Homepage: https://fedorahosted.org/bind-dyndb-ldap/)

This plugin can use persistent search, which enables reflecting
changes in LDAP inside BIND immediately.

At this moment, plugin after start do persistent search for all DNS
records. This single query can lead to tens of thousands records - and
of course fails, because nssldapd-sizelimit stops that.

Another problem arises with databases smaller than sizelimit - query
is ended after timelimit and has to be re-established. It leads to
periodical re-downloading whole DNS DB.

Question is:
It's possible to bypass limits for this connection/user

I think setting the limits based on your bind DN should work.

-NGK

OR
plugin is completely broken by design?


Thanks for you time.

Petr^2 Spacek @ Red Hat @ Brno office


Absolutely perfect! Thanks a lot for immediate response.

Petr^2 Spacek
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Hello,

On 03/14/2012 12:16 AM, Nathan Kinder wrote:

On 03/13/2012 04:09 PM, Petr Spacek wrote:

Hello list,

I'm looking for way how to bypass nsslapd-sizelimit and
nsslapd-timelimit for persistent search made by specific user (or
anything made by that user).


... snip ...

On 03/14/2012 12:16 AM, Nathan Kinder wrote:

On 03/13/2012 04:09 PM, Petr Spacek wrote:

It's possible to bypass limits for this connection/user

I think setting the limits based on your bind DN should work.


I did some testing and converged to this setting:
nsIdleTimeout, nsLookThroughLimit, nsSizeLimit, nsTimeLimit set to -1,
so limits are disabled for specific user.


Is there any potential problem with this, if user is trusted? (It's LDAP
server <-> DNS server "pipe".)

Are there some limits which should not be bypassed? :-)

Expected use case has 1 LDAP to 1 DNS ratio.


Thanks for your time.


Petr^2 Spacek
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

On 03/14/2012 07:42 AM, Petr Spacek wrote:

Hello,

On 03/14/2012 12:16 AM, Nathan Kinder wrote:

On 03/13/2012 04:09 PM, Petr Spacek wrote:

Hello list,

I'm looking for way how to bypass nsslapd-sizelimit and
nsslapd-timelimit for persistent search made by specific user (or
anything made by that user).


... snip ...

On 03/14/2012 12:16 AM, Nathan Kinder wrote:

On 03/13/2012 04:09 PM, Petr Spacek wrote:

It's possible to bypass limits for this connection/user

I think setting the limits based on your bind DN should work.


I did some testing and converged to this setting:
nsIdleTimeout, nsLookThroughLimit, nsSizeLimit, nsTimeLimit set to -1,
so limits are disabled for specific user.


Is there any potential problem with this, if user is trusted? (It's
LDAP server <-> DNS server "pipe".)

Are there some limits which should not be bypassed? :-)

If you trust the user/application, then this should be fine.


Expected use case has 1 LDAP to 1 DNS ratio.


Thanks for your time.


Petr^2 Spacek
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users