Hi list. I'm trying to limit queries for one user in my slapd.conf, with these rules:
limits dn.exact="cn=user1,dc=domain,dc=com" size.soft=50 size.hard=50
limits anonymous size.soft=50 size.hard=50
limits users size.soft=50 size.hard=50
sizelimit unlimited
But "user1" isn't limited by these rules. If I set "sizelimit 50", syncrepl doesn't work, even if I set no limit in my syncrepl directive or set limits for the replicator user.
These rules were working fine in openldap 2.3.35 until I upgraded to 2.4.10. :-(
Does somebody have tips, manuals, or ideas to solve this issue?
Thanks.
Jeronimo Zucco wrote:
> Hi list. I'm trying to limit queries for one user in my slapd.conf,
> with these rules:
> limits dn.exact="cn=user1,dc=domain,dc=com" size.soft=50 size.hard=50
> limits anonymous size.soft=50 size.hard=50
> limits users size.soft=50 size.hard=50
> sizelimit unlimited
> But "user1" isn't limited by these rules. If I set "sizelimit 50",
> syncrepl doesn't work, even if I set no limit in my syncrepl directive or set limits for the replicator user.
> These rules were working fine in openldap 2.3.35 until I upgraded to
> 2.4.10. :-(
> Does somebody have tips, manuals, or ideas to solve this issue?
Works fine for me. What do you see in the slapd debug output? (Run with -d7) For example, I get:
SRCH "dc=example,dc=com" 2 0 0 0 0
ber_scanf fmt (m) ber:
filter: (objectClass=*)
ber_scanf fmt ({M}}) ber:
attrs: 1.1
==> limits_get: conn=1 op=1 dn="cn=bjorn jensen,ou=information technology division,ou=people,dc=example,dc=com"
<== limits_get: type=DN match=EXACT dn="cn=bjorn jensen,ou=information technology division,ou=people,dc=example,dc=com"
=> bdb_search
Howard Chu wrote:
> Jeronimo Zucco wrote:
>> Hi list. I'm trying to limit queries for one user in my slapd.conf,
>> with these rules:
>> limits dn.exact="cn=user1,dc=domain,dc=com" size.soft=50 size.hard=50
>> limits anonymous size.soft=50 size.hard=50
>> limits users size.soft=50 size.hard=50
>> sizelimit unlimited
>> But "user1" isn't limited by these rules. If I set "sizelimit 50",
>> syncrepl doesn't work, even if I set no limit in my syncrepl directive or set limits for the replicator user.
>> These rules were working fine in openldap 2.3.35 until I upgraded to
>> 2.4.10. :-(
>> Does somebody have tips, manuals, or ideas to solve this issue?
> Works fine for me. What do you see in the slapd debug output? (Run with -d7) For example, I get:
> SRCH "dc=example,dc=com" 2 0 0 0 0
> ber_scanf fmt (m) ber:
> filter: (objectClass=*)
> ber_scanf fmt ({M}}) ber:
> attrs: 1.1
> ==> limits_get: conn=1 op=1 dn="cn=bjorn jensen,ou=information technology division,ou=people,dc=example,dc=com"
> <== limits_get: type=DN match=EXACT dn="cn=bjorn jensen,ou=information technology division,ou=people,dc=example,dc=com"
> => bdb_search
I see:
<= get_ctrls: n=1 rc=0 err=""
attrs: * +
==> limits_get: conn=95 op=1 dn="cn=replicator,dc=domain,dc=com"
=> bdb_search
bdb_dn2entry("dc=ucs,dc=br")
base_candidates: base: "dc=domain,dc=com" (0x00000001)
send_ldap_result: conn=95 op=1 p=3
send_ldap_result: err=0 matched="" text=""
=> bdb_search
bdb_dn2entry("dc=domain,dc=com")
search_candidates: base="dc=domain,dc=com" (0x00000001) scope=2
=> bdb_dn2idl("dc=domain,dc=com")
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=-1 first=1 last=218544
=> send_search_entry: conn 95 dn="dc=domain,dc=com"
ber_flush2: 696 bytes to sd 47
It doesn't get limits_get: type=DN match=EXACT
:-(
Just one line correction:
Jeronimo Zucco wrote:
> I see:
> <= get_ctrls: n=1 rc=0 err=""
> attrs: * +
> ==> limits_get: conn=95 op=1 dn="cn=replicator,dc=domain,dc=com"
> => bdb_search
> bdb_dn2entry("dc=domain,dc=com")
> base_candidates: base: "dc=domain,dc=com" (0x00000001)
> send_ldap_result: conn=95 op=1 p=3
> send_ldap_result: err=0 matched="" text=""
> => bdb_search
> bdb_dn2entry("dc=domain,dc=com")
> search_candidates: base="dc=domain,dc=com" (0x00000001) scope=2
> => bdb_dn2idl("dc=domain,dc=com")
> => bdb_presence_candidates (objectClass)
> bdb_search_candidates: id=-1 first=1 last=218544
> => send_search_entry: conn 95 dn="dc=domain,dc=com"
> ber_flush2: 696 bytes to sd 47
> It doesn't get limits_get: type=DN match=EXACT
> :-(
Thanks for any help.
Just to clarify, I'm having the issue explained in these comments:
http://www.openldap.org/lists/openldap-bugs/200711/msg00142.html:
--- START ---
"hyc@symas.com wrote:
There have been at least 10 syncrepl-related fixes in 2.3 since 2.3.32, with substantial bug fixes and improvements. Please update and check if the issue has been already fixed.
This works as designed. The identity that the syncrepl consumer uses to retrieve results must have sufficient privilege to retrieve a complete set of results.
Right, I probably misunderstood the question. If it was related to the "sizelimit" option of the "syncrepl" statement, as far as I understand, that parameter sets the amount of data the consumer is willing to replicate, in case one wants to set up a partial replica. It must be set to "unlimited" (i.e. no "sizelimit" used) to replicate as much as possible of the producer. In the latter case, the amount of data a consumer can get depends on the size limit the producer is willing to return. For this purpose, the identity used by the consumer must have no size limits to work correctly. A "limits" statement that sets the size limit to "unlimited" for a "who" clause that includes the consumer's replication identity should be used.
--- END OF COPY ---
I'm trying to specify no limits for the replica user, without success. I believe this is an issue with the latest release of openldap.
Please let me know any tip for this problem.
Quoting Jeronimo Zucco jczucco@ucs.br:
> Just one line correction:
> Jeronimo Zucco wrote:
>> I see:
>> <= get_ctrls: n=1 rc=0 err=""
>> attrs: * +
>> ==> limits_get: conn=95 op=1 dn="cn=replicator,dc=domain,dc=com"
>> => bdb_search
>> bdb_dn2entry("dc=domain,dc=com")
>> base_candidates: base: "dc=domain,dc=com" (0x00000001)
>> send_ldap_result: conn=95 op=1 p=3
>> send_ldap_result: err=0 matched="" text=""
>> => bdb_search
>> bdb_dn2entry("dc=domain,dc=com")
>> search_candidates: base="dc=domain,dc=com" (0x00000001) scope=2
>> => bdb_dn2idl("dc=domain,dc=com")
>> => bdb_presence_candidates (objectClass)
>> bdb_search_candidates: id=-1 first=1 last=218544
>> => send_search_entry: conn 95 dn="dc=domain,dc=com"
>> ber_flush2: 696 bytes to sd 47
>> It doesn't get limits_get: type=DN match=EXACT
>> :-(
-- Jeronimo Zucco LPIC-1 Linux Professional Institute Certified Núcleo de Processamento de Dados Universidade de Caxias do Sul
Jeronimo Zucco wrote:
> Just to clarify, I'm having the issue explained in these comments:
> http://www.openldap.org/lists/openldap-bugs/200711/msg00142.html:
> I'm trying to specify no limits for the replica user, without success. I believe this is an issue with the latest release of openldap.
Again, it works for me.
> Please let me know any tip for this problem.
Post your full slapd configuration.
> It doesn't get limits_get: type=DN match=EXACT
> :-(
I've found what happened here:
1 - I put limits and sizelimit at the end of slapd.conf. You have to put them in the global section, after schemas and before ACLs;
2 - I've tried to use these rules:
limits anonymous size.soft=50 size.hard=50
limits dn.exact="cn=replicator_user,dc=domain,dc=com" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited time.soft=unlimited time.hard=unlimited
limits dn.exact="cn=user1,dc=domain,dc=com" size.soft=50 size.hard=100 time.soft=15 time.hard=60
limits users size.soft=50 size.hard=100 size.unchecked=32767 time.soft=15 time.hard=60
sizelimit unlimited
Are "limits users" and "limits dn.exact" compatible? I guess not.
Finally, these rules work for me:
limits anonymous size.soft=50 size.hard=50
limits dn.exact="cn=user1,dc=domain,dc=com" size.soft=50 size.hard=100 time.soft=15 time.hard=60
sizelimit unlimited
And I've removed the "limits users" from my configuration.
Thanks for help.
Jeronimo Zucco wrote:
> I've found what happened here: 1 - I put limits and sizelimit at the end of slapd.conf. You have to
> put them in the global section, after schemas and before ACLs;
No. First of all, the placement requirements did not change between OpenLDAP 2.3 and 2.4. Secondly, the "limits" directive is clearly documented (see slapd.conf(5)) as being a database setting, not a global setting.
When you originally posted, you implied that you simply updated to 2.4 from an existing 2.3 installation. It seems that in fact, you installed 2.4 and also modified your slapd.conf at the same time. When you fail to post relevant details about what you're working with, it uses up a lot more of everyone else's time to understand what you're doing and how to help you.
I'm glad you have this working now, but you still need to go back and reread slapd.conf(5). Your assumptions and understanding of how things work are still wrong, and if you need to make additional changes in the future you will probably run into other problems until you understand how it really works.
> 2 - I've tried to use these rules:
> limits anonymous size.soft=50 size.hard=50
> limits dn.exact="cn=replicator_user,dc=domain,dc=com" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited time.soft=unlimited time.hard=unlimited
> limits dn.exact="cn=user1,dc=domain,dc=com" size.soft=50 size.hard=100 time.soft=15 time.hard=60
> limits users size.soft=50 size.hard=100 size.unchecked=32767 time.soft=15 time.hard=60
> sizelimit unlimited
> Are "limits users" and "limits dn.exact" compatible? I guess not.
> Finally, these rules work for me:
> limits anonymous size.soft=50 size.hard=50
> limits dn.exact="cn=user1,dc=domain,dc=com" size.soft=50 size.hard=100 time.soft=15 time.hard=60
> sizelimit unlimited
> And I've removed the "limits users" from my configuration.
> Thanks for help.
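Howard's point that "limits" is a per-database directive, and Jeronimo's earlier question about whether "limits users" and "limits dn.exact" can coexist, can both be checked mechanically. The script below is an added example, not code from this thread or from OpenLDAP: it parses a constructed slapd.conf fragment, flags limits lines that appear before any database directive, and reports which rule a given bind DN would hit. It assumes slapd evaluates limits clauses in file order with the first match winning (an assumption here, not something the thread states), which is why a "limits users" line placed ahead of the replicator's dn.exact entry caps the consumer.

```python
import re

# Constructed slapd.conf fragment (not the poster's real file), carrying the two
# mistakes discussed in the thread: a 'limits' line before any 'database'
# directive, and 'limits users' listed ahead of the replicator's dn.exact rule.
SAMPLE_CONF = """\
include /etc/openldap/schema/core.schema
limits anonymous size.soft=50 size.hard=50
database bdb
suffix "dc=domain,dc=com"
limits users size.soft=50 size.hard=100 time.soft=15 time.hard=60
limits dn.exact="cn=replicator,dc=domain,dc=com" size.soft=unlimited size.hard=unlimited
"""

# Selector forms handled: anonymous, users, dn.exact="<dn>"; the rest is the limits.
LIMITS_RE = re.compile(r'^limits\s+(anonymous|users|dn\.exact="([^"]*)")\s+(.+)$')

def parse_conf(text):
    """Return (misplaced, per_db): limits lines seen before any 'database'
    directive, and a dict of database index -> [(selector, dn, limits), ...]."""
    misplaced, per_db, db = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("database"):
            db = len(per_db)          # a new database section starts here
            per_db[db] = []
        m = LIMITS_RE.match(line)
        if not m:
            continue
        rule = (m.group(1).split("=")[0], m.group(2), m.group(3))
        (misplaced if db is None else per_db[db]).append(rule)
    return misplaced, per_db

def effective_limits(rules, bind_dn):
    """Pick the rule a bind DN hits, taking rules in file order with the first
    match winning (assumed evaluation order). Returns None when nothing matches,
    in which case the global sizelimit/timelimit apply."""
    for selector, dn, limits in rules:
        if selector == "anonymous" and bind_dn == "":
            return limits
        if selector == "users" and bind_dn != "":
            return limits
        # Case-insensitive compare approximates slapd's DN normalisation.
        if selector == "dn.exact" and bind_dn.lower() == dn.lower():
            return limits
    return None

if __name__ == "__main__":
    misplaced, per_db = parse_conf(SAMPLE_CONF)
    for rule in misplaced:
        print("outside any database section:", rule)
    replicator = "cn=replicator,dc=domain,dc=com"
    print("replicator gets:", effective_limits(per_db[0], replicator))
    # Reordering so dn.exact precedes 'users' lifts the cap on the consumer.
    print("after reorder:", effective_limits(per_db[0][::-1], replicator))
```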
Howard Chu wrote:
> Jeronimo Zucco wrote:
>> I've found what happened here: 1 - I put limits and sizelimit at the end of slapd.conf. You
>> have to put them in the global section, after schemas and before ACLs;
> No. First of all, the placement requirements did not change between OpenLDAP 2.3 and 2.4. Secondly, the "limits" directive is clearly documented (see slapd.conf(5)) as being a database setting, not a global setting.
> When you originally posted, you implied that you simply updated to 2.4 from an existing 2.3 installation. It seems that in fact, you installed 2.4 and also modified your slapd.conf at the same time. When you fail to post relevant details about what you're working with, it uses up a lot more of everyone else's time to understand what you're doing and how to help you.
Howard, in my first post, I really just copied my slapd.conf from 2.3 to 2.4, and I had those limits rules at the end of slapd.conf. And that didn't work for me. I just told what happened; I'm sorry if I didn't give enough details of my configuration.
> I'm glad you have this working now, but you still need to go back and reread slapd.conf(5). Your assumptions and understanding of how things work are still wrong, and if you need to make additional changes in the future you will probably run into other problems until you understand how it really works.
Maybe slapd.conf.default could have samples of limits and sizelimit, including for when somebody uses replication. I wanted to post to the list how I fixed my issues just to help future LDAP administrators with the same problem, which isn't uncommon.
Thank you, anyway.