Dear list members,
Is there a mechanism to control access limits in openldap 2.3 similar to what can be achieved with the openldap 2.4 limits directive (http://www.openldap.org/doc/admin24/limits.html)?
Apart from sizelimit and timelimit, which are not dn specific and therefore do not allow the same fine tuning as the limits directive, I haven't found anything. Maybe I missed it?
Thanks,
--
Oliver Henriot B.Sc. Ph.D. | Technicien de Maintenance Moyens Informatiques et Multimédia | UMS MI2S | http://mi2s.imag.fr/
Domaine universitaire BP53 | 38041 Grenoble cedex 9 | France
tel.: +33 4 76 51 43 48 | fax: +33 4 76 51 47 15
--On Monday, March 02, 2009 4:22 PM +0100 Oliver Henriot Oliver.Henriot@imag.fr wrote:
> Dear list members,
> Is there a mechanism to control access limits in openldap 2.3 similar to what can be achieved with the openldap 2.4 limits directive (http://www.openldap.org/doc/admin24/limits.html)?
> Apart from sizelimit and timelimit, which are not dn specific and therefore do not allow the same fine tuning as the limits directive, I haven't found anything. Maybe I missed it?
The "limits" directive is also part of OpenLDAP 2.3.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Dear Quanah and list members,
Indeed, man slapd.conf should have been my first guess. Thank you for pointing it out.
Nonetheless, I can't get the limits to work. In my master slapd.conf I have :
limits dn.exact="cn=repuser,dc=mydom,dc=fr" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited
In my replica slapd.conf syncrepl section I have :
bindmethod=simple binddn="cn=repuser,dc=mydom,dc=fr" credentials=secret updatedn="cn=repuser,dc=mydom,dc=fr"
However, when I try to sync the replica with the master, it stops after looking up 500 entries. I end up with an incomplete replica which never goes beyond the same point. The limit is confirmed by :
# grep be_search slapd.log | wc -l
500
in the replica log (I set loglevel to 16384 for this test). That, with the fact that I couldn't find the limits directive in the openldap documentation, is what made me wrongly presume that limits didn't work in openldap 2.3. Sorry for the confusion.
If I use "sizelimit unlimited" in my master slapd.conf the problem disappears without modifying any other parameter.
I presume it's my limits directive that has a problem. I don't think it's the user dn, the user exists in the master directory :
$ ldapsearch -x -H ldaps://master.mydom.fr:636/ -b "dc=mydom,dc=fr" -LLL "(cn=repuser)" dn
dn: cn=repuser,dc=mydom,dc=fr
and anyway it wouldn't work at all, not just for 500 entries.
So why are default limits overriding my limits? I really can't work out what I'm doing wrong. Any help would be greatly appreciated.
Thanks,
In his great wisdom, Quanah Gibson-Mount wrote on 02.03.2009 18:45:
> --On Monday, March 02, 2009 4:22 PM +0100 Oliver Henriot Oliver.Henriot@imag.fr wrote:
> > Dear list members,
> > Is there a mechanism to control access limits in openldap 2.3 similar to what can be achieved with the openldap 2.4 limits directive (http://www.openldap.org/doc/admin24/limits.html)?
> > Apart from sizelimit and timelimit, which are not dn specific and therefore do not allow the same fine tuning as the limits directive, I haven't found anything. Maybe I missed it?
> The "limits" directive is also part of OpenLDAP 2.3.
> --Quanah
> --
> Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc
> Zimbra :: the leader in open source messaging and collaboration
--
Oliver Henriot B.Sc. Ph.D. | Technicien de Maintenance Moyens Informatiques et Multimédia | UMS MI2S | http://mi2s.imag.fr/
Domaine universitaire BP53 | 38041 Grenoble cedex 9 | France
tel.: +33 4 76 51 43 48 | fax: +33 4 76 51 47 15
Oliver Henriot wrote:
> Dear Quanah and list members,
> Indeed, man slapd.conf should have been my first guess. Thank you for pointing it out.
> Nonetheless, I can't get the limits to work. In my master slapd.conf I have :
> limits dn.exact="cn=repuser,dc=mydom,dc=fr" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited
Where did you put this statement? It's supposed to be in the database specific configuration. Also, did you check any configuration error message (use -d config)? OpenLDAP up to 2.3 ignores incorrect statements, rather than bailing out like 2.4 does.
p.
> In my replica slapd.conf syncrepl section I have :
> bindmethod=simple binddn="cn=repuser,dc=mydom,dc=fr" credentials=secret updatedn="cn=repuser,dc=mydom,dc=fr"
> However, when I try to sync the replica with the master, it stops after looking up 500 entries. I end up with an incomplete replica which never goes beyond the same point. The limit is confirmed by :
> # grep be_search slapd.log | wc -l
> 500
> in the replica log (I set loglevel to 16384 for this test). That, with the fact that I couldn't find the limits directive in the openldap documentation, is what made me wrongly presume that limits didn't work in openldap 2.3. Sorry for the confusion.
> If I use "sizelimit unlimited" in my master slapd.conf the problem disappears without modifying any other parameter.
> I presume it's my limits directive that has a problem. I don't think it's the user dn, the user exists in the master directory :
> $ ldapsearch -x -H ldaps://master.mydom.fr:636/ -b "dc=mydom,dc=fr" -LLL "(cn=repuser)" dn
> dn: cn=repuser,dc=mydom,dc=fr
> and anyway it wouldn't work at all, not just for 500 entries.
> So why are default limits overriding my limits? I really can't work out what I'm doing wrong. Any help would be greatly appreciated.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it
Dear Pierangelo and list members,
Mea culpa. I had put it in the global section (with the sizelimit directive), not in the database section. Sorry for taking up your time with such an obvious mistake and thank you ever so much for your help. It indeed works fine now.
Best regards,
In his great wisdom, Pierangelo Masarati wrote on 03.03.2009 09:39:
> Oliver Henriot wrote:
> > Dear Quanah and list members,
> > Indeed, man slapd.conf should have been my first guess. Thank you for pointing it out.
> > Nonetheless, I can't get the limits to work. In my master slapd.conf I have :
> > limits dn.exact="cn=repuser,dc=mydom,dc=fr" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited
> Where did you put this statement? It's supposed to be in the database specific configuration. Also, did you check any configuration error message (use -d config)? OpenLDAP up to 2.3 ignores incorrect statements, rather than bailing out like 2.4 does.
> p.
> > In my replica slapd.conf syncrepl section I have :
> > bindmethod=simple binddn="cn=repuser,dc=mydom,dc=fr" credentials=secret updatedn="cn=repuser,dc=mydom,dc=fr"
> > However, when I try to sync the replica with the master, it stops after looking up 500 entries. I end up with an incomplete replica which never goes beyond the same point. The limit is confirmed by :
> > # grep be_search slapd.log | wc -l
> > 500
> > in the replica log (I set loglevel to 16384 for this test). That, with the fact that I couldn't find the limits directive in the openldap documentation, is what made me wrongly presume that limits didn't work in openldap 2.3. Sorry for the confusion.
> > If I use "sizelimit unlimited" in my master slapd.conf the problem disappears without modifying any other parameter.
> > I presume it's my limits directive that has a problem. I don't think it's the user dn, the user exists in the master directory :
> > $ ldapsearch -x -H ldaps://master.mydom.fr:636/ -b "dc=mydom,dc=fr" -LLL "(cn=repuser)" dn
> > dn: cn=repuser,dc=mydom,dc=fr
> > and anyway it wouldn't work at all, not just for 500 entries.
> > So why are default limits overriding my limits? I really can't work out what I'm doing wrong. Any help would be greatly appreciated.
> Ing. Pierangelo Masarati OpenLDAP Core Team
> SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
> Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it
--
Oliver Henriot B.Sc. Ph.D. | Technicien de Maintenance Moyens Informatiques et Multimédia | UMS MI2S | http://mi2s.imag.fr/
Domaine universitaire BP53 | 38041 Grenoble cedex 9 | France
tel.: +33 4 76 51 43 48 | fax: +33 4 76 51 47 15
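A check for the misplacement diagnosed in this thread, as an added example that is not part of the original messages: it reports any limits directive that appears before the first database line of a slapd.conf-style file, the position where, per the thread, OpenLDAP 2.3 ignored it without an error. The sample configurations, the bdb backend line and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find "limits" directives placed in the
# global section of a slapd.conf-style file, i.e. before the first "database".

# Reads the file named in $1, or stdin. Prints "LINE: directive" for every
# misplaced limits directive and returns 1 if any was found, 0 otherwise.
find_global_limits() {
    awk '
        # Skip comments, blank lines and continuation lines (leading whitespace).
        /^#/ || /^$/ || /^[ \t]/ { next }
        { keyword = tolower($1) }
        keyword == "database" { in_db = 1; next }
        keyword == "limits" && !in_db { printf "%d: %s\n", NR, $0; bad = 1 }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the mistake from the thread, limits next to sizelimit.
sample_broken() {
    cat <<'EOF'
# global section
sizelimit 500
limits dn.exact="cn=repuser,dc=mydom,dc=fr" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited
database bdb
suffix "dc=mydom,dc=fr"
EOF
}

# Constructed sample: the same directive moved into the database section.
sample_fixed() {
    cat <<'EOF'
# global section
sizelimit 500
database bdb
suffix "dc=mydom,dc=fr"
limits dn.exact="cn=repuser,dc=mydom,dc=fr" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited
EOF
}

sample_broken | find_global_limits || echo "limits found in the global section"
sample_fixed | find_global_limits && echo "fixed layout: no misplaced limits"
```

Run it against a real file with `find_global_limits /path/to/slapd.conf`; a non-zero return means at least one limits directive needs to move below a database line.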
openldap-technical@openldap.org