Bug#378832: [Pkg-openldap-devel] Bug#378832: limits directive is not
working in slapd.conf
Alexander Samad
alex at samad.com.au
Wed Jul 19 21:42:12 UTC 2006
On Wed, Jul 19, 2006 at 09:14:41PM +0200, Matthijs Mohlmann wrote:
>
> Quanah Gibson-Mount wrote:
> >> Package: slapd
> >> Version: 2.3.24-1
> >> Severity: important
> >>
> >> Hi
> >>
> >> I have tried using
> >>
> >> limits users size=1000
> >>
> >> but when I try to ldapsearch I get an error 4 size limit.
> >>
> >> when I change it to
> >>
> >> sizelimit 1000
> >>
> >> and retry the ldapsearch it works. I don't want to open up the limits
> >> to every on
> >>
> >
> I've tested this and I can confirm that it doesn't work for me too.
> Where did you place the limits directive in the configuration ?
I placed it just after the schema includes. I also tried it in a backend
definition but that failed.
>
> > I would suggest sending OpenLDAP usage questions to
> > openldap-software at openldap.org.
> >
> > I will note that the limits command works just fine for me in the areas
> > I use it, for example:
> >
> > # Let the ispace principal have a search of 5000 entries
> > limits dn.exact="cn=abcd,cn=Service,cn=Applications,dc=stanford,dc=edu" time.soft=unlimited time.hard=unlimited size.soft=5000 size.hard=5000
I initially tried it with a dn.exact as well, but just specifying
size=1000 and different derivations, but none of them worked
> >
> I've tried this example on a fresh install of slapd but I still can't
> get that to work. Do you have some pointers to get some more information
> about the parameter?
>
> I tried this:
> limits users time.soft=unlimited time.hard=unlimited size.soft=1 size.hard=1
> limits anonymous time.soft=unlimited time.hard=unlimited size.soft=1 size.hard=1
> limits dn.exact="cn=test,dc=cacholong,dc=nl" time.soft=unlimited time.hard=unlimited size.soft=1 size.hard=1
>
> Running slapd -d 64 shows that the configuration file is ok. And that
> the directive is allowed there.
I am using slapd 2.3.24-1
>
> But neither of these examples work for me... probably I have a stupid
> thingie in the configuration file but I couldn't find it. Attached my
> slapd.conf.
> >
> > --Quanah
>
> Regards,
>
> Matthijs Mohlmann
>
> # This is the main slapd configuration file. See slapd.conf(5) for more
> # info on the configuration options.
>
> #######################################################################
> # Global Directives:
>
> # Features to permit
> #allow bind_v2
>
> # Schema and objectClass definitions
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
>
> # Schema check allows for forcing entries to
> # match schemas for their objectClasses's
> schemacheck on
>
> # Where the pid file is put. The init.d script
> # will not stop the server if you change this.
> pidfile /var/run/slapd/slapd.pid
>
> # List of arguments that were passed to the server
> argsfile /var/run/slapd.args
>
> # Read slapd.conf(5) for possible values
> loglevel 0
>
> # Where the dynamically loaded modules are stored
> modulepath /usr/lib/ldap
> moduleload back_bdb
>
> # The maximum number of entries that is returned for a search operation
> sizelimit 500
>
> # The tool-threads parameter sets the actual amount of cpu's that is used
> # for indexing.
> tool-threads 1
>
> # Limits
> limits dn.exact="cn=test,dc=cacholong,dc=nl" time.hard=unlimited time.soft=unlimited size.hard=1 size.soft=1
>
> #######################################################################
> # Specific Backend Directives for bdb:
> # Backend specific directives apply to this backend until another
> # 'backend' directive occurs
> backend bdb
> checkpoint 512 30
>
> #######################################################################
> # Specific Backend Directives for 'other':
> # Backend specific directives apply to this backend until another
> # 'backend' directive occurs
> #backend <other>
>
> #######################################################################
> # Specific Directives for database #1, of type bdb:
> # Database specific directives apply to this database until another
> # 'database' directive occurs
> database bdb
>
> # The base of your directory in database #1
> suffix "dc=cacholong,dc=nl"
>
> # Where the database file are physically stored for database #1
> directory "/var/lib/ldap"
>
> # For the Debian package we use 2MB as default but be sure to update this
> # value if you have plenty of RAM
> dbconfig set_cachesize 0 2097152 0
>
> # Sven Hartge reported that he had to set this value incredibly high
> # to get slapd running at all. See http://bugs.debian.org/303057
> # for more information.
>
> # Number of objects that can be locked at the same time.
> dbconfig set_lk_max_objects 1500
> # Number of locks (both requested and granted)
> dbconfig set_lk_max_locks 1500
> # Number of lockers
> dbconfig set_lk_max_lockers 1500
>
> # Indexing options for database #1
> index objectClass eq
>
> # Save the time that the entry gets modified, for database #1
> lastmod on
>
> # Where to store the replica logs for database #1
> # replogfile /var/lib/ldap/replog
>
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> access to attrs=userPassword
>         by dn="cn=admin,dc=cacholong,dc=nl" write
>         by anonymous auth
>         by self write
>         by * none
>
> # Ensure read access to the base for things like
> # supportedSASLMechanisms. Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
>
> # The admin dn has full write access, everyone else
> # can read everything.
> access to *
>         by dn="cn=admin,dc=cacholong,dc=nl" write
>         by * read
>
> # For Netscape Roaming support, each user gets a roaming
> # profile for which they have write access to
> #access to dn=".*,ou=Roaming,o=morsnet"
> #        by dn="cn=admin,dc=cacholong,dc=nl" write
> #        by dnattr=owner write
>
> #######################################################################
> # Specific Directives for database #2, of type 'other' (can be bdb too):
> # Database specific directives apply to this database until another
> # 'database' directive occurs
> #database <other>
>
> # The base of your directory for database #2
> #suffix "dc=debian,dc=org"
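
slapd.conf(5) documents `limits` under the general database options, so when comparing the placements tried in this thread it helps to see which section each limit directive actually falls in. The sketch below is an added example, not code from the thread or from OpenLDAP; the sample config is constructed to follow the layout of the attachment above, and the second `limits` line inside the database section is hypothetical.

```python
# Added example: report the section each limit directive of a slapd.conf is in.

# Constructed sample laid out like the attachment; the second "limits" line,
# inside the database section, is hypothetical.
SAMPLE = """\
# Global Directives:
include /etc/ldap/schema/core.schema
sizelimit 500
limits dn.exact="cn=test,dc=cacholong,dc=nl" time.hard=unlimited
  time.soft=unlimited size.hard=1 size.soft=1

backend bdb
checkpoint 512 30

database bdb
suffix "dc=cacholong,dc=nl"
limits users size.soft=1000
  size.hard=1000
"""

LIMIT_KEYWORDS = {"limits", "sizelimit", "timelimit"}


def logical_lines(text):
    """Unwrap continuation lines (leading whitespace), then drop blanks and comments."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and raw.strip() and lines:
            lines[-1] = (lines[-1] + " " + raw.strip()).strip()
        else:
            lines.append(raw.strip())
    return [l for l in lines if l and not l.startswith("#")]


def limit_scopes(text):
    """Return (section, directive) for every limit-related directive."""
    section, db_count, found = "global", 0, []
    for line in logical_lines(text):
        words = line.split()
        keyword = words[0].lower()
        kind = words[1] if len(words) > 1 else "?"
        if keyword == "backend":
            section = f"backend {kind}"
        elif keyword == "database":
            db_count += 1
            section = f"database #{db_count} ({kind})"
        elif keyword in LIMIT_KEYWORDS:
            found.append((section, line))
    return found


if __name__ == "__main__":
    for section, directive in limit_scopes(SAMPLE):
        print(f"{section:20} {directive}")
```

Run against a real file with `limit_scopes(open("/etc/ldap/slapd.conf").read())`; a `limits` line reported as `global` sits before any `database` directive.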