[Fedora-directory-devel] Administrative limit exceeded with no results returned

Rich Megginson rmeggins at redhat.com
Thu Sep 25 16:10:52 UTC 2008


Graham Leggett wrote:
> Hi all,
>
> I am having some sudden bizarre behaviour from fedora-ds-1.1.2-1.fc6.
>
> The following query, logged in as a specific user created for our 
> mailserver, has suddenly since this morning returned the error 
> "Administrative limit exceeded":
>
> '(&(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com)))' 
>
>
> When the exact same query is made using the Directory Manager, it 
> returns zero records, which is correct (no entries exist in 
> the directory called imausa.net).
>
> According to the documentation for the error message "Administrative 
> limit exceeded", this error will be thrown when more than by default 
> 1000 rows are returned during a query by a user other than the 
> Directory Manager.
Not exactly.  You are most likely hitting the look through limit.  Is 
associatedDomain indexed for equality?  Are there more than 1000 entries 
that have the associatedDomain attribute?  In order to satisfy the NOT 
filter (!) the database has to look through all of the records in the 
database.
See http://tinyurl.com/5yjk6m
Directory Manager is immune to look through limits and other such 
limits.  That's why the search succeeds as Directory Manager.
You can set specific look through limits and other limits for individual 
or groups of users - see http://tinyurl.com/2sy8bl
>
> When I last looked though, zero records was well less than 1000, and I 
> am completely stumped.
>
> Trying a domain that is hosted in this server, the query returns one 
> single record, as expected, as the Directory Manager user.
>
> Trying the same query as the specific user created for our mailserver, 
> we again get "Administrative limit exceeded".
>
> Has anybody encountered an error like this before?
>
> In answer to "what's changed recently", the number of records in the 
> LDAP server was increased from just over 1000 records to around 7000 
> records, although I cannot be sure if this is related.
That is most definitely the culprit.
> The records have nothing whatsoever to do with the objects being 
> queried by our mailserver in this case.
It doesn't matter, since they exist in the same database and have to be 
"looked through".
>
> Regards,
> Graham
>   
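
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Fedora DS code: a simplified model of a look-through limit, showing how a search with zero matching entries can still end in "Administrative limit exceeded" when no index narrows the candidate list. The entries, the index dictionary and the limit of 5000 are constructed assumptions; `lookthrough_limit=None` models an identity that is exempt from the limit, as Directory Manager is.

```python
ALLIDS = None  # sentinel: no index narrowed the search, so every entry is a candidate

def candidates(flt, indexes):
    """Candidate entry IDs for a filter tuple, or ALLIDS when indexes cannot narrow it."""
    op = flt[0]
    if op == "eq":
        _, attr, value = flt
        if attr not in indexes:          # unindexed attribute
            return ALLIDS
        return set(indexes[attr].get(value, ()))
    if op == "not":                      # a negation alone selects "everything else"
        return ALLIDS
    result = ALLIDS                      # op == "and": intersect the narrowed terms
    for sub in flt[1:]:
        ids = candidates(sub, indexes)
        if ids is not ALLIDS:
            result = ids if result is ALLIDS else result & ids
    return result

def matches(flt, entry):
    """Evaluate the filter against one entry (the per-entry 'look through' step)."""
    op = flt[0]
    if op == "eq":
        return flt[2] in entry.get(flt[1], ())
    if op == "not":
        return not matches(flt[1], entry)
    return all(matches(sub, entry) for sub in flt[1:])

def search(entries, flt, indexes, lookthrough_limit):
    """Return (hits, result). lookthrough_limit=None models an exempt identity."""
    ids = candidates(flt, indexes)
    if ids is ALLIDS:
        ids = range(len(entries))
    hits = []
    for looked, i in enumerate(sorted(ids)):
        if lookthrough_limit is not None and looked >= lookthrough_limit:
            return hits, "Administrative limit exceeded"
        if matches(flt, entries[i]):
            hits.append(i)
    return hits, "success"

# Constructed directory: 7000 entries, one of which carries associatedDomain.
ENTRIES = [{"uid": ["user%d" % n]} for n in range(7000)]
ENTRIES[6500]["associatedDomain"] = ["hosted.example.com"]
EQ_INDEX = {"associatedDomain": {"hosted.example.com": [6500]}}
FILTER = ("and", ("eq", "associatedDomain", "imausa.net"),
                 ("not", ("eq", "associatedDomain", "rachel.example.com")))
LIMIT = 5000  # assumed look-through limit for the non-exempt bind
```

Calling `search(ENTRIES, FILTER, {}, LIMIT)` models the mail server's bind without an index, `search(ENTRIES, FILTER, {}, None)` models the exempt identity, and passing `EQ_INDEX` models the same search once the attribute has an equality index.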
