[Freeipa-users] winsync agreement wipes IPA users

Rich Megginson rmeggins at redhat.com
Thu Sep 27 15:49:54 UTC 2012


On 09/25/2012 09:46 PM, Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi,
>>
>> I don't have a ldapmodify command for changing something in AD.
>>
>> I have increased the only scope I/we know about which is the return 
>> of objects from a search inside the AD gui but that might be specific 
>> to that view tool. That is 2000 by default, I've set 40000, I am 
>> testing it now, if that doesn't work....
>>
>> Our best AD person is currently researching to see if it's even 
>> possible to alter that hard code in AD.  The only way he can see is 
>> using a Windows/AD specific command line command to modify the 
>> internals of AD but he's never seen or read about doing it for this 
>> attribute.
>
> Rich knows more about this than me, so maybe he knows what value 
> you're changing, but I don't. Where exactly in the AD gui are you 
> changing the value to 40k?

There are limits you can set that apply only to the GUI, and there are 
limits you can set which apply to LDAP.  It's possible you set some 
limits which only apply to the Windows GUI.

http://support.microsoft.com/kb/315071

I don't see any setting which directly corresponds to sizelimit.  The 
only ones that control the size of the result set are: MaxPageSize, 
which seems only to apply to paged result searches; MaxTempTableSize, 
which sounds something like our idlistscanlimit and could be applicable 
here; and MaxResultSetSize, which could also be applicable here.

Do you have more than 10000 entries in your Active Directory?  Might AD 
be attempting to return more than 262,144 bytes?



>
> regards
>
> rob
>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 26 September 2012 1:31 p.m.
>> To: Rich Megginson
>> Cc: Steven Jones; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> Rich Megginson wrote:
>>> On 09/25/2012 03:34 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> I have set the filter size as 20000 for the user and it makes no
>>>> difference.
>>> Where did you set this?  In IPA?  In AD?  If so, where? How?
>>> What does "filter size" mean?  To me, it means "the size of an LDAP
>>> search filter in an LDAP search request" not "the maximum number of
>>> entries returned by a search".
>>
>> The more details you can provide on what you did the better. This might
>> include the exact ldapmodify command, where you entered it in AD, the
>> attribute names, whichever is applicable.
>>
>> regards
>>
>> rob
>>
>>
>



