Linux LDAP getent passwd uidNumber Not Returning a Result

Monday, January 28, 2013

This particular LDAP server holds about 24,000 entries. The POSIX uidNumber values are scattered, and many of them are above 10,000. On a client that can successfully talk to the LDAP server, getent passwd <uidNumber> returns nothing, while getent passwd <uid> works; and once getent passwd <uid> has been run for a user, getent passwd <uidNumber> for that same user does return a result.

For example, if user jbond has uidNumber 20000 and I run getent passwd 20000 on such a client, I get no result; I only get one if I run getent passwd jbond first. Each time getent passwd 20000 is run without first looking up the uid, the Directory Server access log shows the following:

[23/Jan/2013:09:34:04 -0600] conn=24 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(uidNumber=20000)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap"
[23/Jan/2013:09:34:05 -0600] conn=24 op=3 RESULT err=11 tag=101 nentries=0 etime=1 notes=U

The useful parts of the log above are err=11, which is the LDAP result code adminLimitExceeded (the server hit an administrative limit before it finished the search), and notes=U, which means the search was unindexed: instead of using an index on uidNumber, the server had to walk through candidate entries one at a time.

By default, Red Hat Directory Server 9 (and 389 Directory Server, on which it is based) sets a look-through limit of 5000 via the attribute nsslapd-lookthroughlimit in cn=config,cn=ldbm database,cn=plugins,cn=config. An unindexed search stops after examining that many candidate entries and returns nothing, so with about 24,000 entries any user that is not among the first 5000 candidates is never found by getent passwd 20000. The fix described here is to raise nsslapd-lookthroughlimit above the total number of entries in the database. (Adding an equality index on uidNumber would instead make the search indexed, so it never counts against the look-through limit; that is the usual alternative when notes=U shows up in the log.)
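To find which searches are actually running into the limit on a busy server, the access log can be scanned for RESULT lines carrying err=11 and joined back to the SRCH line of the same conn/op, which holds the filter. The shell function below is an added example and not part of the original post; the sample log lines it ships with are constructed from the ones above, and the log path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): correlate 389-DS / RHDS access-log
# RESULT lines with err=11 (administrative limit exceeded) with the SRCH line of
# the same conn/op, so the filter that hit the look-through limit is visible.
# Usage: adminlimit_hits /var/log/dirsrv/slapd-INSTANCE/access   (placeholder path)

adminlimit_hits() {
    awk '
        # Remember the filter of every SRCH, keyed by "conn=N op=M".
        /SRCH/ {
            key = $0; sub(/^.*conn=/, "conn=", key); sub(/ SRCH.*$/, "", key)
            filt = $0; sub(/^.*filter="/, "", filt); sub(/".*$/, "", filt)
            filter[key] = filt
        }
        # err=11 means an administrative limit (here the look-through limit) was
        # reached; notes=U on the same line says the search was unindexed.
        /RESULT err=11 / {
            key = $0; sub(/^.*conn=/, "conn=", key); sub(/ RESULT.*$/, "", key)
            idx = ($0 ~ /notes=U/) ? "unindexed" : "indexed"
            printf "%s %s filter=%s\n", key, idx, (key in filter) ? filter[key] : "?"
        }
    ' "$1"
}

# Constructed sample access log (modelled on the lines in the post) so the
# function can be exercised offline. $1 is the file to write.
write_sample_log() {
    cat > "$1" <<'EOF'
[23/Jan/2013:09:34:04 -0600] conn=24 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(uidNumber=20000)(objectClass=posixAccount))" attrs="objectClass uid uidNumber gidNumber"
[23/Jan/2013:09:34:05 -0600] conn=24 op=3 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
[23/Jan/2013:09:34:07 -0600] conn=24 op=4 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=jbond)(objectClass=posixAccount))" attrs="objectClass uid uidNumber gidNumber"
[23/Jan/2013:09:34:07 -0600] conn=24 op=4 RESULT err=0 tag=101 nentries=1 etime=0
EOF
}

# Stand-alone demo: with no argument, run against the constructed sample;
# otherwise scan the access log given as $1.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    adminlimit_hits "$tmp"
    rm -f "$tmp"
else
    adminlimit_hits "$1"
fi
```

On the sample this prints one line, conn=24 op=3 unindexed filter=(&(uidNumber=20000)(objectClass=posixAccount)), and stays silent for the indexed uid lookup that succeeded. Run it against the real access log to see whether only uidNumber (and possibly gidNumber) lookups hit the limit, which tells you whether an index or a higher limit is the better fix.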

LDAP Server Default Settings

cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-lookthroughlimit: 5000

Modify the nsslapd-lookthroughlimit Attribute

Type the following command:

ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c

Then copy the following into the shell and hit Enter twice or Ctrl + D:

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 100000

This is a global change, but the limit can also be overridden per bind DN. For a more restrictive setup, create a dedicated LDAP user for the clients to bind as and set the operational attribute nsLookThroughLimit on that user's entry, leaving nsslapd-lookthroughlimit in cn=config at its default. Then only searches made under that bind DN are allowed to look through more than 5000 entries, while anonymous and all other binds keep the default limit.
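Both forms of the change as LDIF, the global one from the section above and the per-bind-DN override, as an added example that is not from the original post. The bind DN uid=nss-bind,ou=People,dc=example,dc=com is a hypothetical service account, the limit values are illustrative, and the ldapmodify options follow the OpenLDAP client used above.

```shell
#!/bin/sh
# Added example (not from the original post): build the LDIF for the two ways of
# raising the look-through limit and, on request, feed it to ldapmodify.
# Assumptions: uid=nss-bind,ou=People,dc=example,dc=com is a hypothetical service
# account; 100000 and -1 are illustrative values.

# LDIF for the global change: the ldbm plugin's cn=config entry.
# $1 = new value of nsslapd-lookthroughlimit
global_lookthrough_ldif() {
    printf '%s\n' \
        'dn: cn=config,cn=ldbm database,cn=plugins,cn=config' \
        'changetype: modify' \
        'replace: nsslapd-lookthroughlimit' \
        "nsslapd-lookthroughlimit: $1"
}

# LDIF for the per-bind-DN override: 389 DS / RHDS honour the operational
# attribute nsLookThroughLimit on the entry that binds, so only that account
# escapes the global limit. A value of -1 means unlimited.
# $1 = DN of the binding user, $2 = limit for that user
user_lookthrough_ldif() {
    printf '%s\n' \
        "dn: $1" \
        'changetype: modify' \
        'replace: nsLookThroughLimit' \
        "nsLookThroughLimit: $2"
}

# Apply an LDIF read from stdin. Needs network access to the server, so it is
# not run by the demo below. $1 = server host, $2 = admin bind DN.
# -c continues past errors, -S records rejected entries in errors.txt.
apply_ldif() {
    ldapmodify -x -H "ldap://$1" -D "$2" -W -c -S errors.txt
}

# Stand-alone demo: print both LDIFs. To apply one, pipe it in, e.g.
#   user_lookthrough_ldif 'uid=nss-bind,ou=People,dc=example,dc=com' -1 \
#       | apply_ldif ldap.example.com 'cn=Directory Manager'
global_lookthrough_ldif 100000
echo
user_lookthrough_ldif 'uid=nss-bind,ou=People,dc=example,dc=com' -1
```

After applying the per-user override, rerun getent passwd 20000 from a client configured to bind as that DN and confirm the access log shows RESULT err=0 with nentries=1 for the uidNumber search; a client still binding anonymously will keep logging err=11.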

References

How to count large number of attribute entries using an anonymous bind
