Linux LDAP getent passwd uidNumber Not Returning a Result

and updated May 15, 2017

The following post details the troubleshooting steps I took - and the solution - to figure out why command getent passwd uidNumber was not returning a result.

Overview

This particular LDAP server contains about 24,000 entries. The user POSIX uidNumbers are all over the place but many of them are above 10,000. On a client server that can successfully talk to the LDAP server, I am unable to run getent passwd uidNumber to lookup a user via their uidNumber. getent passwd uid works and after running getent passwd uid I can run getent passwd uidNumber of that same user and get a result.

For example, if user jbond has uidNumber 20000 and I run getent passwd 20000 on a client server that can talk to the LDAP server, I get no result. I will only get a result if I run getent passwd jbond before hand. Each time I run getent passwd 20000 without first looking up the uid, the Directory Server access log shows the following:

[23/Jan/2013:09:34:04 -0600] conn=24 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(uidNumber=20000)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap"
[23/Jan/2013:09:34:05 -0600] conn=24 op=3 RESULT err=11 tag=101 nentries=0 etime=1 notes=U

The useful part of the log above is err=11 which means the Administrative Limit was reached.

By default, Red Hat Directory Server 9 (389 Directory Server also applies) has a look through limit of 5000 set by attribute nsslapd-lookthroughlimit in cn=config,cn=ldbm database,cn=plugins,cn=config.

cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-lookthroughlimit: 5000

The getent passwd 20000 command has to look through well over 5000 users to find uidNumber 20000. So, the solution is to simply increase the nsslapd-lookthroughlimit attribute to be over the total amount of entries in the LDAP database.

Modify the nsslapd-lookthroughlimit Attribute

From a Linux server that can talk to the LDAP server, type the following command:

ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c

Then copy the following into the shell and hit Enter twice or Ctrl + D:

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 100000

This is a global change, but it can be applied on a per user basis. So, for a more restrictive use case, you could create an LDAP user to bind against and set the nsslapd-lookthroughlimit attribute specifically for that user. Then only users binding against LDAP with that LDAP user have the ability to look through over 5000 users.

References