Monday, January 28, 2013
The following post details the troubleshooting steps I took - and the solution - to figure out why command
getent passwd uidNumber was not returning a result.
This particular LDAP server contains about 24,000 entries. The user POSIX uidNumbers are all over the place but many of them are above 10,000. On a client server that can successfully talk to the LDAP server, I am unable to run
getent passwd uidNumber to lookup a user via their uidNumber.
getent passwd uid works and after running
getent passwd uid I can run
getent passwd uidNumber of that same user and get a result.
For example, if user jbond has uidNumber 20000 and I run
getent passwd 20000 on a client server that can talk to the LDAP server, I get no result. I will only get a result if I run
getent passwd jbond before hand. Each time I run
getent passwd 20000 without first looking up the uid, the Directory Server access log shows the following:
[23/Jan/2013:09:34:04 -0600] conn=24 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(uidNumber=20000)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap" [23/Jan/2013:09:34:05 -0600] conn=24 op=3 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
The useful part of the log above is err=11 which means the Administrative Limit was reached.
By default, Red Hat Directory Server 9 (389 Directory Server also applies) has a look through limit of 5000 set by attribute nsslapd-lookthroughlimit in cn=config,cn=ldbm database,cn=plugins,cn=config.
cn=config,cn=ldbm database,cn=plugins,cn=config nsslapd-lookthroughlimit: 5000
getent passwd 20000 command has to look through well over 5000 users to find uidNumber 20000. So, the solution is to simply increase the nsslapd-lookthroughlimit attribute to be over the total amount of entries in the LDAP database.
From a Linux server that can talk to the LDAP server, type the following command:
ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c
Then copy the following into the shell and hit Enter twice or Ctrl + D:
dn: cn=config,cn=ldbm database,cn=plugins,cn=config changetype: modify replace: nsslapd-lookthroughlimit nsslapd-lookthroughlimit: 100000
This is a global change, but it can be applied on a per user basis. So, for a more restrictive use case, you could create an LDAP user to bind against and set the nsslapd-lookthroughlimit attribute specifically for that user. Then only users binding against LDAP with that LDAP user have the ability to look through over 5000 users.