ThorneLabs

Linux LDAP getent passwd uidNumber Not Returning a Result

• Updated March 17, 2019


The Linux command getent passwd uidNumber was not returning a result. The LDAP server in question held about 24,000 entries, and the users' POSIX uidNumbers were all over the place, many of them above 10,000. On a client that could otherwise talk to the LDAP server fine, getent passwd with a uidNumber returned nothing, while getent passwd with the user name (the uid attribute) worked. Once I had looked a user up by name, getent passwd with that same user's uidNumber returned a result as well.

For example, if user jbond has uidNumber 20000 and I run getent passwd 20000 on a client server that can talk to the LDAP server, I get no result. I only get a result if I run getent passwd jbond beforehand, which points at the client's name-service cache (nscd or SSSD) answering the second lookup from the entry it fetched by name rather than the directory answering it. Each time I run getent passwd 20000 without first looking up the user by name, the Directory Server access log shows the following:

[23/Jan/2013:09:34:04 -0600] conn=24 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(uidNumber=20000)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap"
[23/Jan/2013:09:34:05 -0600] conn=24 op=3 RESULT err=11 tag=101 nentries=0 etime=1 notes=U

The useful parts of the log above are on the RESULT line. err=11 is LDAP result code 11, adminLimitExceeded: the server abandoned the search because an administrative limit was reached before it finished, which is why nentries=0 even though the entry exists. notes=U flags the search as unindexed: the (uidNumber=20000) part of the filter could not be answered from an index, so the server was walking candidate entries one by one. The lookup by name works because uid is indexed by default and is answered straight from the index.
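To find every search in an access log that hit this limit, not just the one you happen to be watching, the following added shell script (not code from the original post) pairs each RESULT line carrying err=11 with the SRCH line of the same conn and op and prints the filter, flagging notes=U as unindexed. The sample log lines are constructed, modelled on the lines quoted above with the attrs list trimmed.

```shell
#!/bin/sh
# Added example, not code from the original post. Pairs each RESULT err=11
# line in a 389 DS / Red Hat Directory Server access log with the SRCH line
# of the same conn/op, so you can see which filters hit the administrative
# (look-through) limit and whether the search was unindexed (notes=U).
set -eu

# Print "conn=N op=M <filter> [unindexed]" for every search that ended in err=11.
adminlimit_searches() {
    awk '
        function key(s) { match(s, /conn=[0-9]+ op=[0-9]+/); return substr(s, RSTART, RLENGTH) }
        / SRCH / {
            k = key($0)                       # compute the key before the second match()
            match($0, /filter="[^"]*"/)       # RSTART/RLENGTH now describe filter="..."
            filt[k] = substr($0, RSTART + 8, RLENGTH - 9)
        }
        / RESULT / && / err=11 / {
            k = key($0)
            flag = ($0 ~ /notes=U/) ? " [unindexed]" : ""
            print k " " filt[k] flag
        }
    ' "$1"
}

# Constructed sample log: a name lookup that succeeded, the uidNumber lookup
# from the post, and a gidNumber lookup that fails the same way.
SAMPLE_LOG="${TMPDIR:-/tmp}/access.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[23/Jan/2013:09:34:04 -0600] conn=24 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=jbond)(objectClass=posixAccount))" attrs="uid uidNumber gidNumber"
[23/Jan/2013:09:34:04 -0600] conn=24 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2013:09:34:04 -0600] conn=24 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(uidNumber=20000)(objectClass=posixAccount))" attrs="uid uidNumber gidNumber"
[23/Jan/2013:09:34:05 -0600] conn=24 op=3 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
[23/Jan/2013:09:35:10 -0600] conn=25 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(gidNumber=30000)(objectClass=posixGroup))" attrs="cn gidNumber memberUid"
[23/Jan/2013:09:35:11 -0600] conn=25 op=1 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
EOF

adminlimit_searches "$SAMPLE_LOG"
```

Point it at the real access log (/var/log/dirsrv/slapd-INSTANCE/access on a default install) instead of the sample file; the filters it reports are the ones to index or to cover with a higher limit.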

By default, Red Hat Directory Server 9 (and 389 Directory Server, to which this also applies) has a look-through limit of 5000, set by the nsslapd-lookthroughlimit attribute on cn=config,cn=ldbm database,cn=plugins,cn=config:

cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-lookthroughlimit: 5000

With 24,000 entries in the database and no index on uidNumber, the getent passwd 20000 search has to look through well over 5000 candidate entries before it reaches the one with uidNumber 20000, and the server gives up at 5000. The quickest fix, and the one below, is to raise nsslapd-lookthroughlimit above the total number of entries in the LDAP database. The more targeted fix is an equality index on uidNumber (and on gidNumber, which getent group hits the same way): the server then answers the filter from the index and never approaches the limit, which matters on a directory this size because an unindexed search scans the database on every lookup.

Modify the nsslapd-lookthroughlimit Attribute

From a Linux server that can talk to the LDAP server, type the following command (it relies on the server URI being set in ldap.conf; otherwise add -H ldap://your-server):

ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c

Then paste the following into the shell and hit Enter twice or Ctrl + D:

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 100000

This is a global change, and a large global look-through limit lets any client that can search the directory make the server scan up to that many entries per request, which is exactly what the limit exists to prevent. For a more restrictive setup, Directory Server can apply the limit per bind DN instead: create an LDAP account for the clients to bind as, set the operational attribute nsLookThroughLimit on that account's entry (the global nsslapd-lookthroughlimit is a backend setting, not a user attribute), and configure the clients' NSS/LDAP stack to bind with it. Only searches performed under that bind DN can then look through more than 5000 entries; anonymous and other binds keep the default.
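The procedure above, together with the per-bind-DN variant and the index alternative, as an added example that is not from the original post or from Directory Server itself. The script generates the LDIF for each option and, when given an action argument, pipes it into ldapmodify; the server URI, the backend name userRoot and the service-account DN are assumptions, and it expects the OpenLDAP client tools on the path. Run with no argument it only prints the global-limit LDIF. The actions are global [limit], user <bind-dn> [limit], index [attribute] [backend], and show, which reads the global limit back after a change.

```shell
#!/bin/sh
# Added example, not code from the original post or from 389 DS. Generates the
# LDIF for three ways to stop err=11 on this search and, on request, feeds it
# to ldapmodify. Assumes OpenLDAP client tools on PATH. LDAP_URI, the backend
# name "userRoot" and the service-account DN are placeholders.
set -eu

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"     # placeholder server
BIND_DN="${BIND_DN:-cn=Directory Manager}"
LDBM_CONFIG="cn=config,cn=ldbm database,cn=plugins,cn=config"

# 1. The post's fix: raise the global look-through limit.
global_limit_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsslapd-lookthroughlimit\nnsslapd-lookthroughlimit: %s\n' \
        "$LDBM_CONFIG" "$1"
}

# 2. Per-bind-DN override: the operational attribute nsLookThroughLimit on the
#    account the clients bind as; the global 5000 stays in force for everyone else.
user_limit_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsLookThroughLimit\nnsLookThroughLimit: %s\n' \
        "$1" "$2"
}

# 3. Root-cause fix: an equality index on the attribute the filter uses, plus the
#    reindex task that populates it, so the search never walks candidates.
#    Two LDIF records separated by a blank line; ldapmodify applies both in order.
index_ldif() {
    attr="$1"; backend="${2:-userRoot}"        # backend name is an assumption
    printf 'dn: cn=%s,cn=index,cn=%s,cn=ldbm database,cn=plugins,cn=config\n' "$attr" "$backend"
    printf 'changetype: add\nobjectClass: top\nobjectClass: nsIndex\ncn: %s\n' "$attr"
    printf 'nsSystemIndex: false\nnsIndexType: eq\n\n'
    printf 'dn: cn=reindex-%s,cn=index,cn=tasks,cn=config\n' "$attr"
    printf 'changetype: add\nobjectClass: top\nobjectClass: extensibleObject\ncn: reindex-%s\n' "$attr"
    printf 'nsInstance: %s\nnsIndexAttribute: %s\n' "$backend" "$attr"
}

# Pipe generated LDIF into the server; -c continues past individual failures.
apply_ldif() {
    ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W -c
}

# Read the effective global limit back.
show_global_limit() {
    ldapsearch -x -H "$LDAP_URI" -D "$BIND_DN" -W -b "$LDBM_CONFIG" -s base nsslapd-lookthroughlimit
}

case "${1:-}" in
    global) global_limit_ldif "${2:-100000}" | apply_ldif ;;
    user)   [ -n "${2:-}" ] || { echo "usage: $0 user <bind-dn> [limit]" >&2; exit 2; }
            user_limit_ldif "$2" "${3:-100000}" | apply_ldif ;;
    index)  index_ldif "${2:-uidNumber}" "${3:-userRoot}" | apply_ldif ;;
    show)   show_global_limit ;;
    *)      global_limit_ldif 100000 ;;         # no argument: print the LDIF only
esac
```

After the index option, rerun the getent lookup and confirm the access log's RESULT line no longer carries notes=U; the global limit can then stay at 5000.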

Thanks for reading and take care.