There appears to be a limitation on results returned with the ipa CLI. Can this be modified?
Issue
As part of some synchronization scripts to AD we are writing, we'd like to use the IPA tools instead of going into the IPA schema directly. However, no matter how the IPA LDAP server is set up as far as search limits, it appears the IPA tools are limited to 2000 results. This makes user / group enumeration in large environments impossible with the shipped tools.
# ipa config-mod --searchrecordslimit=0
Max. username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain for new users: example.com
Search time limit: 60
Search size limit: 0
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: TRUE
Certificate Subject base: O=EXAMPLE.COM
Password Expiration Notification (days): 4
Looking at dse.ldif, nsslapd-sizelimit is still 2000. So I'm not entirely sure what "ipa config-mod --searchrecordslimit=0" does, but it doesn't seem to be adjusting the underlying SLAPD settings.
Can this setting be changed manually and still get RH support? Is this a bug?
Environment
- Red Hat Enterprise Linux 6.2
- IPA
