There appears to be a limitation on results returned with the ipa CLI; can this be modified?

Solution Unverified

Issue

As part of some synchronization scripts to AD we are writing, we'd like to use the IPA tools instead of going into the IPA schema directly. However, no matter how the IPA LDAP server is set up as far as search limits, it appears the IPA tools are limited to 2000 results. This makes user/group enumeration in large environments impossible with the shipped tools.

# ipa config-mod --searchrecordslimit=0
  Max. username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain for new users: example.com
  Search time limit: 60
  Search size limit: 0
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=EXAMPLE.COM
  Password Expiration Notification (days): 4

Looking at dse.ldif, nsslapd-sizelimit is still 2000. So I'm not entirely sure what "ipa config-mod --searchrecordslimit=0" does, but it doesn't seem to be adjusting the underlying SLAPD settings.

Can this setting be changed manually and still get RH support? Is this a bug?

Environment

  • Red Hat Enterprise Linux 6.2
  • IPA
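The mismatch the question describes (IPA reporting an unlimited search size while dse.ldif still carries nsslapd-sizelimit: 2000) can be checked mechanically. The script below is an added example, not part of the Red Hat article: it parses `ipa config-show` output and dse.ldif text from constructed samples modelled on the output above and reports which limit actually caps results. It assumes the documented conventions that IPA treats a search records limit of 0 (or -1) as unlimited, while 389-ds treats nsslapd-sizelimit -1 as unlimited.

```shell
#!/bin/sh
# Added example (not from the article): compare the IPA framework's search
# size limit with the 389-ds server-side size limit and report the effective cap.

# Extract "Search size limit: N" from `ipa config-show` output on stdin.
ipa_size_limit() {
    sed -n 's/^[[:space:]]*Search size limit:[[:space:]]*\([0-9-]*\).*/\1/p' | head -n 1
}

# Extract nsslapd-sizelimit from dse.ldif (or from
# `ldapsearch -b cn=config nsslapd-sizelimit` output) on stdin.
ds_size_limit() {
    sed -n 's/^nsslapd-sizelimit:[[:space:]]*\([0-9-]*\).*/\1/p' | head -n 1
}

# Effective cap: IPA treats 0 or -1 as unlimited, 389-ds treats -1 as unlimited.
# Prints the smaller finite limit, or "unlimited" if neither side caps.
effective_limit() {
    ipa=$1; ds=$2
    if [ "$ipa" = "0" ] || [ "$ipa" = "-1" ]; then ipa=unlimited; fi
    if [ "$ds" = "-1" ]; then ds=unlimited; fi
    if [ "$ipa" = unlimited ] && [ "$ds" = unlimited ]; then echo unlimited; return; fi
    if [ "$ipa" = unlimited ]; then echo "$ds"; return; fi
    if [ "$ds" = unlimited ]; then echo "$ipa"; return; fi
    if [ "$ipa" -lt "$ds" ]; then echo "$ipa"; else echo "$ds"; fi
}

# Constructed sample inputs reproducing the situation in the question.
SAMPLE_IPA='  Search time limit: 60
  Search size limit: 0
  User search fields: uid,givenname,sn'
SAMPLE_DSE='dn: cn=config
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600'

# Report both configured limits and the one that actually applies.
check_limits() {
    i=$(printf '%s\n' "$SAMPLE_IPA" | ipa_size_limit)
    d=$(printf '%s\n' "$SAMPLE_DSE" | ds_size_limit)
    echo "ipa=$i ds=$d effective=$(effective_limit "$i" "$d")"
}
check_limits
```

On a live server the sample variables would be replaced by the real `ipa config-show` output and the running instance's dse.ldif (or an `ldapsearch` against cn=config); the functions themselves are unchanged.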
