Hello Florence. Going to check that tomorrow and add these lines.
Thanks for this first answer.

Lune

On Wed, 19 Dec 2018 at 20:27, Florence Blanc-Renaud <f...@redhat.com> wrote:

> On 12/19/18 12:15 PM, lune voo via FreeIPA-users wrote:
> > Hello everyone.
> >
> > I send you this mail because I have a problem with an ipa
> > group-remove-member command which ends up with the following error message:
> > "Limits exceeded for this query".
> >
> > I'm using IPA 3.0.0.
> > The group for which I want to remove a user contains other groups also
> > (281).
> >
> > I was wondering how I could solve this problem?
> >
> > I tried to play with the configuration as described here:
> > https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/searches.html
> >
> > I tried to increase both limits but it did not solve the problem.
> > I guess as I'm not doing a search but group remove member, these
> > parameters are not used maybe?
> >
> > Thanks for your help o/
> >
> > Best regards.
> >
> > Lune.
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
> Hi,
>
> when you are running ipa group-remove-member, are you authenticated as
> admin or as another user?
>
> Can you see in 389-ds logs which operation is triggering the size-limit
> error? In /var/log/dirsrv/slapd-domXXX/access, you will find a line with
> RESULT err=4, note the conn=xx and op=yy values, then look above for a
> line with conn=xx op=yy SRCH and finally another line above with conn=xx
> op=0 BIND. Please paste the 3 lines for analysis.
>
> The size limits are configured at multiple levels:
> - at IPA level: with ipa config-show, you can see the settings that IPA
>   is using for all the queries triggered by ipa *-find commands.
> - at 389-ds level: the attribute nsslapd-sizelimit of the entry
>   cn=config is also limiting the number of returned entries
> - at 389-ds level: the attributes nsSizeLimit and nsLookThroughLimit of
>   the entry cn=anonymous-limits,cn=etc,$BASEDN limit the number of
>   returned entries for anonymous queries
> - it is also possible to configure per-user limits, for instance in
>   uid=user,cn=users,cn=accounts,$BASEDN with the attributes nsSizeLimit,
>   nsLookThroughLimit, nsPagedLookThroughLimit and nsPagedSizeLimit
>
> So we need to understand which user is performing the ipa
> group-remove-member command, and which limit is triggering the error.
>
> flo
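The log lookup described in the quoted reply can be scripted. The following is an added example, not part of the original thread: it scans access-log lines for `RESULT err=4` and pairs each one with the `SRCH` on the same conn/op and the `op=0 BIND` on the same connection. The sample log lines, DNs and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the 389-ds access-log layout (all values made up).
SAMPLE_LOG = '''\
[19/Dec/2018:20:10:01 +0100] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[19/Dec/2018:20:10:01 +0100] conn=12 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[19/Dec/2018:20:10:01 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[19/Dec/2018:20:10:02 +0100] conn=13 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[19/Dec/2018:20:10:02 +0100] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[19/Dec/2018:20:10:03 +0100] conn=12 op=1 SRCH base="cn=groups,cn=accounts,dc=example,dc=com" scope=2 filter="(cn=admins)" attrs="cn"
[19/Dec/2018:20:10:03 +0100] conn=13 op=2 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="memberOf"
[19/Dec/2018:20:10:03 +0100] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[19/Dec/2018:20:10:04 +0100] conn=13 op=2 RESULT err=4 tag=101 nentries=100 etime=1
[19/Dec/2018:20:10:04 +0100] conn=13 op=-1 fd=65 closed - U1
'''.splitlines()

# conn/op pair and operation keyword; connection and close lines do not match.
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|SRCH|RESULT)\b(.*)")

def find_limit_errors(lines, err=4):
    """Pair every RESULT err=<err> with its SRCH (same conn/op) and op=0 BIND."""
    binds, searches, hits = {}, {}, []
    for line in lines:
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "BIND" and op == "0":
            binds[conn] = line            # latest bind seen on this connection
        elif kind == "SRCH":
            searches[(conn, op)] = line
        elif kind == "RESULT" and re.search(rf"\berr={err}\b", rest):
            hits.append({"bind": binds.get(conn),
                         "srch": searches.get((conn, op)),
                         "result": line})
    return hits

def bind_dn(bind_line):
    """Extract the bind DN; an empty string means an anonymous bind."""
    m = re.search(r'dn="([^"]*)"', bind_line or "")
    return m.group(1) if m else None

if __name__ == "__main__":
    for hit in find_limit_errors(SAMPLE_LOG):
        print("bound as:", bind_dn(hit["bind"]))
        for key in ("bind", "srch", "result"):
            print(hit[key])
```

The bind DN tells you which of the limits listed in the reply to inspect: an empty DN means the query ran anonymously, a user DN means that user's per-user limits or the server-wide ones are in play.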