LDAP – OpenLDAP Administrative limit exceeded

Tags: ldap, openldap

I know there are limits in LDAP queries, therefore I set up a user without limits. But even so I'm facing the "Administrative Limit exceeded" error.

I include below an extract of the database configuration. I'm using the user cn=checkrepl,cn=users,dc=domain,dc=es.

esauro@ubuntu:~$ ldapsearch -x -W -D 'cn=admin,cn=config' -b 'cn=config' -h openldap1 'olcDatabase={1}hdb'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={1}hdb
# requesting: ALL
#

# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=es
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=domain,dc=es" write by dn.subtree="cn=Managers,dc=domain,
 dc=es" read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=domain,dc=es" write by * read
olcLastMod: TRUE
olcLimits: {2}dn="cn=checkrepl,cn=Users,dc=domain,dc=es" time.soft=unlimited time
 .hard=unlimited size.soft=unlimited size.hard=unlimited
olcSizeLimit: size=100000 size.unchecked=100000
olcMirrorMode: TRUE
olcMonitoring: TRUE
olcDbCacheSize: 200000
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 536870912 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500

However, whenever I query the directory and the result is big, I get the error, no matter whether or not I include the flags that limit the time and the size of the query.

esauro@ubuntu:~$ ldapsearch -z 40 -l 1000 -x -W -D 'cn=checkrepl,cn=users,dc=domain,dc=es' -b 'dc=domain,dc=es' -h openldap1 'uid=al*' dn
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=es> with scope subtree
# filter: uid=al*
# requesting: dn 
#

# search result
search: 2
result: 11 Administrative limit exceeded

# numResponses: 1

I'm using ldap-utils (versions 2.4.23 and 2.4.28) as the client and openldap (2.4.23) as the server.

EDIT: Another excerpt from the config including the indexes:

olcDbIndex: objectClass eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid,uniqueMember eq
olcDbIndex: uidNumber,gidNumber eq,pres
olcDbIndex: sambaSID,sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType,sambaSIDList eq
olcDbIndex: entryCSN,entryUUID eq
olcDbIndex: ou,cn eq
olcDbIndex: mail,maildrop eq

EDIT 2: This exact configuration (Copy&Paste) is working perfectly in another LDAP using a more recent version of LDAP.

Best Answer

You have olcDbCacheSize: 200000 (and a 512MB cache) indicating you may have a high number of directory entries.

You have size.unchecked=100000 which places limits on queries for attributes with no indexes.

There are no olcDbIndex attributes in your config [extract], so there may be no indexes for searching.

If you have more than 100,000 entries, your search will need a full directory scan, and exceed its default size.unchecked limits, regardless of how many actually match uid=al*.

You really need indexes. Try running with olcLoglevel: stats index, and check your syslog configuration to make sure the facility (local4 is the default) goes somewhere useful. Add indexes, for at least your common queries, and sub(string) indexes for uid, and run slapindex -v to update them; slapd should not be running during the index generation.

http://www.openldap.org/doc/admin24/tuning.html
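As an added example (not code from the question or the answer), a small Python check of the two things the answer points at: whether every assertion in a search filter has an index of the kind it needs (eq, pres or sub), and which size.unchecked limit actually applies to a bind DN once olcLimits and the global olcSizeLimit are combined. It assumes olcLimits entries are matched by exact DN only and that size.unchecked may be set in a per-DN olcLimits line (a slapd limits keyword); the "corrected" olcLimits line is hypothetical and the config sample is constructed from the lines quoted in the question.

```python
import re
# Constructed sample: the relevant lines from the question's cn=config extract
# (olcLimits for the bind user, the global olcSizeLimit and three olcDbIndex lines).
CONFIG = """\
olcLimits: {2}dn="cn=checkrepl,cn=Users,dc=domain,dc=es" time.soft=unlimited time
 .hard=unlimited size.soft=unlimited size.hard=unlimited
olcSizeLimit: size=100000 size.unchecked=100000
olcDbIndex: objectClass eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: mail,maildrop eq
"""
# Hypothetical corrected olcLimits line that also lifts size.unchecked for that user.
CONFIG_FIXED = CONFIG.replace("size.hard=unlimited", "size.hard=unlimited size.unchecked=unlimited")

def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\n ", "", ldif).splitlines()

def indexes(ldif):
    """Map attribute -> set of index types declared by olcDbIndex lines."""
    idx = {}
    for line in unfold(ldif):
        m = re.match(r"olcDbIndex:\s*(\S+)\s+(\S+)", line)
        if m:
            for attr in m.group(1).split(","):
                idx.setdefault(attr.lower(), set()).update(m.group(2).split(","))
    return idx

def unindexed_assertions(ldap_filter, idx):
    """(attribute, index type) pairs in the filter that no declared index can serve."""
    missing = []
    for attr, value in re.findall(r"([\w.;-]+)=([^()&|!]+)", ldap_filter):
        need = "pres" if value == "*" else ("sub" if "*" in value else "eq")
        if need not in idx.get(attr.lower(), set()):
            missing.append((attr, need))
    return missing

def effective_unchecked(ldif, bind_dn):
    """size.unchecked applied to bind_dn: its exact-DN olcLimits value if set, else the global one."""
    limit = None
    for line in unfold(ldif):
        m = re.match(r'olcLimits:\s*(?:\{\d+\})?dn(?:\.exact)?="([^"]+)"\s*(.*)', line)
        if m and m.group(1).lower() == bind_dn.lower():  # simplified DN comparison
            m = re.search(r"size\.unchecked=(\S+)", m.group(2))
            if m:
                return m.group(1)
        m = re.match(r"olcSizeLimit:.*size\.unchecked=(\S+)", line)
        if m:
            limit = m.group(1)
    return limit
```

Run against the question's own lines, `uid=al*` is served by the `uid ... sub` index, but the checkrepl olcLimits line never mentions size.unchecked, so the global 100000 still applies to that user.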