389 Directory Server Administrative Limit Exceeded error?

Question

I am trying to use 389 ds with large amounts of data as children of entries. I have tried doing a search on these entries using ldapsearch but I keep getting the following error:

result: 11 Administrative limit exceeded

When I went to browse these entries using the server console application it said to create a "Browsing Index". I did this, and I can now view these entries inside the Server Console application however I still can not execute the ldapsearch.

I tried to delete the parent entry of all of these children using the Server Console application but it gives me the same error as the search:

Administrative limit exceeded.

I have set the "nssizelimit" attribute to -1 in config. I have also set "nslookthroughlimit" to -1 in config but I am still getting the same errors.

How can I configure my 389 ds (CentOS ds) server to stop these errors?

Answer 1

From what I understood, you are not able to get all entries. Looks like your are hitting admin limit exceeded.

If you want to search from a non-cn=Directory manager user. you need to add some attributes to user like below.

/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: uid=test2,ou=People,dc=example,dc=com
changetype: modify
add: nssizelimit
nssizelimit: -1
-
add: nslookthroughlimit
nslookthroughlimit: -1

Answer 2

OpenLDAP have two configuration modes:

add to slapd.conf (static mode):

sizelimit unlimited

add '/path-to/cn=config/olcDatabase={-1}frontend.ldif' (dynamic mode):

olcSizeLimit: unlimited

selective limits can be done by 'limits' option for slapd.conf.

If this not help, you should't tag question with 'openldap'.

Answer 3

$ ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: uid=test2,ou=People,dc=example,dc=com
changetype: modify
add: nssizelimit
nssizelimit: -1
-
add: nslookthroughlimit
nslookthroughlimit: -1

This solution worked for me in case of non-admin user performing ldapsearch