Re: [Fedora-directory-devel] Administrative limit exceeded with no results returned

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Graham Leggett wrote:

Hi all,

I am having some sudden bizarre behaviour from fedora-ds-1.1.2-1.fc6.
The following query, logged in as a specific user created for our mailserver, has suddenly since this morning returned the error "Administrative limit exceeded":
'(&(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com)))'
When the exact same query is made using the Directory Manager, it returns zero records returned, which is correct (no entries exist in the directory called imausa.net).
According to the documentation for the error message "Administrative limit exceeded", this error will be thrown when more than by default 1000 rows are returned during a query by a user other than the Directory Manager.
Not exactly. You are most likely hitting the look through limit. Is associatedDomain indexed for equality? Are there more than 1000 entries that have the associatedDomain attribute? In order to satisfy the NOT filter (!) the database has to look through all of the records in the database. 
See http://tinyurl.com/5yjk6m
Directory Manager is immune to look through limits and other such limits. That's why the search succeeds as Directory Manager. You can set specific look through limits and other limits for individual or groups of users - see http://tinyurl.com/2sy8bl
When I last looked though, zero records was well less than 1000, and I am completely stumped.
Trying a domain that is hosted in this server, the query returns one single record, as expected, as the Directory Manager user.
Trying the same query as the specific user created for our mailserver, we again get "Administrative limit exceeded". 

Has anybody encountered and error like this before?
In answer to "what's changed recently", the number of records in the LDAP server was increased from just over 1000 records to around 7000 records, although I cannot be sure if this is related. 
That is most definitely the culprit.
The records have nothing whatsoever to do with the objects being queried by our mailserver in this case.
It doesn't matter, since they exist in the same database and have to be "looked through". 

Regards,
Graham
--
------------------------------------------------------------------------

--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
[Index of Archives]     [Fedora Directory Announce]     [Fedora Users]     [Older Fedora Users Mail]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Review]     [Fedora Art]     [Fedora Music]     [Fedora Packaging]     [CentOS]     [Fedora SELinux]     [Big List of Linux Books]     [KDE Users]     [Fedora Art]     [Fedora Docs]

  Powered by Linux