Graham Leggett wrote:
Hi all,
I am having some sudden bizarre behaviour from fedora-ds-1.1.2-1.fc6.
The following query, logged in as a specific user created for our
mailserver, has suddenly since this morning returned the error
"Administrative limit exceeded":
'(&(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com)))'
When the exact same query is made using the Directory Manager, it
returns zero records returned, which is correct (no entries exist in
the directory called
imausa.net).
According to the documentation for the error message "Administrative
limit exceeded", this error will be thrown when more than by default
1000 rows are returned during a query by a user other than the
Directory Manager.
Not exactly. You are most likely hitting the look through
limit. Is
associatedDomain indexed for equality? Are there more than 1000 entries
that have the associatedDomain attribute? In order to satisfy the NOT
filter (!) the database has to look through all of the records in the
database.
See
http://tinyurl.com/5yjk6m
Directory Manager is immune to look through limits and other such
limits. That's why the search succeeds as Directory Manager.
You can set specific look through limits and other limits for individual
or groups of users - see
http://tinyurl.com/2sy8bl
When I last looked though, zero records was well less than 1000, and I
am completely stumped.
Trying a domain that is hosted in this server, the query returns one
single record, as expected, as the Directory Manager user.
Trying the same query as the specific user created for our mailserver,
we again get "Administrative limit exceeded".
Has anybody encountered and error like this before?
In answer to "what's changed recently", the number of records in the
LDAP server was increased from just over 1000 records to around 7000
records, although I cannot be sure if this is related.
That is most definitely the
culprit.
The records have nothing whatsoever to do with the objects being
queried by our mailserver in this case.
It doesn't matter, since they exist in
the same database and have to be
"looked through".
Regards,
Graham
--
------------------------------------------------------------------------
--
Fedora-directory-devel mailing list
Fedora-directory-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-devel