depending on the filters used, an error 11 / err=11 / ADMIN_LIMIT_EXCEEDED
/ "Administrative limit exceeded" could be returned, and depending on the
LDAP client, it could be an important error.
it may be a good idea to set a DN for nsslapd-anonlimitsdn , see
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
with its associated/dedicated values different from the global settings,
for the attributes nsIdleTimeout , nsTimeLimit and nsSizeLimit
or set a special user entry for those BINDs , with the same 3 user
specified idletimeout, time and size limits to avoid tuning up the general
setting of the size limit.
M.
On Tue, Oct 19, 2021 at 10:44 AM Michael Starling <mlstarling31(a)hotmail.com>
wrote:
Good afternoon.
I have a few questions about anon binds.
In theory if you have 3000 user objects in the directory and anonymous
binds have a limit returning 2000 entries can you still use anonymous binds
in LDAP client configurations without issues? Or does something else take
place when a user logs in that only requires the LDAP clients (sssd or
nscld) to parse that specific user dn and attributes?
Typically, with OpenLDAP I have created a "bind" user that can read all
user/group objects with limited attributes and turned off anon binds so I
don't fully understand the behavior of anonymous binds.
Mike
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure