AW: [kolla] [train] [keystone] Number of User/Group entities returned by LDAP exceeded size limit

Albert Braden ozzzo at yahoo.com
Wed May 24 13:23:14 UTC 2023


 The Keystone documentation [1] appears to indicate that LDAP limitations can be worked around by enabling paging, using the page_size setting. Am I reading it wrong?

[1] https://docs.openstack.org/keystone/train/admin/configuration.html#identity-ldap-server-set-up     On Wednesday, May 24, 2023, 02:34:23 AM EDT, Kaster, Jörn <joern.kaster at epg.com> wrote:  
 
 #yiv6784134135 P {margin-top:0;margin-bottom:0;}Hello Albert,have seen your message on monday and think that it was replied personaly in the meantime. Anyway.I think this problem is not dedicated to the openstack services. The problem is caused by the ldap server. Which one do you use?Look in the documentation of the ldap server to configure a larger size limit.
greets from hereJörn
Von: Albert Braden <ozzzo at yahoo.com>
Gesendet: Dienstag, 23. Mai 2023 20:35
An: OpenStack Discuss <openstack-discuss at lists.openstack.org>
Betreff: Re: [kolla] [train] [keystone] Number of User/Group entities returned by LDAP exceeded size limit 

OUTSIDE-EPG!


Nobody replied to this Friday afternoon so I'm trying again:

On Friday, May 19, 2023, 09:29:17 AM EDT, Albert Braden <ozzzo at yahoo.com> wrote:


We have 2052 groups in our LDAP server. We recently started getting an error when we try to list groups:

$ os group list --domain AUTH.OURDOMAIN.COM
Number of User/Group entities returned by LDAP exceeded size limit. Contact your LDAP administrator. (HTTP 500)

I read the "Additional LDAP integration settings" section in [1] and then tried setting various values of page_size (10, 100, 1000) in the [ldap] section of keystone.conf but that didn't make a difference. What am I  missing?

[1] https://docs.openstack.org/keystone/train/admin/configuration.html#identity-ldap-server-set-up

Here's the stack trace:

2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application [req-198741c6-58b2-46b1-8622-bae1fc5c5280 d64c83e1ea954c368e9fe08a5d8450a1 47dc15c280c9436fadac4d41f1d54a64 - default default] Number of User/Group entities returned by LDAP exceeded size limit. Contact your LDAP administrator.: keystone.exception.LDAPSizeLimitExceeded: Number of User/Group entities returned by LDAP exceeded size limit. Contact your LDAP administrator.
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application Traceback (most recent call last):
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/backends/ldap/common.py", line 996, in search_s
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    attrlist, attrsonly)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/backends/ldap/common.py", line 689, in wrapper
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return func(self, conn, *args, **kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/backends/ldap/common.py", line 824, in search_s
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    attrsonly)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 870, in search_s
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 1286, in search_ext_s
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 1224, in _apply_method_s
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return func(self,*args,**kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 864, in search_ext_s
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return self.result(msgid,all=1,timeout=timeout)[1]
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 756, in result
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 760, in result2
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 767, in result3
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    resp_ctrl_classes=resp_ctrl_classes
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 774, in result4
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in _ldap_call
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    reraise(exc_type, exc_value, exc_traceback)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in reraise
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    raise exc_value
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in _ldap_call
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    result = func(*args,**kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application ldap.SIZELIMIT_EXCEEDED: {'msgtype': 100, 'msgid': 2, 'result': 4, 'desc': 'Size limit exceeded', 'ctrls': []}
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application During handling of the above exception, another exception occurred:
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application Traceback (most recent call last):
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/flask/app.py", line 1813, in full_dispatch_request
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    rv = self.dispatch_request()
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/flask/app.py", line 1799, in dispatch_request
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return self.view_functions[rule.endpoint](**req.view_args)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/flask_restful/__init__.py", line 480, in wrapper
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    resp = resource(*args, **kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/flask/views.py", line 88, in view
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return self.dispatch_request(*args, **kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/flask_restful/__init__.py", line 595, in dispatch_request
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    resp = meth(*args, **kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/api/groups.py", line 59, in get
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return self._list_groups()
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/api/groups.py", line 86, in _list_groups
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    hints=hints)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/common/manager.py", line 116, in wrapped
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    __ret_val = __f(*args, **kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/core.py", line 414, in wrapper
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return f(self, *args, **kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/core.py", line 424, in wrapper
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return f(self, *args, **kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/core.py", line 1329, in list_groups
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    ref_list = driver.list_groups(hints)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/backends/ldap/core.py", line 116, in list_groups
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return self.group.get_all_filtered(hints)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/backends/ldap/core.py", line 474, in get_all_filtered
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    for group in self.get_all(query, hints)]
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/backends/ldap/common.py", line 1647, in get_all
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    for x in self._ldap_get_all(hints, ldap_filter)]
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/common/driver_hints.py", line 42, in wrapper
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    return f(self, hints, *args, **kwargs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/backends/ldap/common.py", line 1600, in _ldap_get_all
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    attrs)
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application  File "/usr/lib/python3.6/site-packages/keystone/identity/backends/ldap/common.py", line 998, in search_s
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application    raise exception.LDAPSizeLimitExceeded()
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application keystone.exception.LDAPSizeLimitExceeded: Number of User/Group entities returned by LDAP exceeded size limit. Contact your LDAP administrator.
2023-05-15 20:18:41.932 36 ERROR keystone.server.flask.application   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230524/1a4a05ed/attachment-0001.htm>


More information about the openstack-discuss mailing list