Product SiteDocumentation Site

4.4. Understanding Search Limits and Settings

Some searches can result in a large number of entries being returned, possibly even all entries. Search limits improve overall server performance by limiting how long the server spends in a search and how many entries are returned.

4.4.1. Types of Search Limits and Where They Apply

Search limits have a dual purpose to improve server performance by reducing the search load and to improve usability by returning a smaller — and therefore easier to browse — set of entries.
The FreeIPA server has several different limits imposed on searches:
  • The search limit configuration for the FreeIPA server. This is a setting for the FreeIPA server itself, which is applied to all requests sent to the server from all FreeIPA clients, the FreeIPA CLI tools, and the FreeIPA web UI for normal page display.
    By default, this limit is 100 entries.
  • The time limit configuration for the FreeIPA server. Much like the search size limit, the time limit sets a maximum amount of time that the FreeIPA server, itself, waits for searches to run. Once it reaches that limit, the server stops the search and returns whatever entries were returned in that time.
    By default, this limit is two seconds.
  • The page size limit. Although not strictly a search limit, the page size limit does limit how many entries are returned per page. The server returns the set of entries, up to the search limit, and then randomly selects up to 20 entries per page for display. Paging results makes the results more understandable and more viewable.
    This is hard-coded to 20 for all searches.
  • The LDAP search limit (--pkey option). All searches peformed in the UI, and CLI searches which use the --pkey option, override the search limit set in the FreeIPA server configuration and use the search limit set in the underlying LDAP directory.
    By default, this limit is 2000 entries. It can be edited by editing the 389 Directory Server configuration.

4.4.2. Setting FreeIPA Search Limits

Search limits set caps on the number of records returned or the time spent searching when querying the database for user or group entries. There are two types of search limits: time limits and size (number) limits.
With the default settings, users are limited to two-second searches and no more than 100 records returned per search.

IMPORTANT

Setting search size or time limits too high can negatively affect FreeIPA server performance.

4.4.2.1. With the Web UI

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. Scroll to the Search Options area.
  4. Change the search limit settings.
    • Search size limit, the maximum number of records to return in a search.
    • Search time limit, the maximum amount of time, in seconds, to spend on a search before the server returns results.

    TIP

    Setting the time limit or size limit value to -1 means that there are no limits on searches.
  5. When the changes are complete, click the Update link at the top of the Configuration page.

4.4.2.2. With the Command Line

The search limits can be changed using the config-mod command.
$ ipa config-mod --searchtimelimit=5 --searchrecordslimit=500

  Max. username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain for new users: rhts.eng.bos.redhat.com
  Search time limit: 5
  Search size limit: 50
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=EXAMPLE.COM
  Password Expiration Notification (days): 4

TIP

Setting the time limit or size limit value to -1 means that there are no limits on searches.

4.4.3. Overriding the Search Defaults

Part of the server configuration is setting global defaults for size and time limits on searches. While these limits are always enforced in the web UI, they can be overridden with any *-find command run through the command line.
The --sizelimit and --timelimit options set alternative size and time limits, respectively, for that specific command run. The limits can be higher or lower, depending on the kinds of results you need.
For example, if the default time limit is 60 seconds and a search is going to take longer, the time limit can be increased to 120 seconds:
[jsmith@ipaserver ~]$ ipa user-find *sen --timelimit=120

4.4.4. Setting Search Attributes

A search for users or groups does not automatically search every possible attribute for that attribute. Rather, it searches a specific subset of attributes, and that list is configurable.
When adding attributes to the user or group search fields, make sure that there is a corresponding index within the LDAP directory for that attribute. Searches are performed based on indexes. Most standard LDAP attributes have indexes, but any custom attributes must have indexes created for them. Creating indexes is described in the indexes chapter in the Directory Server Administrator's Guide.

4.4.4.1. Setting User Search Attributes

4.4.4.1.1. From the Web UI
  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. Scroll to the User Options area.
  4. Add any additional search attributes, in a comma-separated list, in the User search fields field.
  5. When the changes are complete, click the Update link at the top of the Configuration page.
4.4.4.1.2. From the Web UI
To change the search attributes, use the --usersearch option to set the attributes for user searches.
$ ipa config-mod --usersearch=uid,givenname,sn,telephonenumber,ou,title

NOTE

Always give the complete list of search attributes. Whatever values are passed with the configuration argument overwrite the previous settings.

4.4.4.2. Setting Group Search Attributes

A search for users or groups does not automatically search every possible attribute for that attribute. Rather, it searches a specific subset of attributes, and that list is configurable.
When adding attributes to the user or group search fields, make sure that there is a corresponding index within the LDAP directory for that attribute. Searches are performed based on indexes. Most standard LDAP attributes have indexes, but any custom attributes must have indexes created for them. Creating indexes is described in the indexes chapter in the Directory Server Administrator's Guide.
4.4.4.2.1. From the Web UI
  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. Scroll to the Group Options area.
  4. Add any additional search attributes, in a comma-separated list, in the Group search fields field.
  5. When the changes are complete, click the Update link at the top of the Configuration page.
4.4.4.2.2. From the Command Line
To change the search attributes, use the --groupsearch options to set the attributes for group searches.
$ ipa config-mod --groupsearch=cn,description

NOTE

Always give the complete list of search attributes. Whatever values are passed with the configuration argument overwrite the previous settings.

4.4.5. Attributes Returned in Search Results

Searches can be performed on attributes that are not displayed in the UI. This means that entries can be returned in a search that do not appear to match the given filter. This is especially common if the search information is very short, which increases the likelihood of a match.