Dave Augustus
2006-Dec-14 22:25 UTC
[Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
I have a check script running on 2 servers. One of them is failing. The logs are stating this:

RESULT err=3 tag=101 nentries=0 etime=0

Why? How can I fix this?

TIA,
Dave
Pierangelo Masarati
2006-Dec-14 22:54 UTC
Re: [Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
Dave Augustus wrote:
> I have a check script running on 2 servers. One of them is failing. The
> logs are stating this:
>
> RESULT err=3 tag=101 nentries=0 etime=0
>
> Why?
>
(server-enforced?) time limit is being exceeded (err=3)
> How can I fix this?
>
You don't provide enough info to understand why the server is going into timelimit without returning a single entry and with what appears to be zero elapsed time (etime=0).

p.
Dave Augustus
2006-Dec-14 23:12 UTC
Re: [Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
Sorry! (Let me get my head out of the sand)

I use a check script called ldap.monitor. It comes with mon, a
monitoring package written in perl.

The script just binds and checks that a certain attribute exists and is
a certain value. Here is an example:

    monitor ldap.monitor \
        --username "uid=mscript,ou=Special Users,dc=hq,dc=org" \
        --password "12345678" \
        --basedn "uid=mscript,ou=Special Users,dc=hq,dc=org" \
        --filter "uid=*" \
        --attribute "uid" \
        --value "mscript" \
        192.168.16.10

I use this on BOTH of my servers. The other day I attempted to delete
a lot of objects (>10,000) as the admin user from my ou=people leaf and
then my admin account was locked out with this SAME error.

Then my script started failing. I ended up having to login as Directory
Manager to complete the deletion.

So my script now fails and neither my admin account (admin) nor my
script account (mscript) can login successfully.

The log entries are the same:

"RESULT err=3 tag=101 nentries=0 etime=0"

All that is happening is that the script is checking to see if an
attribute is the right value. The script can't login and therefore fails
the *check*.

I have restarted the server several times.

Thanks for your time,

Dave

On Thu, 2006-12-14 at 23:54 +0100, Pierangelo Masarati wrote:
> Dave Augustus wrote:
> > I have a check script running on 2 servers. One of them is failing. The
> > logs are stating this:
> >
> > RESULT err=3 tag=101 nentries=0 etime=0
> >
> > Why?
> >
> (server-enforced?) time limit is being exceeded (err=3)
> > How can I fix this?
> >
> You don't provide enough info to understand why the server is going into
> timelimit without returning a single entry and with what appears to be
> zero elapsed time (etime=0).
>
> p.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Richard Megginson
2006-Dec-15 16:39 UTC
Re: [Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
Dave Augustus wrote:
> Sorry! (Let me get my head out of the sand)
>
> I use a check script called ldap.monitor. It comes with mon, a
> monitoring package written in perl.
>
> The script just binds and checks that a certain attribute exists and is
> a certain value. Here is an example:
>
> monitor ldap.monitor \
> --username "uid=mscript,ou=Special Users,dc=hq,dc=org" \
> --password "12345678" \
> --basedn "uid=mscript,ou=Special Users,dc=hq,dc=org" \
> --filter "uid=*" \
>
This seems bad to use this filter if the search is using scope SUBTREE. It doesn't appear to be the case here, but you might want to check and make sure.
> --attribute "uid" \
> --value "mscript" \
> 192.168.16.10
>
> I use this on BOTH of my servers. The other day I attempted to delete
> a lot of objects (>10,000) as the admin user from my ou=people leaf and
> then my admin account was locked out with this SAME error.
>
> Then my script started failing. I ended up having to login as Directory
> Manager to complete the deletion.
>
> So my script now fails and neither my admin account (admin) nor my
> script account (mscript) can login successfully.
>
> The log entries are the same:
>
> "RESULT err=3 tag=101 nentries=0 etime=0"
>
> All that is happening is that the script is checking to see if an
> attribute is the right value. The script can't login and therefore fails
> the *check*.
>
> I have restarted the server several times.
>
If the script is really just doing a BASE level search, I don't see how this can happen. You can raise the search limits on a per user/role basis - see http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1085603
> Thanks for your time,
>
> Dave
>
> On Thu, 2006-12-14 at 23:54 +0100, Pierangelo Masarati wrote:
>
>> Dave Augustus wrote:
>>
>>> I have a check script running on 2 servers. One of them is failing. The
>>> logs are stating this:
>>>
>>> RESULT err=3 tag=101 nentries=0 etime=0
>>>
>>> Why?
>>>
>> (server-enforced?) time limit is being exceeded (err=3)
>>
>>> How can I fix this?
>>>
>> You don't provide enough info to understand why the server is going into
>> timelimit without returning a single entry and with what appears to be
>> zero elapsed time (etime=0).
>>
>> p.
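
The details the replies above ask for (which account was bound, what scope the search used, and whether the limit was hit with etime=0 and nentries=0) can be pulled from the server's access log by joining each err=3 RESULT line to its SRCH and BIND lines on conn/op. This is an added example, not part of the thread or of mon's ldap.monitor; the log lines are constructed, and their layout (conn=/op= BIND, SRCH and RESULT records) is assumed to match the server's access log.

```python
import re

# Constructed sample in access-log layout; not taken from the poster's server.
SAMPLE_LOG = """\
[14/Dec/2006:22:25:01 +0000] conn=41 op=0 BIND dn="uid=mscript,ou=Special Users,dc=hq,dc=org" method=128 version=3
[14/Dec/2006:22:25:01 +0000] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mscript,ou=special users,dc=hq,dc=org"
[14/Dec/2006:22:25:01 +0000] conn=41 op=1 SRCH base="uid=mscript,ou=Special Users,dc=hq,dc=org" scope=0 filter="(uid=*)" attrs="uid"
[14/Dec/2006:22:25:01 +0000] conn=41 op=1 RESULT err=3 tag=101 nentries=0 etime=0
[14/Dec/2006:22:25:09 +0000] conn=42 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[14/Dec/2006:22:25:09 +0000] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[14/Dec/2006:22:25:09 +0000] conn=42 op=1 SRCH base="ou=people,dc=hq,dc=org" scope=2 filter="(uid=*)" attrs="uid"
[14/Dec/2006:22:25:10 +0000] conn=42 op=1 RESULT err=0 tag=101 nentries=120 etime=1
"""

LINE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT) (.*)')
SCOPES = {"0": "BASE", "1": "ONELEVEL", "2": "SUBTREE"}

def field(rest, key):
    """Extract key="quoted value" or key=bare_value from a log record."""
    m = re.search(rf'\b{key}="([^"]*)"', rest) or re.search(rf'\b{key}=(\S+)', rest)
    return m.group(1) if m else None

def timelimit_hits(log_text):
    """Return one dict per search that ended with err=3 (time limit exceeded)."""
    bind_dn, searches, hits = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "BIND":
            bind_dn[conn] = field(rest, "dn")   # DN requested on this connection
        elif kind == "SRCH":
            searches[(conn, op)] = rest
        elif field(rest, "err") == "3" and (conn, op) in searches:
            srch = searches[(conn, op)]
            hits.append({
                "bind_dn": bind_dn.get(conn, "(anonymous)"),
                "base": field(srch, "base"),
                "scope": SCOPES.get(field(srch, "scope"), "?"),
                "filter": field(srch, "filter"),
                # True when the limit was reported with no time spent and no entries
                "immediate": field(rest, "etime") == "0" and field(rest, "nentries") == "0",
            })
    return hits

if __name__ == "__main__":
    for hit in timelimit_hits(SAMPLE_LOG):
        print(hit)
```
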
Dave Augustus
2006-Dec-15 17:54 UTC
Re: [Fedora-directory-users] User is locked out- ERR 3 LDAP TIMELIMIT EXCEEDED
Thanks,

I added an attribute, "nstimelimit=-1" to the user, mscript and all is well. However, I did it from another server that it is setup with in a MM configuration. The replication occurred and the lockout stopped.

Some background: This script does checks every 30 seconds. Having this occur so often is necessary because this DS is behind a load balancer and the results of the script update the load balancer with its status. If the script fails, the server is taken out of the load balancer.

Another Question: This got me to think about applying this attribute at the OU level, instead of on each UID. Will that apply to ALL users in that OU?

Thanks,
Dave