
Add a check recommending to increase nsslapd-sizelimit for pkidbuser or globally #360

@abbra

Description

When there are many existing certificate requests in IPA CA, adding a new replica might fail if the total number of those certificate requests is higher than the size limit set for the pkidbuser account. It might be the global size limit or a per-account one.

Add a check that would recommend admins to bump size limits for the pkidbuser account.

Example issues: dogtagpki/pki#5133 and freeipa/freeipa-container#680

When ipa-replica-install is run, 389-ds defaults will be applied to the global search size limit (2000?). This means that if a CA is being installed, the pkidbuser account that the CA uses to bind to LDAP will inherit the default search size limit. Any of the searches it does might match more entries than the limit, which will cause administrative rejection of the search. As a result, the replica installation will fail.

The solution is to figure out what failed. For example, in the first referenced ticket the issue is the total number of requests in ou=ca,ou=requests,o=ipaca (pki does a search for any requestState). If more than 2000 records were there by the time of the new replica installation, the default size limit in DS will affect the result.

[25/Jun/2025:07:57:19.226360161 +0000] conn=8 TLS1.3 128-bit AES-GCM; client CN=CA Subsystem,O=FEDORAPROJECT.ORG; issuer CN=Certificate Authority,O=FEDORAPROJECT.ORG
[25/Jun/2025:07:57:19.227472387 +0000] conn=8 TLS1.3 client bound as uid=pkidbuser,ou=people,o=ipaca
[25/Jun/2025:07:57:19.227548078 +0000] conn=8 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[25/Jun/2025:07:57:19.228326323 +0000] conn=8 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.009276398 optime=0.000780005 etime=0.010056092 dn="uid=pkidbuser,ou=people,o=ipaca"
[25/Jun/2025:07:57:19.236009090 +0000] conn=5 op=6 SRCH base="ou=ca,ou=requests,o=ipaca" scope=1 filter="(&(requestState=approved)(requestId=*))" attrs=ALL
[25/Jun/2025:07:57:19.236413342 +0000] conn=5 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000197131 optime=0.000407302 etime=0.000602483
[25/Jun/2025:07:57:19.245428037 +0000] conn=5 op=7 SRCH base="ou=ca,ou=requests,o=ipaca" scope=1 filter="(&(requestId<=09149960000)(requestState=*))" attrs=ALL
[25/Jun/2025:07:57:19.255495659 +0000] conn=5 op=7 SORT -requestId (11475)
[25/Jun/2025:07:57:19.255577478 +0000] conn=5 op=7 RESULT err=11 tag=101 nentries=0 wtime=0.000138330 optime=0.010151001 etime=0.010287462 notes=P details="Paged Search" pr_idx=1 pr_cookie=-1
[25/Jun/2025:07:57:19.257259470 +0000] conn=8 op=1 UNBIND

The solution:

  • add nsslapd-sizelimit via --dirsrv-config-file when installing a replica. This will affect default limits on the new replica at install time.
  • add nsSizeLimit to the pkidbuser account on a master prior to installing the replica. This will affect all pkidbuser binds.
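As an added example, not code from freeipa-healthcheck, FreeIPA or Dogtag: a small Python module that models the check this issue asks for. It computes the limit in effect for pkidbuser (assuming the 389-ds rule that a per-account nsSizeLimit overrides the global nsslapd-sizelimit and that -1 means unlimited), compares it with the number of entries under ou=ca,ou=requests,o=ipaca, and scans a 389-ds access log for pkidbuser searches that ended with err=11, reading the number in the SORT line as the matched-entry count. The rounding policy behind the recommended value and the access-log sample (built from the format of the excerpt above, with a bind for conn=5 that the excerpt does not show and an unrelated account on conn=9) are constructed for the example.

```python
"""Added example (not freeipa-healthcheck or pki code): is the search size
limit in effect for pkidbuser large enough for the CA request entries, and
which pkidbuser search did 389-ds reject in the access log?"""
import re
from math import ceil

PKIDBUSER_DN = "uid=pkidbuser,ou=people,o=ipaca"
REQUESTS_BASE = "ou=ca,ou=requests,o=ipaca"
DEFAULT_GLOBAL_SIZELIMIT = 2000  # 389-ds default for nsslapd-sizelimit in cn=config
LDAP_ADMINLIMIT_EXCEEDED = 11    # err=11 in the access log

# 389-ds access-log patterns, following the excerpt in the issue.
_TLS_BOUND = re.compile(r"conn=(\d+) TLS\S+ client bound as (\S+)")
_BIND_RESULT = re.compile(r'conn=(\d+) op=\d+ RESULT err=0 tag=97 .*?dn="([^"]+)"')
_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]+)" scope=\d+ filter="([^"]+)"')
_SORT = re.compile(r"conn=(\d+) op=(\d+) SORT \S+ \((\d+)\)")
_RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def effective_sizelimit(global_limit, account_limit=None):
    """Per-account nsSizeLimit overrides global nsslapd-sizelimit; -1 is
    unlimited and is returned as None."""
    limit = global_limit if account_limit is None else account_limit
    return None if limit < 0 else limit


def recommended_sizelimit(request_count):
    """Assumed policy for this example: 2x headroom, rounded up to 1000s."""
    return ceil(request_count * 2 / 1000) * 1000


def check_pkidbuser_limit(request_count, global_limit=DEFAULT_GLOBAL_SIZELIMIT,
                          account_limit=None):
    """Compare the entry count under ou=ca,ou=requests,o=ipaca with the limit
    pkidbuser gets on a replica installed with default settings."""
    limit = effective_sizelimit(global_limit, account_limit)
    ok = limit is None or request_count <= limit
    return {"ok": ok, "effective_limit": limit,
            "recommended": None if ok else recommended_sizelimit(request_count)}


def find_rejected_pkidbuser_searches(log_lines):
    """Searches on pkidbuser connections that ended with err=11. The number in
    the SORT line is read as the number of entries the search matched."""
    bound_as, searches, findings = {}, {}, []
    for line in log_lines:
        m = _TLS_BOUND.search(line) or _BIND_RESULT.search(line)
        if m:
            bound_as[m.group(1)] = m.group(2).lower()
            continue
        m = _SRCH.search(line)
        if m:
            conn, op, base, flt = m.groups()
            searches[(conn, op)] = {"conn": conn, "op": op, "base": base,
                                    "filter": flt, "matched": None}
            continue
        m = _SORT.search(line)
        if m and (m.group(1), m.group(2)) in searches:
            searches[(m.group(1), m.group(2))]["matched"] = int(m.group(3))
            continue
        m = _RESULT.search(line)
        if m and int(m.group(3)) == LDAP_ADMINLIMIT_EXCEEDED:
            key = (m.group(1), m.group(2))
            if key in searches and bound_as.get(key[0]) == PKIDBUSER_DN:
                findings.append(searches[key])
    return findings


def report(log_lines, global_limit=DEFAULT_GLOBAL_SIZELIMIT, account_limit=None):
    """Messages a healthcheck-style plugin could emit for the log."""
    messages = []
    for s in find_rejected_pkidbuser_searches(log_lines):
        if s["base"] != REQUESTS_BASE or s["matched"] is None:
            messages.append(f"pkidbuser search on {s['base']} rejected with "
                            f"err=11 (conn={s['conn']} op={s['op']})")
            continue
        r = check_pkidbuser_limit(s["matched"], global_limit, account_limit)
        advice = (f"set nsSizeLimit on {PKIDBUSER_DN} or nsslapd-sizelimit to "
                  f"at least {r['recommended']}" if not r["ok"] else
                  "configured limit covers it; check the limit in effect on the replica")
        messages.append(f"{s['matched']} entries under {REQUESTS_BASE}, effective "
                        f"size limit {r['effective_limit']}: {advice}")
    return messages


# Constructed log excerpt modelled on the one in the issue (conn=5 gets the
# bind the excerpt does not show; conn=9 is an unrelated account hitting err=11).
SAMPLE_ACCESS_LOG = """\
[25/Jun/2025:07:57:18.100000000 +0000] conn=5 op=0 BIND dn="uid=pkidbuser,ou=people,o=ipaca" method=128 version=3
[25/Jun/2025:07:57:18.101000000 +0000] conn=5 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100000 optime=0.000200000 etime=0.000300000 dn="uid=pkidbuser,ou=people,o=ipaca"
[25/Jun/2025:07:57:19.245428037 +0000] conn=5 op=7 SRCH base="ou=ca,ou=requests,o=ipaca" scope=1 filter="(&(requestId<=09149960000)(requestState=*))" attrs=ALL
[25/Jun/2025:07:57:19.255495659 +0000] conn=5 op=7 SORT -requestId (11475)
[25/Jun/2025:07:57:19.255577478 +0000] conn=5 op=7 RESULT err=11 tag=101 nentries=0 wtime=0.000138330 optime=0.010151001 etime=0.010287462 notes=P details="Paged Search" pr_idx=1 pr_cookie=-1
[25/Jun/2025:07:57:20.000000000 +0000] conn=9 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[25/Jun/2025:07:57:20.001000000 +0000] conn=9 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100000 optime=0.000200000 etime=0.000300000 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[25/Jun/2025:07:57:20.002000000 +0000] conn=9 op=1 SRCH base="dc=example,dc=test" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Jun/2025:07:57:20.004000000 +0000] conn=9 op=1 RESULT err=11 tag=101 nentries=0 wtime=0.000100000 optime=0.000200000 etime=0.000300000
""".splitlines()
```

Running report(SAMPLE_ACCESS_LOG) with the defaults flags only the conn=5 op=7 search and asks for a limit of at least 23000 for the 11475 request entries; passing account_limit=-1 (an unlimited nsSizeLimit on the pkidbuser entry) makes the same log report that the configured limit covers the count, which is the situation where the limit on the master was raised but the freshly installed replica still has the 389-ds default.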
