Description
Abstract
The CA server fails to restart after an upgrade from a version that predates the use of PagedList search.
The root cause of the failure is the LDAP server rejecting a server-side sorting request with error 53, LDAP Unwilling to perform. This occurs when the total number of records returned by the search exceeds nsslapd-idlistscanlimit.
Conditions under which the restart fails after upgrade:
- Total number of issued certificates is greater than the current nsslapd-idlistscanlimit
- Server migrated or upgraded from an older version that used VLV searching instead of PagedList
- (unvalidated) may require having a CA clone
Troubleshooting
The CA error in debug.log is an LDAP error 53 on a search of ou=certificateRepository,ou=ca,<basedn>.
Performing a search on a test server with nsslapd-idlistscanlimit configured to 100, and more than 100 certificates issued, we get the following:
$ ldapsearch -W -H ldaps://pki.example.com:636 -D "cn=Directory Manager" -b "ou=certificateRepository,ou=ca,o=root-ca-1-CA" * serialno
...
# search result
search: 2
result: 0 Success
# numResponses: 122
# numEntries: 121
When performing the same search with Server-Side Sorting, a chained control that the new CA includes in its PagedList search, we get:
$ ldapsearch -W -H ldaps://pki.example.com:636 -D "cn=Directory Manager" -b "ou=certificateRepository,ou=ca,o=root-ca-1-CA" -E sss=serialno: * serialno
...
# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.474 false MIQAAAADCgE1
sortResult: (53) Server is unwilling to perform
# numResponses: 122
# numEntries: 121
This error results in the CA being unwilling to start.
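To confirm the failure mode without reading the rendered sortResult line, the SortResult response control returned above (OID 1.2.840.113556.1.4.474, value MIQAAAADCgE1) can be decoded directly. The following is an added example, not code from the issue or from the PKI project; it assumes plain ldapsearch LDIF output like the transcript above and decodes the RFC 2891 SortResult value with the standard library only.

```python
import base64
import re

SSS_RESPONSE_OID = "1.2.840.113556.1.4.474"   # Server Side Sort response control (RFC 2891)
LDAP_UNWILLING_TO_PERFORM = 53

# Constructed sample: the tail of the ldapsearch transcript from this issue.
SAMPLE_OUTPUT = """# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.474 false MIQAAAADCgE1
sortResult: (53) Server is unwilling to perform
# numResponses: 122
# numEntries: 121
"""


def _ber_length(buf, pos):
    """Return (length, next_pos) for the BER length at buf[pos]; handles short and long forms.
    389 DS emits the long form (0x84 + 4 bytes) even for tiny values, as in the sample."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite BER length is not valid in LDAP")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_sort_result(value_b64):
    """Decode SortResult ::= SEQUENCE { sortResult ENUMERATED, attributeType [0] OPTIONAL }.
    Returns (result_code, attribute_or_None)."""
    buf = base64.b64decode(value_b64)
    if buf[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    seq_len, pos = _ber_length(buf, 1)
    end = pos + seq_len
    if buf[pos] != 0x0A:
        raise ValueError("expected ENUMERATED tag")
    elen, pos = _ber_length(buf, pos + 1)
    code = int.from_bytes(buf[pos:pos + elen], "big")
    pos += elen
    attr = None
    if pos < end and buf[pos] == 0x80:  # [0] IMPLICIT attributeType, present only on sort failures
        alen, pos = _ber_length(buf, pos + 1)
        attr = buf[pos:pos + alen].decode()
    return code, attr


def check_sss_result(ldapsearch_output):
    """Scan LDIF output for the SSS response control; return (sortResult code or None, numEntries)."""
    code = None
    for line in ldapsearch_output.splitlines():
        m = re.match(r"control: (\S+) (?:true|false) (\S+)", line)
        if m and m.group(1) == SSS_RESPONSE_OID:
            code, _ = decode_sort_result(m.group(2))
    entries = re.search(r"^# numEntries: (\d+)", ldapsearch_output, re.M)
    return code, int(entries.group(1)) if entries else None
```

A sortResult of 53 with numEntries above the configured nsslapd-idlistscanlimit reproduces the condition the CA hits on startup.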
Workaround
NOTE: Newer versions of 389 DS set the default of nsslapd-idlistscanlimit to 2147483646, which prevents this issue from appearing.
Updating nsslapd-idlistscanlimit on the directory server to any number greater than the current number of certificates appears to resolve the issue.
Additionally, it was considered that nsslapd-rangelookthroughlimit and nsslapd-lookthroughlimit may affect this as well; however, that has not been shown to be the case.