Changing SCIM LDAP search limit settings
You can change the SCIM LDAP search limit settings in your product.
The SCIM LDAP search limit configuration parameters are described below:
- SCIM_LDAP_SEARCH_SIZE_LIMIT: Limits the number of entries that can be returned in a SCIM user/group API call. The default value is 4500. There is no upper bound on the value; set it based on the number of entries that the LDAP is expected to return. When the LDAP returns more entries than the configured value, a Size Limit Exceeded error is displayed.
  Note: Consider the LDAP maximum page size value while tuning the SCIM_LDAP_SEARCH_SIZE_LIMIT parameter. For now, IM SCIM does not fully support LDAP pagination.
- SCIM_LDAP_SEARCH_TIME_LIMIT: Limits the maximum wait time for a SCIM users/groups search API call. The default value is 10 seconds, and the value is configurable. If the wait time is greater than 10 seconds or the configured value, a Time Limit Exceeded error is displayed. This is a client-side restriction; the LDAP server can also impose its own limit on the search time.
  Note: If the configured value of SCIM_LDAP_SEARCH_TIME_LIMIT is greater than 30 seconds, increase the OpenShift Platform Container route ingress level timeout. It can be adjusted by using the following annotation:
  oc annotate route cp-console -n <your-foundational-services-namespace> --overwrite haproxy.router.openshift.io/timeout=60s
Changing the values by using the console
- Log in to the OpenShift Container console as a user with cluster administrator access.
- From the navigation menu, click Workloads > Config Maps.
- Search for platform-auth-idp.
- Click ... > Edit Config Map.
- Change the following attribute values, as required:
  SCIM_LDAP_SEARCH_SIZE_LIMIT
  SCIM_LDAP_SEARCH_TIME_LIMIT
- Click Submit.
- From the navigation menu, click Workloads > Deployments.
- Locate platform-auth-service.
- Click ... > Edit Deployment. A window for editing displays.
- Click Submit without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
- Click platform-auth-service.
- Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.
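
A command-line counterpart to the console steps above, as an added example that is not part of the original documentation: a dry-run planner that validates the two values and prints the oc commands without running them. It assumes the platform-auth-idp ConfigMap and the platform-auth-service Deployment are in the same namespace as the cp-console route, that both values are stored as plain integers, and that the route timeout should exceed the configured time limit; the sample values 9000 and 45 are constructed.

```shell
#!/bin/sh
# Added example (not IBM's tooling): prints the oc commands, runs nothing.
# Assumptions: ConfigMap, Deployment and route share one namespace; values
# are plain integers; the route timeout must exceed the search time limit.

ROUTE_THRESHOLD=30   # seconds; above this the page says to raise the route timeout

# Succeeds only when $1 is a positive decimal integer.
is_positive_int() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ]
}

# Succeeds when the time limit is high enough to need the route annotation.
needs_route_timeout() {
  [ "$1" -gt "$ROUTE_THRESHOLD" ]
}

# plan_scim_limits NAMESPACE SIZE_LIMIT TIME_LIMIT [ROUTE_TIMEOUT_SECONDS]
# Returns 2 on an invalid value, 3 when the route timeout would be too short.
plan_scim_limits() {
  ns=$1; size=$2; tlimit=$3; rtimeout=${4:-60}   # 60s is the page's value
  is_positive_int "$size" || { echo "invalid size limit: $size" >&2; return 2; }
  is_positive_int "$tlimit" || { echo "invalid time limit: $tlimit" >&2; return 2; }
  is_positive_int "$rtimeout" || { echo "invalid route timeout: $rtimeout" >&2; return 2; }
  # ConfigMap data values are strings, so both numbers are quoted in the patch.
  payload=$(printf '{"data":{"SCIM_LDAP_SEARCH_SIZE_LIMIT":"%s","SCIM_LDAP_SEARCH_TIME_LIMIT":"%s"}}' "$size" "$tlimit")
  if needs_route_timeout "$tlimit"; then
    if [ "$rtimeout" -le "$tlimit" ]; then
      echo "route timeout ${rtimeout}s does not exceed time limit ${tlimit}s" >&2
      return 3
    fi
    printf 'oc annotate route cp-console -n %s --overwrite haproxy.router.openshift.io/timeout=%ss\n' "$ns" "$rtimeout"
  fi
  printf "oc patch configmap platform-auth-idp -n %s --type merge -p '%s'\n" "$ns" "$payload"
  # Restart replaces the "Submit without changes" step that reloads the pods.
  printf 'oc rollout restart deployment/platform-auth-service -n %s\n' "$ns"
  printf 'oc rollout status deployment/platform-auth-service -n %s\n' "$ns"
}

# Constructed sample values: 9000 entries, 45 seconds.
plan_scim_limits '<your-foundational-services-namespace>' 9000 45
```

Review the printed commands before running them; the 4/4 Ready check in the Pods pane from the last console step still applies after the rollout completes.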