Proxmox LDAP Sync - Hard Limit on number of users?

victorhooi

Member
Apr 3, 2018
249
18
23
35
Hi,

Does anybody know if there's a hard limit on the number of users that the LDAP sync in Proxmox can do? Or is the below a bug?

I have a Proxmox 6.4 cluster, and I'm trying to do an LDAP sync as follows:

Code:
pveum realm sync "anguslab.io"  --full --purge --scope both
However, after running through the list of users, it then gives an error message:
Code:
Warning: unable to close filehandle GEN3 properly: File too large at /usr/share/perl5/PVE/Tools.pm line 248.
syncing users and groups failed: unable to write '/etc/pve/user.cfg.tmp.238030' - File too large
I checked, and there isn't a file /etc/pve/user.cfg.tmp/238030, so I assume it got cleaned up.

I'm not super familiar with Perl file handling - is this a language limit, or something in our code?

Thanks,
Victor
 

dcsapak

Proxmox Staff Member
Staff member
Feb 1, 2016
8,062
991
163
34
Vienna
we have a 512kbyte file limit on the pmxcfs, so assuming ~80 bytes per user (minus a bit overhead) it's about 6500 users..
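A way to check the arithmetic from the reply above before running a full sync, as an added example that is neither Proxmox code nor posted by anyone in this thread: it renders a would-be user.cfg from a constructed user list, using an assumed line layout modelled on the `user:<id>@<realm>:<enable>:<expire>:...` style of /etc/pve/user.cfg, and reports whether the result stays under the 512 KiB pmxcfs cap and how many more users of the same average size would still fit. The function names, the constructed users and the realm value are illustrative assumptions; real files also carry ACL and token lines, so the number is an estimate.

```python
# Added example (not Proxmox code): estimate whether a synced user set fits
# the 512 KiB pmxcfs per-file limit before running "pveum realm sync", so the
# sync does not abort half-way with "File too large".
#
# Assumption: the line layout mirrors the style of /etc/pve/user.cfg
#   user:<id>@<realm>:<enable>:<expire>:<first>:<last>:<email>:<comment>:<keys>:
#   group:<name>:<member,member,...>::
# Real files also contain ACL and token lines, so treat the result as an
# estimate rather than an exact byte count.

PMXCFS_MAX_FILE_SIZE = 512 * 1024   # 512 KiB, the limit quoted in the thread


def render_user_line(uid, realm, first="", last="", email="", comment="",
                     enable=1, expire=0):
    """Render one user.cfg user line (assumed layout, see header comment)."""
    return f"user:{uid}@{realm}:{enable}:{expire}:{first}:{last}:{email}:{comment}::\n"


def render_group_line(name, members):
    """Render one user.cfg group line (assumed layout)."""
    return f"group:{name}:{','.join(members)}::\n"


def estimate_user_cfg(users, groups, limit=PMXCFS_MAX_FILE_SIZE):
    """Return size, fit and headroom figures for a would-be user.cfg.

    users  - list of dicts accepted by render_user_line()
    groups - dict of group name -> list of member ids (user@realm)
    """
    body = "".join(render_user_line(**u) for u in users)
    body += "".join(render_group_line(n, m) for n, m in groups.items())
    size = len(body.encode("utf-8"))          # the limit is in bytes, not characters
    avg = size / len(users) if users else 0.0
    fits = size <= limit
    # how many more users of average size would still fit under the cap
    headroom = int((limit - size) // avg) if (fits and avg) else 0
    return {
        "bytes": size,
        "limit": limit,
        "fits": fits,
        "avg_bytes_per_user": avg,
        "headroom_users": headroom,
    }


def constructed_users(n, realm="anguslab.io"):
    """Constructed sample directory: n users with typical name/email fields."""
    return [
        dict(uid=f"user{i:04d}", realm=realm, first="Test", last=f"User{i}",
             email=f"user{i:04d}@example.com")
        for i in range(n)
    ]


if __name__ == "__main__":
    # Walk through the user counts mentioned in the thread.
    for count in (3000, 4500, 6500, 10000):
        r = estimate_user_cfg(constructed_users(count), {"lab": []})
        print(f"{count:>6} users -> {r['bytes']:>7} bytes, fits={r['fits']}, "
              f"~{r['avg_bytes_per_user']:.0f} B/user, "
              f"headroom {r['headroom_users']} users")
```

Feeding the script the real export (uid, names and e-mail as the LDAP sync would populate them) gives a better per-user figure than the ~80-byte rule of thumb, because the name and e-mail fields dominate the line length.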
 

victorhooi
Hmm, what happens beyond that point?

Or is there any way to increase this limit in pmxcfs?

(I think we probably have around 5000-ish users - it's possible the overhead, or metadata per user that's boosting it up - but we are close).
 

dcsapak
> Are there any workarounds we can use, to get a larger user.cfg file?
no and i would not recommend letting the file get that big... do you really have 5000 users that need to login to your pve ?
 

victorhooi
It's probably around 4000-4500 - it's used as an internal lab for experimenting with VMs.

It's a four-node cluster, each node has around 2TB of memory, and 128 cores, so we can get some decent utilisation.

Obviously it won't be concurrent usage from all the users at once, but a portion of them at each time, and all of them need the ability to login. (They're also geographically dispersed, so timezone wise, it would be different cohorts at different times normally).

Can you think of any way to make Proxmox work for this use case?
 

dcsapak
i mean simply upping the limit could work (for now) but maybe later you run into that limit again...

i don't know what your users need, but maybe an external api client with its own user auth system would make sense?
so that it relays api calls to only some 'actual' user accounts on pve?

another alternative would be ofc to have multiple clusters for different groups of people...
 

victorhooi
Aha, this is maybe another of those "640K ought to be enough for anybody" moments ;). (Possibly an apocryphal quote).

For our specific use case, I'm very confident that boosting it to 1MB would resolve our issue. (Assuming it scales linearly).

We were around 3000 users before, we added another 1000 or so, and that should be our upper limit for the foreseeable future.

These users are stored in a Google Workspace domain, which we then sync to Proxmox.

All the users share the same VMs/templates/configurations, so it makes sense to have a single cluster. (That, and we only physically have one cluster with 4 nodes). You can basically think of it like follow-the-sun support teams: only a subset of them will be on at any point in time, but they all need the ability to log on in their timezone.

I was looking with interest at some efforts to get SAMLv2 or OpenID Connect support in Proxmox - but not sure if that would hit the same issue as well? (Since it seems the way Proxmox is setup, you need the users defined in both the local user.cfg file, as well as the external IdP).

How hard would it be to increase the limit to 1MB? Is it just a case of editing "#define MEMDB_MAX_FILE_SIZE" in memdb.h, or is there more to it? Would you need to edit Tools.pm as well, for the reader? (Sorry if this is an obvious question).

(I'm assuming making the limit a runtime configurable option would be too tricky).
 

dcsapak
> I was looking with interest at some efforts to get SAMLv2 or OpenID Connect support in Proxmox - but not sure if that would hit the same issue as well? (Since it seems the way Proxmox is setup, you need the users defined in both the local user.cfg file, as well as the external IdP).

there is work on an openid connect realm, but yes you're right, the users would have to be in pve as well since the acls always reference the users defined in the user.cfg

> How hard would it be to increase the limit to 1MB? Is it just a case of editing "#define MEMDB_MAX_FILE_SIZE" in memdb.h, or is there more to it? Would you need to edit Tools.pm as well, for the reader? (Sorry if this is an obvious question).

my guess is that increasing this variable + the one occurrence in pve-common: src/PVE/Tools.pm in the sub 'safe_read_from' should be enough

but there may be other places that use that limit

could you maybe open a feature request for increasing the limit, so that we can discuss and track that there?
 
