Increase default limit on LDAP searches to 100k

A similar change was attempted years ago in commit
9724251292 but it was
never applied because it used the wrong DN and because
nsslapd-timelimit is already present in the entry
the default keyword won't trigger.

Use replace instead to increase the value to 100k from
the default as originally intended.

nsslapd-sizelimit can be changed only with a MOD_REPLACE,
otherwise an LDAP_NO_SUCH_ATTRIBUTE error is thrown. IPA
only uses MOD_REPLACE for single-value attributes but
nsslapd-sizelimit is not yet in schema. Add it to
the known set of exceptions for single-value attributes.

https://pagure.io/freeipa/issue/8962

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden 2021-08-19 16:45:14 -04:00
parent b624179cb1
commit b91c0afd0b
2 changed files with 2 additions and 1 deletions

@ -16,7 +16,7 @@ only: nsslapd-pluginPrecedence: 60
# Set limits to suite better IPA deployment sizes, defaults are too
# conservative
dn: cn=config
default: nsslapd-sizelimit:100000
replace: nsslapd-sizelimit:2000::100000
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
replace: nsslapd-lookthroughlimit:5000::100000
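Review bot: the comment above `dn: cn=config` does not say that `replace: nsslapd-sizelimit:2000::100000` is conditional on the old value, so a reader can take it as an unconditional bump. The update rewrites the limit only where it is still 2000, and an instance whose administrator already changed it keeps its value. Please state that in the comment, and fix "suite" to "suit" while you are there. Because this is the server-wide limit in `cn=config`, it applies to every client that has no tighter per-user limit, so a line on why 100000 is an acceptable cost per search would help whoever later audits resource limits on the directory.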

@ -765,6 +765,7 @@ class LDAPClient:
'nsslapd-logging-hr-timestamps-enabled': True,
'nsslapd-ldapientrysearchbase': True,
'nsslapd-ldapidnmappingbase': True,
'nsslapd-sizelimit': True,
})
time_limit = -1.0 # unlimited
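Review bot: the new `'nsslapd-sizelimit': True,` entry has no comment explaining that it is a workaround for the attribute not being in schema yet, which is the only reason the commit message gives for listing it here. A short note or TODO next to the entry would let it be dropped once the schema declares the attribute single-valued. Neither of the 2 changed files is a test, so nothing checks that an update of `nsslapd-sizelimit` is sent as MOD_REPLACE rather than hitting LDAP_NO_SUCH_ATTRIBUTE; a small test for that path would keep the previous failed attempt from repeating silently.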