[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6253) sizelimit is enforced before applying local filters with a translucent overlay

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6253) sizelimit is enforced before applying local filters with a translucent overlay
From: hyc@symas.com
Date: Thu, 13 Aug 2009 17:10:24 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

masarati@aero.polimi.it wrote:
>> If a 'sizelimit' is required in a query to an LDAP server that uses a
>> translucent overlay, and the filter has to be split between a remote
>> filter and
>> a local filter, and the remote filter returns more than 'sizelimit'
>> objects, you
>> will get a 'sizelimit' error even if the local filter would have filtered
>> out
>> enough objects to keep the number of objects under the sizelimit.
>>
>> In my case I have an LDAP holding basic posixAccount information plus a
>> translucent holding Samba information.
>>
>> The following query:
>> % ldapsearch -z 1 -x -s one -b 'ou=Users,dc=hq,dc=eboxhq,dc=com' -H
>> 'ldap://127.0.0.1:1390'
>> '(&(objectClass=posixAccount)(sambaSID=S-1-5-21-3818554400-921237426-3143208535-5004))'
>> uid
>>
>> only matches one object in the LDAP directory, but it will fail because
>> the
>> remote LDAP will return every user and then the 'sizelimit' is immediately
>> enforced before applying the local (sambaSID) filter.
>>
>> The result with -z 1 is:
>> # search result
>> search: 2
>> result: 4 Size limit exceeded
>>
>> # numResponses: 1
>>
>> The result without the -z option is:
>> # bar, Users, hq.eboxhq.com
>> dn: uid=bar,ou=Users,dc=hq,dc=eboxhq,dc=com
>> uid: bar
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> I think the 'sizelimit' should only be applied to the last set of results
>> and
>> not to the number of results in intermediate steps.
>
> This could be partially cured by removing any size limit while propagating
> the request to the remote server.  Please note that, however, this would
> not prevent the remote server from applying administrative size limits
> regardless of what the client is requesting.

And I would probably use the unchecked sizelimit within the overlay as well.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#6247)
Next by Date: Re: (ITS#6190) back-meta tls start only works when set before any target specification
Index(es):
- Chronological
- Thread