Re: Setting limits on an ou, only
--On Wednesday, August 30, 2006 8:44 PM -0700 Atom Powers
<apowers@digipen.edu> wrote:
Is it possible to set limits on an ou that are different from the default
limits?
I would like to set a default limit of 1 entry returned, but I have an
application that needs to be able to get all data in my ou=people.
Yes, it is possible. Have you read the slapd.conf man page?
<http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html>
limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an
operation. The argument who can be any of
    anonymous | users | [dn[.<style>]=]<pattern> |
    group[/oc[/at]]=<pattern>
with
    <style> ::= exact | base | onelevel | subtree | children
                | regex | anonymous
The term anonymous matches all unauthenticated clients. The
term users matches all authenticated clients; otherwise an exact
dn pattern is assumed unless otherwise specified by qualifying
the (optional) key string dn with exact or base (which are
synonyms), to require an exact match; with onelevel, to require
exactly one level of depth match; with subtree, to allow any
level of depth match, including the exact match; with children,
to allow any level of depth match, not including the exact
match; regex explicitly requires the (default) match based on
POSIX (''extended'') regular expression pattern. Finally,
anonymous matches unbound operations; the pattern field is
ignored. The same behavior is obtained by using the anonymous
form of the who clause. The term group, with the optional
objectClass oc and attributeType at fields, followed by pattern,
sets the limits for any DN listed in the values of the at
attribute (default member) of the oc group objectClass (default
groupOfNames) whose DN exactly matches pattern.
The currently supported limits are size and time.
The syntax for time limits is time[.{soft|hard}]=<integer>,
where integer is the number of seconds slapd will spend
answering a search request. If no time limit is explicitly
requested by the client, the soft limit is used; if the
requested time limit exceeds the hard limit, the value of the
limit is used instead. If the hard limit is set to the keyword
soft, the soft limit is used in either case; if it is set to the
keyword unlimited, no hard limit is enforced. Explicit requests
for time limits smaller or equal to the hard limit are honored.
If no limit specifier is set, the value is assigned to the soft
limit, and the hard limit is set to soft, to preserve the
original behavior.
The syntax for size limits is
size[.{soft|hard|unchecked}]=<integer>, where integer is the
maximum number of entries slapd will return answering a search
request. If no size limit is explicitly requested by the
client, the soft limit is used; if the requested size limit
exceeds the hard limit, the value of the limit is used instead.
If the hard limit is set to the keyword soft, the soft limit is
used in either case; if it is set to the keyword unlimited, no
hard limit is enforced. Explicit requests for size limits
smaller or equal to the hard limit are honored. The unchecked
specifier sets a limit on the number of candidates a search
request is allowed to examine. The rationale behind it is that
searches for non-properly indicized attributes may result in
large sets of candidates, which must be examined by slapd(8) to
determine whether they match the search filter or not. The
unchecked limit provides a means to drop such operations before
they are even started. If the selected candidates exceed the
unchecked limit, the search will abort with Unwilling to
perform. If it is set to the keyword unlimited, no limit is
applied (the default). If it is set to disable, the search is
not even performed; this can be used to disallow searches for a
specific set of users. If no limit specifier is set, the value
is assigned to the soft limit, and the hard limit is set to
soft, to preserve the original behavior.
In case of no match, the global limits are used. The default
values are the same as sizelimit and timelimit; no limit is set
on unchecked.
If pagedResults control is requested, the hard size limit is
used by default, because the request of a specific page size is
considered an explicit request for a limitation on the number of
entries to be returned. However, the size limit applies to the
total count of entries returned within the search, and not to a
single page. Additional size limits may be enforced; the syntax
is size.pr={<integer>|noEstimate|unlimited}, where integer is
the max page size if no explicit limit is set; the keyword
noEstimate inhibits the server from returning an estimate of the
total number of entries that might be returned (note: the
current implementation does not return any estimate). The
keyword unlimited indicates that no limit is applied to the
pagedResults control page size. The syntax
size.prtotal={<integer>|unlimited|disabled} allows to set a
limit on the total number of entries that a pagedResults control
allows to return. By default it is set to the hard limit. When
set, integer is the max number of entries that the whole search
with pagedResults control can return. Use unlimited to allow
unlimited number of entries to be returned, e.g. to allow the
use of the pagedResults control as a means to circumvent size
limitations on regular searches; the keyword disabled disables
the control, i.e. no paged results can be returned. Note that
the total number of entries returned when the pagedResults
control is requested cannot exceed the hard size limit of
regular searches unless extended by the prtotal switch.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
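Added example (not part of the original message and not OpenLDAP code): a small Python model of the size-limit rules quoted above, run over a constructed slapd.conf fragment that gives a default of 1 entry and exempts one application bind DN. All DNs are placeholders, the first-match rule order is an assumption, and only the anonymous, users, exact/base, subtree and children forms of <who> are modelled.

```python
import shlex

# Constructed slapd.conf fragment; every DN is a placeholder.
# Note the who clause names the *requester*: the third line limits users whose
# bind DN sits under ou=people, not searches against ou=people.
CONF = '''
sizelimit 1
limits dn.exact="cn=report,ou=apps,dc=example,dc=com" size=unlimited
limits dn.children="ou=people,dc=example,dc=com" size.soft=5 size.hard=50
'''
INF = float("inf")

def _value(text, soft=None):
    """Turn a limit value into a number; the keyword soft copies the soft limit."""
    if text == "soft":
        return soft
    return INF if text == "unlimited" else int(text)

def _matches(who, bind_dn):
    """Match a bind DN (None = unauthenticated) against a subset of <who> forms."""
    dn = (bind_dn or "").lower()
    if who in ("anonymous", "users"):
        return (dn == "") == (who == "anonymous")
    style, _, pattern = who.lower().partition("=")
    if style in ("dn.exact", "dn.base"):
        return dn == pattern
    if style in ("dn.subtree", "dn.children"):
        below = dn.endswith("," + pattern)
        return below or (style == "dn.subtree" and dn == pattern)
    raise NotImplementedError(who)  # onelevel, regex and group are not modelled

def effective_size(conf, bind_dn, requested=None):
    """Entries a search may return for this requester and client-requested limit."""
    lines = [shlex.split(l) for l in conf.strip().splitlines()]
    # Global sizelimit is the fallback; 500 is slapd's default when it is absent.
    soft = next((_value(a[1]) for a in lines if a[0] == "sizelimit"), 500)
    hard = "soft"
    # Assumption: the first limits clause whose <who> matches is the one applied.
    rule = next((a[2:] for a in lines
                 if a[0] == "limits" and _matches(a[1], bind_dn)), [])
    for token in rule:
        name, _, val = token.partition("=")
        if name == "size":            # no specifier: soft = value, hard = soft
            soft, hard = _value(val), "soft"
        elif name == "size.soft":
            soft = _value(val)
        elif name == "size.hard":
            hard = val
    hard = _value(hard, soft)
    # No client limit -> soft; a client limit is honored up to the hard limit.
    return soft if requested is None else min(requested, hard)
```

Because the limits key on the bind DN, what the exempted application is allowed to read under ou=people still has to be restricted separately with access control.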