[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6253) sizelimit is enforced before applying local filters with a translucent overlay



Full_Name: Isaac Clerencia
Version: 2.4.15
OS: Ubuntu
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.198.40.13)


If a 'sizelimit' is required in a query to an LDAP server that uses a
translucent overlay, and the filter has to be split between a remote filter and
a local filter, and the remote filter returns more than 'sizelimit' objects, you
will get a 'sizelimit' error even if the local filter would have filtered out
enough objects to keep the number of objects under the sizelimit.

In my case I have an LDAP holding basic posixAccount information plus a
translucent holding Samba information.

The following query:
% ldapsearch -z 1 -x -s one -b 'ou=Users,dc=hq,dc=eboxhq,dc=com' -H
'ldap://127.0.0.1:1390'
'(&(objectClass=posixAccount)(sambaSID=S-1-5-21-3818554400-921237426-3143208535-5004))'
uid

only matches one object in the LDAP directory, but it will fail because the
remote LDAP will return every user and then the 'sizelimit' is immediately
enforced before applying the local (sambaSID) filter.

The result with -z 1 is:
# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 1

The result without the -z option is:
# bar, Users, hq.eboxhq.com
dn: uid=bar,ou=Users,dc=hq,dc=eboxhq,dc=com
uid: bar

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I think the 'sizelimit' should only be applied to the last set of results and
not to the number of results in intermediate steps.