[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6253) sizelimit is enforced before applying local filters with a translucent overlay

> If a 'sizelimit' is required in a query to an LDAP server that uses a
> translucent overlay, and the filter has to be split between a remote
> filter and
> a local filter, and the remote filter returns more than 'sizelimit'
> objects, you
> will get a 'sizelimit' error even if the local filter would have filtered
> out
> enough objects to keep the number of objects under the sizelimit.
> In my case I have an LDAP holding basic posixAccount information plus a
> translucent holding Samba information.
> The following query:
> % ldapsearch -z 1 -x -s one -b 'ou=Users,dc=hq,dc=eboxhq,dc=com' -H
> 'ldap://'
> '(&(objectClass=posixAccount)(sambaSID=S-1-5-21-3818554400-921237426-3143208535-5004))'
> uid
> only matches one object in the LDAP directory, but it will fail because
> the
> remote LDAP will return every user and then the 'sizelimit' is immediately
> enforced before applying the local (sambaSID) filter.
> The result with -z 1 is:
> # search result
> search: 2
> result: 4 Size limit exceeded
> # numResponses: 1
> The result without the -z option is:
> # bar, Users, hq.eboxhq.com
> dn: uid=bar,ou=Users,dc=hq,dc=eboxhq,dc=com
> uid: bar
> # search result
> search: 2
> result: 0 Success
> # numResponses: 2
> # numEntries: 1
> I think the 'sizelimit' should only be applied to the last set of results
> and
> not to the number of results in intermediate steps.

This could be partially cured by removing any size limit while propagating
the request to the remote server.  Please note that, however, this would
not prevent the remote server from applying administrative size limits
regardless of what the client is requesting.