It is the as-designed behavior. But you're right, the design is broken here. Currently all sizelimit checking is done in the individual backends, while the search ACLs are checked in the frontend. Checking in the backends means there's a lot of redundant code; it should all be moved into the frontend.

I'm sorry if this has already been discussed, but I can't seem to find such a thread in the archives...
With OL 2.2.29 it looks to me like the sizelimit specified by a client search is evaluated after the ACLs on the server side, so that if a client specifies a sizelimit of 10 and receives 8 results, it may be obvious that 2 entries matched the filter but failed the ACL check, disclosing perhaps more information than the directory maintainers would like.
Is this expected/intended behavior?
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
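
The ordering discussed in this thread, as a simplified model added here for illustration (not slapd code and not part of the original messages). It assumes the backend counts filter matches against the sizelimit before the frontend ACL check; the entry data, the ACL rule and all function names are constructed.

```python
# Model only: entries, ACL rule and function names are constructed for
# illustration; this is not OpenLDAP source.
SUCCESS, SIZE_LIMIT_EXCEEDED = 0, 4   # LDAP result codes (RFC 4511)

# Constructed directory: 12 entries match the filter; entries 3 and 7 are
# not readable by the requesting identity.
ENTRIES = [{"dn": f"uid=user{i},dc=example,dc=com", "readable": i not in (3, 7)}
           for i in range(12)]

def acl_allows(entry):
    """Stand-in for the frontend's per-entry read ACL check."""
    return entry["readable"]

def search_limit_in_backend(entries, sizelimit):
    """Backend counts every filter match against sizelimit; the ACL check
    happens later, so withheld entries still consume the client's limit."""
    sent, counted = [], 0
    for e in entries:
        if counted == sizelimit:
            return sent, SIZE_LIMIT_EXCEEDED
        counted += 1
        if acl_allows(e):
            sent.append(e["dn"])
    return sent, SUCCESS

def search_limit_in_frontend(entries, sizelimit):
    """Only entries that pass the ACL check count against sizelimit."""
    sent = []
    for e in entries:
        if not acl_allows(e):
            continue
        if len(sent) == sizelimit:
            return sent, SIZE_LIMIT_EXCEEDED
        sent.append(e["dn"])
    return sent, SUCCESS

def hidden_matches_revealed(sent, code, sizelimit):
    """Regression check: sizeLimitExceeded with fewer entries than the limit
    tells the client how many matching entries were withheld by ACLs."""
    return sizelimit - len(sent) if code == SIZE_LIMIT_EXCEEDED else 0

if __name__ == "__main__":
    for search in (search_limit_in_backend, search_limit_in_frontend):
        sent, code = search(ENTRIES, 10)
        print(search.__name__, len(sent), code,
              hidden_matches_revealed(sent, code, 10))
```

With a sizelimit of 10, the backend-counted model returns 8 entries with sizeLimitExceeded, while the frontend-counted model returns 10 readable entries and reveals nothing about the withheld ones.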