>Synopsis: ldapd incorrectly reports a search size limit error
>Category: system
>Environment:
System : OpenBSD 5.4
Details : OpenBSD 5.4-stable (GENERIC.MP) #0: Fri Nov 15 21:34:18
EST 2013
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC.MP
Architecture: OpenBSD.i386
Machine : i386
>Description:
When performing a search with a size limit, if the number of matches
is equal to the size limit an error is reported. This does not seem
like the correct behavior.
This was discovered while trying to get saslauthd from cyrus-sasl2
to authenticate against ldapd instead of the openldap server.
saslauthd explicitly requests a unique match when authenticating a user.
>How-To-Repeat:
Perform a search with a size limit. One way to achieve this is to
use ldapsearch from the openldap-client package which has the
-z option to request such a limit.
Performing a search with -z 1 when there is a unique match produces
a status of
result: 4 Size limit exceeded.
In other words:
ldapsearch -z 1 [stuff to connect to server/bind/etc] '(uid=craig)'
which is unique in the database, produces this status.
(The search results are correctly printed, presumably because
ldapsearch ignores the error, saslauthd does NOT and thus claims
a failed authentication when it shouldn't).
>Fix:
The following trivial patch fixes it for me:
Index: search.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/search.c,v
retrieving revision 1.14
diff -u -p -r1.14 search.c
--- search.c 10 Nov 2010 08:00:54 -0000 1.14
+++ search.c 4 Jun 2014 01:57:09 -0000
@@ -437,7 +437,7 @@ conn_search(struct search *search)
/* Check if we have passed the size limit. */
if (rc == BT_SUCCESS && search->szlim > 0 &&
- search->nmatched >= search->szlim) {
+ search->nmatched > search->szlim) {
log_debug("search %d/%lld has reached size limit (%u)",
search->conn->fd, search->req->msgid,
search->szlim);
