Hello,

This patch fixes https://fedorahosted.org/freeipa/ticket/5640.

With not so much experience with the framework, it raises a question in my head whether ipaldap.get_entries is used properly throughout the system - does it always assume that it gets ALL the requested entries or just a few of those as configured by the 'ipaSearchRecordsLimit' attribute of ipaConfig.etc which it actually gets?

One spot that I know the get_entries method was definitely not used properly before this patch is in the baseldap.LDAPObject.get_memberindirect() method:

    result = self.backend.get_entries(
        self.api.env.basedn,
        filter=filter,
        attrs_list=['member'],
        size_limit=-1,  # paged search will get everything anyway
        paged_search=True)

which to me seems kind of important if the environment size_limit is not set properly :) The patch does not fix the non-propagation of the paged_search, though.

Cheers,
Standa
From f76d301b418219b61a571e12ad7404eaf91a5046 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Thu, 14 Jul 2016 13:53:56 +0200
Subject: [PATCH] Make get_entries() not ignore size_limit argument

The permission_find command would in some cases ignore
the sizelimit parameter passed to it. This was caused
by the ipaldap.get_entries() method not passing one of its
parameters further down.

https://fedorahosted.org/freeipa/ticket/5640
---
 ipapython/ipaldap.py            | 5 +++--
 ipaserver/plugins/permission.py | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 704e71a9471c27430328a8c7c6a319aa72a9d482..74d985e8546ad2553bdac5a61da7df8acb6a0923 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1283,7 +1283,7 @@ class LDAPClient(object):
         return cls.combine_filters(flts, rules)
 
     def get_entries(self, base_dn, scope=ldap.SCOPE_SUBTREE, filter=None,
-                    attrs_list=None, **kwargs):
+                    attrs_list=None, size_limit=None, **kwargs):
         """Return a list of matching entries.
 
         :raises: errors.LimitsExceeded if the list is truncated by the server
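Review bot: The signature still ends in **kwargs, and nothing in the visible body of get_entries() forwards it, so any other keyword a caller passes (the cover letter mentions paged_search) keeps being dropped silently, which is the same failure mode this patch fixes for size_limit. Either forward **kwargs to find_entries() or remove it from the signature so an unsupported keyword raises TypeError instead of being ignored. The docstring should also gain a line describing size_limit, since it is now an explicit parameter.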
@@ -1298,7 +1298,8 @@ class LDAPClient(object):
         for their description.
         """
         entries, truncated = self.find_entries(
-            base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
+            base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list,
+            size_limit=size_limit)
         try:
             self.handle_truncated_result(truncated)
         except errors.LimitsExceeded as e:
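Review bot: In the find_entries() call, size_limit=size_limit is now always passed, and it is None for every caller that does not set it; these lines do not show how find_entries() interprets None. Please confirm that None still selects the configured default limit rather than "no limit", so callers that never passed size_limit see no change in behaviour. Callers that already passed a value which used to be ignored (for example size_limit=-1) will now have it honoured, so a regression test covering both the default and an explicit limit would be worth adding.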
diff --git a/ipaserver/plugins/permission.py b/ipaserver/plugins/permission.py
index 830773ae7a09f0197da702e4ec31b0b58f1214dd..e05fc0030c62583e0bcd495c22045274cae14660 100644
--- a/ipaserver/plugins/permission.py
+++ b/ipaserver/plugins/permission.py
@@ -1308,7 +1308,7 @@ class permission_find(baseldap.LDAPSearch):
                 legacy_entries = ldap.get_entries(
                     base_dn=DN(self.obj.container_dn, self.api.env.basedn),
                     filter=ldap.combine_filters(filters, rules=ldap.MATCH_ALL),
-                    attrs_list=attrs_list)
+                    attrs_list=attrs_list, size_limit=max_entries)
                 # Retrieve the root entry (with all legacy ACIs) at once
                 root_entry = ldap.get_entry(DN(api.env.basedn), ['aci'])
             except errors.NotFound:
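Review bot: With size_limit=max_entries on the legacy_entries lookup, get_entries() can now hit the limit, and its docstring says it raises errors.LimitsExceeded when the list is truncated, yet the only handler visible around this call is "except errors.NotFound:". Check whether LimitsExceeded should be caught here and turned into a truncated result for permission_find instead of propagating as an error. It is also not visible where max_entries is defined or what value it carries when the user asks for an unlimited search; a short comment at the call site would help.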
-- 
2.7.4
