On 21.11.2016 17:08, Standa Laznicka wrote:
On 10/10/2016 08:47 AM, Standa Laznicka wrote:
On 10/10/2016 07:53 AM, Jan Cholasta wrote:
On 7.10.2016 12:23, Standa Laznicka wrote:
On 10/07/2016 08:31 AM, Jan Cholasta wrote:
On 17.8.2016 13:47, Stanislav Laznicka wrote:
On 08/11/2016 02:59 PM, Stanislav Laznicka wrote:
On 08/11/2016 07:49 AM, Jan Cholasta wrote:
On 2.8.2016 13:47, Stanislav Laznicka wrote:
On 07/19/2016 09:20 AM, Jan Cholasta wrote:
On 14.7.2016 14:36, Stanislav Laznicka wrote:
This patch fixes https://fedorahosted.org/freeipa/ticket/5640.
With not so much experience with the framework, it raises
head whether ipaldap.get_entries is used properly throughout the
- does it always assume that it gets ALL the requested
few of those as configured by the 'ipaSearchRecordsLimit'
ipaConfig.etc which it actually gets?
That depends. If you call get_entries() on the ldap2 plugin
usually the case in the framework), then ipaSearchRecordsLimit is
used. If you call it on some arbitrary LDAPClient instance, the
hardcoded default (= unlimited) is used.
One spot that I know the get_entries method was definitely
properly before this patch is in the
692 result = self.backend.get_entries(
696 size_limit=-1, # paged search will get
which to me seems kind of important if the environment
set properly :) The patch does not fix the non-propagation of
Why do you think size_limit is not used properly here?
AFAIU it is desired that the search is unlimited. However, due
fact that neither size_limit nor paged_search are passed from
ldap2.get_entries() to ldap2.find_entries() (methods inherited
LDAPClient), only the number of records specified by
ipaSearchRecordsLimit is returned. That could eventually cause
should ipaSearchRecordsLimit be set to a low value as in the
I see. This is *not* intentional, the **kwargs of get_entries()
should be passed to find_entries(). This definitely needs to be
Anyway, this ticket is not really easily fixable without more
changes. Often, multiple LDAP searches are done during command
execution. What do you do with the size limit then? Do you
same size limit to all the searches? Do you subtract the
from the size limit after each search? Do you do something
it? ... The answer is that it depends on the purpose of each
individual LDAP search (like in get_memberindirect() above, we
do unlimited search, otherwise the resulting entry would be
incomplete), and fixing this accross the whole framework is a
I do realize that the proposed fix for the permission plugin is
perfect, it would probably be better to subtract the number of
loaded records from the sizelimit, although in the end the
returned values will not be higher than the given size_limit.
it seems reasonable that if get_entries is passed a size limit, it
should apply it over current ipaSearchRecordsLimit rather than
it. Then, any use of get_entries could be fixed accordingly if
Right. Anyway, this is a different issue than above, so please put
this into a separate commit.
Please see the attached patches, then.
Self-NACK, with Honza's help I found there was a mistake in the
also found an off-by-one bug which I hope I could stick to the
patches (attaching only the modified and new patches).
Works for me, but this bit in patch 0064 looks suspicious to me:
+ if max_entries > 0 and len(entries) ==
Shouldn't it rather be:
+ if max_entries > 0 and len(entries) >=
The length of entries list should not exceed max_entries if size_limit
is properly implemented. Therefore the list you get from execute()
should not have more then max_entries entries. You shouldn't also be
able to append a legacy entry to entries list if this check is the
thing you do.
That's a lot of shoulds :-) I would expect at least an assert
statement to make sure everything is right.
That being said, >= could be used but then some popping of entries from
entries list would be necessary. But it's perhaps safer to do, although
if there's a bug, it won't be that obvious :)
OK, nevermind then, just add the assert please, to make bugs *very*
An assert seems like a very good idea, attached is an asserting patch.
Attached is the patch rebased on the current master. Renumbered it a bit
as previous numbers could've been confusing so I also omitted the
ACK. Removed a stray **kwargs from find_entries() in patch 0065 (as
agreed with Standa offline) and pushed to master:
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code