[email protected] wrote:
>> If a 'sizelimit' is required in a query to an LDAP server that uses a
>> translucent overlay, and the filter has to be split between a remote filter
>> and a local filter, and the remote filter returns more than 'sizelimit'
>> objects, you will get a 'sizelimit' error even if the local filter would
>> have filtered out enough objects to keep the number of objects under the
>> sizelimit.
>>
>> In my case I have an LDAP holding basic posixAccount information plus a
>> translucent holding Samba information.
>>
>> The following query:
>> % ldapsearch -z 1 -x -s one -b 'ou=Users,dc=hq,dc=eboxhq,dc=com' -H 'ldap://127.0.0.1:1390' '(&(objectClass=posixAccount)(sambaSID=S-1-5-21-3818554400-921237426-3143208535-5004))' uid
>>
>> only matches one object in the LDAP directory, but it will fail because the
>> remote LDAP will return every user and then the 'sizelimit' is immediately
>> enforced before applying the local (sambaSID) filter.
>>
>> The result with -z 1 is:
>> # search result
>> search: 2
>> result: 4 Size limit exceeded
>>
>> # numResponses: 1
>>
>> The result without the -z option is:
>> # bar, Users, hq.eboxhq.com
>> dn: uid=bar,ou=Users,dc=hq,dc=eboxhq,dc=com
>> uid: bar
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> I think the 'sizelimit' should only be applied to the last set of results
>> and not to the number of results in intermediate steps.
>
> This could be partially cured by removing any size limit while propagating
> the request to the remote server. Please note that, however, this would
> not prevent the remote server from applying administrative size limits
> regardless of what the client is requesting.

And I would probably use the unchecked sizelimit within the overlay as well.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
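
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP code: a small Python model of a split-filter search, comparing the size limit applied to the remote candidates with the size limit applied after the local filter. The entries, DNs, SIDs and function names are constructed for illustration, and how a remote result truncated by an administrative limit is reported is an assumption.

```python
SUCCESS, SIZELIMIT_EXCEEDED = 0, 4  # LDAP result codes seen in the report

# Constructed sample directory: five remote posixAccount entries,
# with sambaSID held only in the local (translucent) database.
REMOTE = [{"dn": f"uid=user{i},ou=Users,dc=example,dc=com",
           "objectClass": "posixAccount"} for i in range(5)]
LOCAL = {e["dn"]: {"sambaSID": f"S-1-5-21-1-2-3-{5000 + i}"}
         for i, e in enumerate(REMOTE)}


def remote_search(remote_filter, limit):
    """Remote server: return (entries, truncated) honouring a size limit."""
    hits = [e for e in REMOTE if remote_filter(e)]
    if limit is not None and len(hits) > limit:
        return hits[:limit], True
    return hits, False


def translucent_search(remote_filter, local_filter, sizelimit,
                       propagate_limit, admin_limit=None):
    """Split-filter search (hypothetical model).

    propagate_limit=True models the reported behaviour: the client's
    sizelimit is enforced on the remote candidates. False models the
    suggestion in the thread: the limit is enforced after the local filter.
    admin_limit is the remote server's own administrative size limit.
    """
    limits = [n for n in (sizelimit if propagate_limit else None, admin_limit)
              if n is not None]
    candidates, truncated = remote_search(remote_filter,
                                          min(limits) if limits else None)
    if truncated and propagate_limit:
        return SIZELIMIT_EXCEEDED, []  # fails before the local filter runs
    # Merge local attributes over the remote entry, then apply the local filter.
    merged = [{**e, **LOCAL.get(e["dn"], {})} for e in candidates]
    matched = [e["dn"] for e in merged if local_filter(e)]
    if len(matched) > sizelimit:
        return SIZELIMIT_EXCEEDED, matched[:sizelimit]
    # Assumption: a remote result cut short by an administrative limit
    # is still reported to the client as incomplete.
    return (SIZELIMIT_EXCEEDED if truncated else SUCCESS), matched
```

With a size limit of 1, the first mode fails even though only one entry matches the full filter, the second returns that entry, and a remote administrative limit smaller than the candidate set still truncates the search in either mode.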
