Open asouppart opened 3 years ago
Seems the issue is in the scripting engine (ldap.search()).
@soisik @davidcoutadeur @rouazana we would like a review on #299
Global OpenLDAP setting to get a soft limit of 100 entries and hard limit unlimited:
dn: cn=config
olcSizeLimit: size.soft=100 size.hard=unlimited
We can test the pagedResult control with ldapsearch like this:
ldapsearch -x -H ldap://localhost -D uid=coudot,ou=users,dc=example,dc=com -w secret -b dc=example,dc=com -E pr=100/noprompt
I have reviewed part of the code, and done some tests about this issue.
Here is the status:
If the LDAP client adds the pagedResultsControl to the search operation, the hard size limit is used by default, because the request for a specific page size is considered an explicit request for a limitation on the number of entries to be returned. However, the size limit applies to the total count of entries returned within the search, and not to a single page.
Additional size limits may be enforced for paged searches.
We must check that the AD limitation can also be bypassed by the paged control.
When running LSC with a paged search of 3 entries, and OpenLDAP configured with: olcLimits: {1}group/groupOfNames/member="cn=adminlimit,ou=groups,dc=my-domain,dc=com" size.soft=3 size.hard=unlimited time=unlimited, LSC can indeed get all entries (5 entries) when doing a srcLdap.search, but I get some errors, maybe not linked to this issue:
sept. 25 18:50:38 - ERROR - Error while modifying entry uid=test,ou=people2,dc=my-domain,dc=com in directory :javax.naming.OperationNotSupportedException: [LDAP: error code 12 - critical extension is unavailable]; remaining name 'uid=test,ou=people2'
sept. 25 18:50:38 - ERROR - Error while synchronizing ID uid=test,ou=people2,dc=my-domain,dc=com: java.lang.Exception: Technical problem while applying modifications to the destination
At the OpenLDAP side:
2024-09-25T18:50:38.249275+02:00 parmenide slapd[47974]: conn=1009 op=6 RESULT tag=103 err=12 qtime=0.000008 etime=0.000034 text=critical extension is unavailable
2024-09-25T18:50:38.249364+02:00 parmenide slapd[47974]: conn=1009 op=6 do_modify: get_ctrls failed
The extensions sent seem to be managed by OpenLDAP: 1.2.840.113556.1.4.319 and 2.16.840.1.113730.3.4.2. Need more investigation about this.
Finally I found what was wrong about the errors I previously mentioned.
The problem is that the paged control is also applied to the modification, which is not permitted by the protocol. The paged control must be applied only to search requests.
The number of elements returned by the search method is limited by the MaxPageSize configuration of the LDAP server, even if the PageSize configuration is populated with a positive number.
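The slapd log pattern quoted in the thread (result code 12 on a modify, followed by a get_ctrls failure) can be turned into a triage check. This is an added example, not part of the original thread or of LSC's code; the function name, the sample host name and the search line in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# BER application tags of the LDAP responses that answer write operations.
WRITE_RESPONSE_TAGS = {103: "modify", 105: "add", 107: "delete", 109: "modrdn"}
UNAVAILABLE_CRITICAL_EXTENSION = 12  # result code reported in the thread

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
RESULT_RE = re.compile(r"RESULT tag=(\d+) err=(\d+)")

# Constructed sample: the op=6 lines follow the thread's log, the op=5 search is made up.
SAMPLE_LOG = """\
2024-09-25T18:50:38.101000+02:00 ldap1 slapd[47974]: conn=1009 op=5 SEARCH RESULT tag=101 err=0 qtime=0.000009 etime=0.000120 nentries=3 text=
2024-09-25T18:50:38.249275+02:00 ldap1 slapd[47974]: conn=1009 op=6 RESULT tag=103 err=12 qtime=0.000008 etime=0.000034 text=critical extension is unavailable
2024-09-25T18:50:38.249364+02:00 ldap1 slapd[47974]: conn=1009 op=6 do_modify: get_ctrls failed
"""

def rejected_writes(log_text):
    """Return write operations that slapd refused with result code 12."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        result = RESULT_RE.search(rest)
        if result:
            ops[key]["tag"] = int(result.group(1))
            ops[key]["err"] = int(result.group(2))
        elif "get_ctrls failed" in rest:
            # slapd could not accept the controls attached to this request
            ops[key]["control_parse_failed"] = True
    findings = []
    for (conn, op), info in sorted(ops.items()):
        if (info.get("err") == UNAVAILABLE_CRITICAL_EXTENSION
                and info.get("tag") in WRITE_RESPONSE_TAGS):
            findings.append({
                "conn": conn,
                "op": op,
                "operation": WRITE_RESPONSE_TAGS[info["tag"]],
                "control_parse_failed": info.get("control_parse_failed", False),
            })
    return findings

if __name__ == "__main__":
    for finding in rejected_writes(SAMPLE_LOG):
        print(finding)
```

A hit means the client attached a critical control to a write request; in the thread, that control was the paged results control, which belongs on search requests only.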