If a 'sizelimit' is required in a query to an LDAP server that uses a translucent overlay, and the filter has to be split between a remote filter and a local filter, and the remote filter returns more than 'sizelimit' objects, you will get a 'sizelimit' error even if the local filter would have filtered out enough objects to keep the number of objects under the sizelimit.
In my case I have an LDAP holding basic posixAccount information plus a translucent holding Samba information.
The following query:

    % ldapsearch -z 1 -x -s one -b 'ou=Users,dc=hq,dc=eboxhq,dc=com' -H 'ldap://127.0.0.1:1390' '(&(objectClass=posixAccount)(sambaSID=S-1-5-21-3818554400-921237426-3143208535-5004))' uid

only matches one object in the LDAP directory, but it will fail because the remote LDAP will return every user and then the 'sizelimit' is immediately enforced before applying the local (sambaSID) filter.
The result with -z 1 is:

    # search result
    search: 2
    result: 4 Size limit exceeded

    # numResponses: 1

The result without the -z option is:

    # bar, Users, hq.eboxhq.com
    dn: uid=bar,ou=Users,dc=hq,dc=eboxhq,dc=com
    uid: bar

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

I think the 'sizelimit' should only be applied to the last set of results and not to the number of results in intermediate steps.
This could be partially cured by removing any size limit while propagating the request to the remote server. Please note that, however, this would not prevent the remote server from applying administrative size limits regardless of what the client is requesting.
p.
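
The ordering problem discussed in this thread, as a small model added here for illustration (not part of the original messages and not OpenLDAP code). All names, the sample entries and the SIDs are constructed, and raising an exception is a simplification of LDAP result code 4; it shows the reported behaviour, the proposed cure, and the administrative-limit caveat.

```python
# Toy model of a translucent-overlay search (hypothetical names, constructed data).
class SizeLimitExceeded(Exception):
    """Stands in for LDAP result code 4 (Size limit exceeded)."""

# Remote directory: basic posixAccount entries only (constructed).
REMOTE = [{"uid": u, "objectClass": "posixAccount"} for u in ("foo", "bar", "baz")]
# Local translucent attributes layered on top, keyed by uid (constructed SIDs).
LOCAL = {"foo": {"sambaSID": "S-1-5-21-1-2-3-5002"},
         "bar": {"sambaSID": "S-1-5-21-1-2-3-5004"},
         "baz": {"sambaSID": "S-1-5-21-1-2-3-5006"}}

def remote_search(remote_filter, requested_limit=None, admin_limit=None):
    """Remote server: enforces the smaller of the requested and administrative limits."""
    limits = [l for l in (requested_limit, admin_limit) if l is not None]
    limit = min(limits) if limits else None
    out = []
    for entry in REMOTE:
        if remote_filter(entry):
            if limit is not None and len(out) >= limit:
                raise SizeLimitExceeded("remote")
            out.append(entry)
    return out

def translucent_search(remote_filter, local_filter, sizelimit,
                       propagate_limit, admin_limit=None):
    """propagate_limit=True models the reported behaviour, False the proposed cure."""
    requested = sizelimit if propagate_limit else None
    candidates = remote_search(remote_filter, requested, admin_limit)
    results = []
    for entry in candidates:
        merged = {**entry, **LOCAL.get(entry["uid"], {})}  # overlay local attributes
        if local_filter(merged):
            if len(results) >= sizelimit:  # limit applied to the final result set
                raise SizeLimitExceeded("final")
            results.append(merged)
    return results

def outcome(**kw):
    """Run the split filter from the report with sizelimit 1 and summarise the result."""
    is_posix = lambda e: e["objectClass"] == "posixAccount"       # remote part
    has_sid = lambda e: e.get("sambaSID") == "S-1-5-21-1-2-3-5004"  # local part
    try:
        found = translucent_search(is_posix, has_sid, sizelimit=1, **kw)
        return [e["uid"] for e in found]
    except SizeLimitExceeded as exc:
        return f"sizelimit exceeded ({exc})"

if __name__ == "__main__":
    print(outcome(propagate_limit=True))                  # reported behaviour
    print(outcome(propagate_limit=False))                 # limit not propagated
    print(outcome(propagate_limit=False, admin_limit=2))  # remote admin limit still bites
```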