Hi all,

 

We encounter a problem using server-side sort and virtual list view controls in our search requests. After sending one search requests the slapd remains busy until it is restarted:

 

Executing the command

 

/home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children -E!sss=sncertnr -E!vlv="0/0/1/0" "objectclass=*"

 

Generates the following output:

 

# extended LDIF

#

# LDAPv3

# base <o=CustomerCA,c=de> with scope children

# filter: objectclass=*

# requesting: sncertnr

# with server side sorting critical control

# with virtual list view critical control: 0/0/1/0

#

 

# R\C3\BCger OttoSER:9000, testsuite, CustomerCA, de

dn:: Y249UsO8Z2VyIE90dG9TRVI6OTAwMCxvdT10ZXN0c3VpdGUsbz1DdXN0b21lckNBLGM9ZGU=

SNcertNr: 9000

 

# search result

search: 2

result: 0 Success

control: 1.2.840.113556.1.4.474 false MAMKAQA=

sortResult: (0) Success

control: 2.16.840.1.113730.3.4.10 false MA8CAQECAQsCAQAEBJB4LAg=

vlvResult: pos=1 count=11 context=kHgsCA== (0) Success

 

# numResponses: 2

# numEntries: 1

Press [before/after(/offset/count|:value)] Enter for the next window.

 

# extended LDIF

#

# LDAPv3

# base <o=CustomerCA,c=de> with scope children

# filter: objectclass=*

# requesting: sncertnr

# with server side sorting critical control

# with virtual list view critical control: 0/0/1/11

#

 

# search result

search: 3

result: 4 Size limit exceeded

 

# numResponses: 1

 

Why is the size limit exceeded here?

Executing the same command once more produces the following output:

 

# extended LDIF

#

# LDAPv3

# base <o=CustomerCA,c=de> with scope children

# filter: objectclass=*

# requesting: sncertnr

# with server side sorting critical control

# with virtual list view critical control: 0/0/1/0

#

 

# search result

search: 2

result: 51 Server is busy

text: Other sort requests already in progress

 

# numResponses: 1

 

Now slapd doesn’t accept sssvlv requests anymore, it has to be restarted.

 

Here is the content of slapd.conf:

 

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /home/openldap/openldap-2.4.21-install/etc/openldap/schema/core.schema

include         /home/openldap/openldap-2.4.21-install/etc/openldap/schema/isis_mtt_extensions.schema

include         /home/openldap/openldap-2.4.21-install/etc/openldap/schema/secunet_isis_mtt_extensions.schema

 

# Define global ACLs to disable default read access.

 

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org

 

pidfile         /home/openldap/openldap-2.4.21-install/var/run/slapd.pid

argsfile        /home/openldap/openldap-2.4.21-install/var/run/slapd.args

 

# Load dynamic backend modules:

modulepath      /home/openldap/openldap-2.4.21-install/libexec/openldap

# modulepath    /usr/local/libexec/openldap

moduleload      back_bdb.la

# moduleload    back_hdb.la

# moduleload    back_ldap.la

# moduleload    /home/openldap/openldap-2.4.21-install/libexec/openldap/compmatch

# moduleload    /home/openldap/openldap-2.4.21-install/libexec/openldap/compmatch.la

#  moduleload   compmatch.la

 

# overlay server-side-sorting + virtual list view:

overlay sssvlv

# Sets the  maximum  number  of  concurrent  sort requests allowed

# across all connections; the default is one half of the number of

# server threads:

sssvlv-max 8

# Sets the  maximum  number of keys allowed in a sort request; the

# default is 5:

sssvlv-maxkeys 5

 

# Sample security restrictions

#       Require integrity protection (prevent hijacking)

#       Require 112-bit (3DES or better) encryption for updates

#       Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

 

# Sample access control policy:

#       Root DSE: allow anyone to read it

#       Subschema (sub)entry DSE: allow anyone to read it

#       Other DSEs:

#               Allow self write access

#               Allow authenticated users read access

#               Allow anonymous users to authenticate

#       Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

#       by self write

#       by users read

#       by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn.  (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!

 

#######################################################################

# BDB database definitions

#######################################################################

 

database        bdb

suffix          ""

rootdn          "cn=openldapadmin"

# Cleartext passwords, especially for the rootdn, should

# be avoid.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

rootpw          welcome

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory       /home/openldap/openldap-2.4.21-install/var/openldap-data

# Indices to maintain

index   objectClass     eq

index   c       eq

index   o       eq

index   ou      eq

index   sncertnr        eq

index   sncerthash      eq

index   snissuerkeyhash eq

index   snissuernamehash        eq

 

 

Does anybody have an idea?

Executing this command against a Sun DS 6 server doesn’t generate this problem.

 

 

Regards,

Hartmut