Hello,
I am running OpenLDAP 2.4.31. Tried to disable simple paged results - rfc 2696 with: dn: cn=config changetype: modify replace: olcSizeLimit olcSizeLimit: size.prtotal=disabled
The ldapmodify(1) does not complain, yet the change does not affect my server.
My goal is to have clients receive something like "Unavailable Critical Extension" as a response. Is what I am attempting to do expected to disable simple paged results for all clients [and DITs]? Is it even possible? Am I going right about disabling paging control?
Thank you,
Igor Shmukler
Am Tue, 1 Sep 2015 13:21:51 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello,
I am running OpenLDAP 2.4.31. Tried to disable simple paged results - rfc 2696 with: dn: cn=config changetype: modify replace: olcSizeLimit olcSizeLimit: size.prtotal=disabled
The ldapmodify(1) does not complain, yet the change does not affect my server.
My goal is to have clients receive something like "Unavailable Critical Extension" as a response. Is what I am attempting to do expected to disable simple paged results for all clients [and DITs]? Is it even possible? Am I going right about disabling paging control?
slapd silently ignores the control request, but sizelimit still comes into effect.
-Dieter
Hello Dieter,
Thank you for replying.
slapd silently ignores the control request, but sizelimit still comes into effect.
Given that, as well as the other relevant information...
Is "olcSizieLimit: size.prtotal=disabled" not affecting the response, a bug in OpenLDAP 2.4.x, or did I incorrectly understand the documentation? If it is a bug, should it be filed? How would one go about disabling simple paged results [having the OpenLDAP server respond with critical extension unavailable or similar]? Is restricting access to the control with an ACL is the way to go?
Thank you,
Igor Shmukler
Am Wed, 2 Sep 2015 08:38:42 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello Dieter,
Thank you for replying.
slapd silently ignores the control request, but sizelimit still comes into effect.
Given that, as well as the other relevant information...
Is "olcSizieLimit: size.prtotal=disabled" not affecting the response, a bug in OpenLDAP 2.4.x, or did I incorrectly understand the documentation? If it is a bug, should it be filed? How would one go about disabling simple paged results [having the OpenLDAP server respond with critical extension unavailable or similar]? Is restricting access to the control with an ACL is the way to go?
I have overlooked a few mistakes of yours :-(
1. you modified the global configuration part, that is cn=config, and not a database part. 2. you configured a sizelimit, not a limit.
slapd.conf(5) clearly states:
GENERAL DATABASE OPTIONS Options in this section only apply to the configuration file section for the database in which they are defined. 'limits' is specified within the general database options, size.prtotal is defined within the 'limits' section.
-Dieter
Am Wed, 2 Sep 2015 10:05:13 +0200 schrieb Dieter Klünter dieter@dkluenter.de:
Am Wed, 2 Sep 2015 08:38:42 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello Dieter,
Thank you for replying.
slapd silently ignores the control request, but sizelimit still comes into effect.
Given that, as well as the other relevant information...
Is "olcSizieLimit: size.prtotal=disabled" not affecting the response, a bug in OpenLDAP 2.4.x, or did I incorrectly understand the documentation? If it is a bug, should it be filed? How would one go about disabling simple paged results [having the OpenLDAP server respond with critical extension unavailable or similar]? Is restricting access to the control with an ACL is the way to go?
I have overlooked a few mistakes of yours :-(
- you modified the global configuration part, that is cn=config, and not a database part.
- you configured a sizelimit, not a limit.
slapd.conf(5) clearly states:
GENERAL DATABASE OPTIONS Options in this section only apply to the configuration file section for the database in which they are defined. 'limits' is specified within the general database options, size.prtotal is defined within the 'limits' section.
I must correct myself, either configuration works.
dn:cn=config ... olcSizeLimit: size.prtotal=disabled
or
dn:olcDatabase={1}mdb olcSuffix: o=avci,c=de ... olclimits={2}dn.this.children="o=avci,c=de" size.prtotal=disabled
in both cases i receive result code 11.
-Dieter
Hello DIeter,
Thank you for the clarification. I modified the LDIF to apply the page size limit to a specific database. Now, slapcat(8) shows limits for my DIT database: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=unlimited size.hard=unlimited
The only difference from an example that I found - in my configuration olcSizeLimit comes before olcLimits. Hopefully, this is not the problem.
The server however still does process paged results as below: # extended LDIF # # LDAPv3 # base <dc=sssvlv,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Is there a requirement to apply olcLimits before olcSizeLImit?
Sincerely,
Igor Shmukler
On Wed, Sep 2, 2015 at 11:05 AM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 08:38:42 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello Dieter,
Thank you for replying.
slapd silently ignores the control request, but sizelimit still comes into effect.
Given that, as well as the other relevant information...
Is "olcSizieLimit: size.prtotal=disabled" not affecting the response, a bug in OpenLDAP 2.4.x, or did I incorrectly understand the documentation? If it is a bug, should it be filed? How would one go about disabling simple paged results [having the OpenLDAP server respond with critical extension unavailable or similar]? Is restricting access to the control with an ACL is the way to go?
I have overlooked a few mistakes of yours :-(
- you modified the global configuration part, that is cn=config, and not a database part.
- you configured a sizelimit, not a limit.
slapd.conf(5) clearly states:
GENERAL DATABASE OPTIONS Options in this section only apply to the configuration file section for the database in which they are defined. 'limits' is specified within the general database options, size.prtotal is defined within the 'limits' section.
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Am Wed, 2 Sep 2015 12:50:59 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello DIeter,
Thank you for the clarification. I modified the LDIF to apply the page size limit to a specific database. Now, slapcat(8) shows limits for my DIT database: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=unlimited size.hard=unlimited
size.hard=unlimited is you problem. From slapd.conf(5)
If pagedResults control is requested, the hard size limit is used by default, Use unlimited to allow unlimited number of entries to be returned, e.g. to allow the use of the pagedResults control as a means to circumvent size limitations on regular searches;
-Dieter
The only difference from an example that I found - in my configuration olcSizeLimit comes before olcLimits. Hopefully, this is not the problem.
The server however still does process paged results as below: # extended LDIF # # LDAPv3 # base <dc=sssvlv,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Is there a requirement to apply olcLimits before olcSizeLImit?
Sincerely,
Igor Shmukler
On Wed, Sep 2, 2015 at 11:05 AM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 08:38:42 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello Dieter,
Thank you for replying.
slapd silently ignores the control request, but sizelimit still comes into effect.
Given that, as well as the other relevant information...
Is "olcSizieLimit: size.prtotal=disabled" not affecting the response, a bug in OpenLDAP 2.4.x, or did I incorrectly understand the documentation? If it is a bug, should it be filed? How would one go about disabling simple paged results [having the OpenLDAP server respond with critical extension unavailable or similar]? Is restricting access to the control with an ACL is the way to go?
I have overlooked a few mistakes of yours :-(
- you modified the global configuration part, that is cn=config,
and not a database part. 2. you configured a sizelimit, not a limit.
slapd.conf(5) clearly states:
GENERAL DATABASE OPTIONS Options in this section only apply to the configuration file section for the database in which they are defined. 'limits' is specified within the general database options, size.prtotal is defined within the 'limits' section.
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Hi DIeter,
Thank you again. I changed the config. Now, slapcat shows: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=1000 size.hard=1000 size.prtotal=disabled
Still the same story: # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Does it mean there is a bug?
Sincerely,
Igor Shmukler
On Wed, Sep 2, 2015 at 1:26 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 12:50:59 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello DIeter,
Thank you for the clarification. I modified the LDIF to apply the page size limit to a specific database. Now, slapcat(8) shows limits for my DIT database: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=unlimited size.hard=unlimited
size.hard=unlimited is you problem. From slapd.conf(5)
If pagedResults control is requested, the hard size limit is used by default, Use unlimited to allow unlimited number of entries to be returned, e.g. to allow the use of the pagedResults control as a means to circumvent size limitations on regular searches;
-Dieter
The only difference from an example that I found - in my configuration olcSizeLimit comes before olcLimits. Hopefully, this is not the problem.
The server however still does process paged results as below: # extended LDIF # # LDAPv3 # base <dc=sssvlv,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Is there a requirement to apply olcLimits before olcSizeLImit?
Sincerely,
Igor Shmukler
On Wed, Sep 2, 2015 at 11:05 AM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 08:38:42 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello Dieter,
Thank you for replying.
slapd silently ignores the control request, but sizelimit still comes into effect.
Given that, as well as the other relevant information...
Is "olcSizieLimit: size.prtotal=disabled" not affecting the response, a bug in OpenLDAP 2.4.x, or did I incorrectly understand the documentation? If it is a bug, should it be filed? How would one go about disabling simple paged results [having the OpenLDAP server respond with critical extension unavailable or similar]? Is restricting access to the control with an ACL is the way to go?
I have overlooked a few mistakes of yours :-(
- you modified the global configuration part, that is cn=config,
and not a database part. 2. you configured a sizelimit, not a limit.
slapd.conf(5) clearly states:
GENERAL DATABASE OPTIONS Options in this section only apply to the configuration file section for the database in which they are defined. 'limits' is specified within the general database options, size.prtotal is defined within the 'limits' section.
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Am Wed, 2 Sep 2015 14:27:39 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hi DIeter,
Thank you again. I changed the config. Now, slapcat shows: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=1000 size.hard=1000 size.prtotal=disabled
you should either user sizelimit or limit in order to disable pagedResults, but not both.
Still the same story: # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Does it mean there is a bug?
There is no bug, at least not since release 2.4.33. I tested it with 2.4.33, 2.4.36, 2.4.42. Mostlikly your configuration is missing some vital parameters.
-Dieter
On Wed, Sep 2, 2015 at 1:26 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 12:50:59 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello DIeter,
Thank you for the clarification. I modified the LDIF to apply the page size limit to a specific database. Now, slapcat(8) shows limits for my DIT database: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=unlimited size.hard=unlimited
size.hard=unlimited is you problem. From slapd.conf(5)
If pagedResults control is requested, the hard size limit is used by default, Use unlimited to allow unlimited number of entries to be returned, e.g. to allow the use of the pagedResults control as a means to circumvent size limitations on regular searches;
-Dieter
The only difference from an example that I found - in my configuration olcSizeLimit comes before olcLimits. Hopefully, this is not the problem.
The server however still does process paged results as below: # extended LDIF # # LDAPv3 # base <dc=sssvlv,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Is there a requirement to apply olcLimits before olcSizeLImit?
Sincerely,
Igor Shmukler
On Wed, Sep 2, 2015 at 11:05 AM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 08:38:42 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello Dieter,
Thank you for replying.
slapd silently ignores the control request, but sizelimit still comes into effect.
Given that, as well as the other relevant information...
Is "olcSizieLimit: size.prtotal=disabled" not affecting the response, a bug in OpenLDAP 2.4.x, or did I incorrectly understand the documentation? If it is a bug, should it be filed? How would one go about disabling simple paged results [having the OpenLDAP server respond with critical extension unavailable or similar]? Is restricting access to the control with an ACL is the way to go?
I have overlooked a few mistakes of yours :-(
- you modified the global configuration part, that is cn=config,
and not a database part. 2. you configured a sizelimit, not a limit.
slapd.conf(5) clearly states:
GENERAL DATABASE OPTIONS Options in this section only apply to the configuration file section for the database in which they are defined. 'limits' is specified within the general database options, size.prtotal is defined within the 'limits' section.
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
$ slapd -V @(#) $OpenLDAP: slapd (Ubuntu) (Mar 17 2014 21:20:08) $
I tried olcSizeLimit, before adding olcSizeLimits. Perhaps there is a bug.
On Wed, Sep 2, 2015 at 3:55 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 14:27:39 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hi DIeter,
Thank you again. I changed the config. Now, slapcat shows: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=1000 size.hard=1000 size.prtotal=disabled
you should either user sizelimit or limit in order to disable pagedResults, but not both.
Still the same story: # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Does it mean there is a bug?
There is no bug, at least not since release 2.4.33. I tested it with 2.4.33, 2.4.36, 2.4.42. Mostlikly your configuration is missing some vital parameters.
-Dieter
On Wed, Sep 2, 2015 at 1:26 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 12:50:59 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello DIeter,
Thank you for the clarification. I modified the LDIF to apply the page size limit to a specific database. Now, slapcat(8) shows limits for my DIT database: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=unlimited size.hard=unlimited
size.hard=unlimited is you problem. From slapd.conf(5)
If pagedResults control is requested, the hard size limit is used by default, Use unlimited to allow unlimited number of entries to be returned, e.g. to allow the use of the pagedResults control as a means to circumvent size limitations on regular searches;
-Dieter
The only difference from an example that I found - in my configuration olcSizeLimit comes before olcLimits. Hopefully, this is not the problem.
The server however still does process paged results as below: # extended LDIF # # LDAPv3 # base <dc=sssvlv,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Is there a requirement to apply olcLimits before olcSizeLImit?
Sincerely,
Igor Shmukler
On Wed, Sep 2, 2015 at 11:05 AM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 08:38:42 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello Dieter,
Thank you for replying.
> slapd silently ignores the control request, but sizelimit > still comes into effect.
Given that, as well as the other relevant information...
Is "olcSizieLimit: size.prtotal=disabled" not affecting the response, a bug in OpenLDAP 2.4.x, or did I incorrectly understand the documentation? If it is a bug, should it be filed? How would one go about disabling simple paged results [having the OpenLDAP server respond with critical extension unavailable or similar]? Is restricting access to the control with an ACL is the way to go?
I have overlooked a few mistakes of yours :-(
- you modified the global configuration part, that is cn=config,
and not a database part. 2. you configured a sizelimit, not a limit.
slapd.conf(5) clearly states:
GENERAL DATABASE OPTIONS Options in this section only apply to the configuration file section for the database in which they are defined. 'limits' is specified within the general database options, size.prtotal is defined within the 'limits' section.
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Am Wed, 2 Sep 2015 15:59:28 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
$ slapd -V @(#) $OpenLDAP: slapd (Ubuntu) (Mar 17 2014 21:20:08) $
I tried olcSizeLimit, before adding olcSizeLimits. Perhaps there is a bug.
Ther is no bug. Read the manual page slapd-config(5) on olclimits, base DN and DN type, pay attention to dn type 'this'.
-Dieter
On Wed, Sep 2, 2015 at 3:55 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 14:27:39 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hi DIeter,
Thank you again. I changed the config. Now, slapcat shows: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=1000 size.hard=1000 size.prtotal=disabled
you should either user sizelimit or limit in order to disable pagedResults, but not both.
Still the same story: # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Does it mean there is a bug?
There is no bug, at least not since release 2.4.33. I tested it with 2.4.33, 2.4.36, 2.4.42. Mostlikly your configuration is missing some vital parameters.
-Dieter
On Wed, Sep 2, 2015 at 1:26 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 12:50:59 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello DIeter,
Thank you for the clarification. I modified the LDIF to apply the page size limit to a specific database. Now, slapcat(8) shows limits for my DIT database: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=unlimited size.hard=unlimited
size.hard=unlimited is you problem. From slapd.conf(5)
If pagedResults control is requested, the hard size limit is used by default, Use unlimited to allow unlimited number of entries to be returned, e.g. to allow the use of the pagedResults control as a means to circumvent size limitations on regular searches;
-Dieter
The only difference from an example that I found - in my configuration olcSizeLimit comes before olcLimits. Hopefully, this is not the problem.
The server however still does process paged results as below: # extended LDIF # # LDAPv3 # base <dc=sssvlv,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Is there a requirement to apply olcLimits before olcSizeLImit?
Sincerely,
Igor Shmukler
On Wed, Sep 2, 2015 at 11:05 AM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 08:38:42 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
> Hello Dieter, > > Thank you for replying. > > > slapd silently ignores the control request, but sizelimit > > still comes into effect. > > Given that, as well as the other relevant information... > > Is "olcSizieLimit: size.prtotal=disabled" not affecting the > response, a bug in OpenLDAP 2.4.x, or did I incorrectly > understand the documentation? If it is a bug, should it be > filed? How would one go about disabling simple paged results > [having the OpenLDAP server respond with critical extension > unavailable or similar]? Is restricting access to the control > with an ACL is the way to go?
I have overlooked a few mistakes of yours :-(
- you modified the global configuration part, that is
cn=config, and not a database part. 2. you configured a sizelimit, not a limit.
slapd.conf(5) clearly states:
GENERAL DATABASE OPTIONS Options in this section only apply to the configuration file section for the database in which they are defined. 'limits' is specified within the general database options, size.prtotal is defined within the 'limits' section.
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Thank you. Will try to understand the man page. Appreciate your help.
On Wed, Sep 2, 2015 at 4:59 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 15:59:28 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
$ slapd -V @(#) $OpenLDAP: slapd (Ubuntu) (Mar 17 2014 21:20:08) $
I tried olcSizeLimit, before adding olcSizeLimits. Perhaps there is a bug.
Ther is no bug. Read the manual page slapd-config(5) on olclimits, base DN and DN type, pay attention to dn type 'this'.
-Dieter
On Wed, Sep 2, 2015 at 3:55 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 14:27:39 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hi DIeter,
Thank you again. I changed the config. Now, slapcat shows: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=1000 size.hard=1000 size.prtotal=disabled
you should either user sizelimit or limit in order to disable pagedResults, but not both.
Still the same story: # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Does it mean there is a bug?
There is no bug, at least not since release 2.4.33. I tested it with 2.4.33, 2.4.36, 2.4.42. Mostlikly your configuration is missing some vital parameters.
-Dieter
On Wed, Sep 2, 2015 at 1:26 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Wed, 2 Sep 2015 12:50:59 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello DIeter,
Thank you for the clarification. I modified the LDIF to apply the page size limit to a specific database. Now, slapcat(8) shows limits for my DIT database: olcSizeLimit: size.prtotal=disabled olcLimits: {0}dn=* size.soft=unlimited size.hard=unlimited
size.hard=unlimited is you problem. From slapd.conf(5)
If pagedResults control is requested, the hard size limit is used by default, Use unlimited to allow unlimited number of entries to be returned, e.g. to allow the use of the pagedResults control as a means to circumvent size limitations on regular searches;
-Dieter
The only difference from an example that I found - in my configuration olcSizeLimit comes before olcLimits. Hopefully, this is not the problem.
The server however still does process paged results as below: # extended LDIF # # LDAPv3 # base <dc=sssvlv,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # with pagedResults critical control: size=5 #
# sssvlv.com dn: dc=sssvlv,dc=com objectClass: top
Is there a requirement to apply olcLimits before olcSizeLImit?
Sincerely,
Igor Shmukler
On Wed, Sep 2, 2015 at 11:05 AM, Dieter Klünter dieter@dkluenter.de wrote: > Am Wed, 2 Sep 2015 08:38:42 +0300 > schrieb Igor Shmukler igor.shmukler@gmail.com: > >> Hello Dieter, >> >> Thank you for replying. >> >> > slapd silently ignores the control request, but sizelimit >> > still comes into effect. >> >> Given that, as well as the other relevant information... >> >> Is "olcSizieLimit: size.prtotal=disabled" not affecting the >> response, a bug in OpenLDAP 2.4.x, or did I incorrectly >> understand the documentation? If it is a bug, should it be >> filed? How would one go about disabling simple paged results >> [having the OpenLDAP server respond with critical extension >> unavailable or similar]? Is restricting access to the control >> with an ACL is the way to go? > > I have overlooked a few mistakes of yours :-( > > 1. you modified the global configuration part, that is > cn=config, and not a database part. > 2. you configured a sizelimit, not a limit. > > slapd.conf(5) clearly states: > > GENERAL DATABASE OPTIONS > Options in this section only apply to the configuration file > section for the database in which they are defined. > 'limits' is specified within the general database options, > size.prtotal is defined within the 'limits' section. > > -Dieter > > -- > Dieter Klünter | Systemberatung > http://sys4.de > GPG Key ID: E9ED159B > 53°37'09,95"N > 10°08'02,42"E >
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Am Wed, 2 Sep 2015 08:38:42 +0300 schrieb Igor Shmukler igor.shmukler@gmail.com:
Hello Dieter,
Thank you for replying.
slapd silently ignores the control request, but sizelimit still comes into effect.
Given that, as well as the other relevant information...
Is "olcSizieLimit: size.prtotal=disabled" not affecting the response, a bug in OpenLDAP 2.4.x, or did I incorrectly understand the documentation? If it is a bug, should it be filed? How would one go about disabling simple paged results [having the OpenLDAP server respond with critical extension unavailable or similar]? Is restricting access to the control with an ACL is the way to go?
In fact it does have influence on responses, but you have to initialise ctriticality.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=benchmark,o=avci,c=de -E'!pr=50/noprompt' "*" SASL/DIGEST-MD5 authentication started SASL username: xxxx SASL SSF: 128 SASL data security layer installed. Administrative limit exceeded (11) Additional information: pagedResults control not allowed
-Dieter
openldap-technical@openldap.org
-
Dieter Klünter -
Igor Shmukler