Hi,

We found an odd issue when using LDAP Admin (www.ldapadmin.org), which by defaults uses the paged results control (RFC 2696) to limit search results.

This client initially issues an objectclass=* search with one-level scope to list the first-level objects/trees on the LDAP DIT, which you can then browse/expand by clicking on them.

On a large db, we noticed this initial search hits the timelimit, even though the equivalent command line search is instant. I found the difference is in using the paged result control:

ldapsearch -s one -E !pr=100 objectclass=* objectclass => slow ldapsearch -s one objectclass=* objectclass => fast

The slapd stats+trace logging of each is in attachment. Notice the large number of objects being skipped with "scope not okay" in the first, where this does not happen in the second. This slows down the search, and on a very large db, makes it exceed the configured 60 seconds timelimit.

A third variant, setting the sizelimit explicitly, avoids the issue:

ldapsearch -s one -E !pr=100 -z 100 objectclass=* objectclass => fast

Is this expected behaviour?

Geert