Michael Ströder wrote:

HI!

Looking at comments in ITS#9251 I wonder if and how one should set -DSLAPD_MAX_FILTER_DEPTH= when building OpenLDAP downstream packages.

Better to take this in context of ITS#9202 which is the original report.

To me the default of 5000 looks way too high.

Indeed. The only reason to limit this in the first place was to prevent a potential stack overrun, which could occur at a depth of over 38000.

It would be really helpful to have a metric of maximum filter depth sent in by clients in cn=monitor.

For all practical purposes, it doesn't matter what number you choose as long as it's smaller than 38000.

Anyway, you'll get an ADMINLIMIT_EXCEEDED error if a client hits the limit, so there's no point worrying about it until then.

Ciao, Michael.