#967 sssd does not handle when paging control disabled for openldap
Closed: Fixed None Opened 12 years ago by sgallagh.

Description of problem:
Disabling paging control on the openldap server doesn't allow sssd to enumerate
any users against it, since we cannot turn paging control off in sssd.

Version-Release number of selected component (if applicable):
sssd-1.5.1-43.el6

How reproducible:
Always

Steps to Reproduce:
1. Disable paging in openldap server:
olcSizeLimit: size.prtotal=disabled in /etc/openldap/slapd.d/cn\=config.ldif

2. ldapsearch with paging control fails:
ldapsearch -xv -h openldap.example.com -E pr=5  -b "dc=example,dc=com" gives:
# search result
search: 2
result: 11 Administrative limit exceeded
text: pagedResults control not allowed

3. However, ldapsearch without paging control works:
ldapsearch -xv -h openldap.example.com  -b "dc=example,dc=com"

...
...
# search result
search: 2
result: 0 Success

# numResponses: 40
# numEntries: 39


Actual results:
Since there is no way to disable paging support in sssd, we are not able to
enumerate any users.

/var/log/sssd/sssd_openldap.log shows:
(Thu Aug  4 07:09:26 2011) [sssd[be[openldap]]] [sdap_get_generic_done] (6):
Search result: Administrative limit exceeded(11), pagedResults control not
allowed
(Thu Aug  4 07:09:26 2011) [sssd[be[openldap]]] [sdap_get_generic_done] (2):
Unexpected result from ldap: Administrative limit exceeded(11), pagedResults
control not allowed
(Thu Aug  4 07:09:26 2011) [sssd[be[openldap]]] [sdap_get_users_process] (6):
Search for users, returned 0 results


Expected results:
sssd must allow paging control to be turned off.

Additional info:

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.8.0

Moving to 1.7.91. Fixing this requires adding a new config option (which means it needs to be done before string freeze).

The solution will be to add an option {{{ldap_disable_paging}}} to force SSSD not to use the paging control, even if the RootDSE reports being able to do so.

This will also function as a workaround to a FreeIPA/389DS bug where only one paging control can be active on a single connection at a time. In high-load situations, this was causing intermittent failures with the error: "Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection"

blockedby: =>
blocking: =>
milestone: SSSD 1.8.0 => SSSD 1.7.91 (1.8.0 beta 1)
owner: somebody => sgallagh
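
Added example (not part of the ticket or of SSSD's code): a log triage sketch that finds the two paging failures named above in an sssd domain log and lists the domains where `ldap_disable_paging` is worth reviewing. The sample lines, the `ipa` domain name, and the helper names `paging_failures` and `suggest_config` are constructed for illustration.

```python
import re

# Constructed sample in the domain-log format quoted in this ticket, one event
# per line. The result-53 line reuses the prefix of the result-11 line; that
# pairing is an assumption.
SAMPLE_LOG = """\
(Thu Aug  4 07:09:26 2011) [sssd[be[openldap]]] [sdap_get_generic_done] (6): Search result: Administrative limit exceeded(11), pagedResults control not allowed
(Thu Aug  4 07:09:26 2011) [sssd[be[openldap]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Administrative limit exceeded(11), pagedResults control not allowed
(Thu Aug  4 07:09:26 2011) [sssd[be[openldap]]] [sdap_get_users_process] (6): Search for users, returned 0 results
(Thu Aug  4 07:10:02 2011) [sssd[be[ipa]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection
(Thu Aug  4 07:10:03 2011) [sssd[be[ipa]]] [sdap_get_generic_done] (6): Search result: Success(0), no errmsg set
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>\d+)\): (?P<msg>.*)$")
RESULT_RE = re.compile(r"\((?P<code>\d+)\), (?P<text>.*)$")

# (LDAP result code, diagnostic text) pairs named in this ticket.
PAGING_SIGNATURES = {
    (11, "pagedResults control not allowed"):
        "server rejects the paging control",
    (53, "Simple Paged Results Search already in progress on this connection"):
        "concurrent paged searches on one connection",
}

def paging_failures(log_text):
    """Return {domain: {reason: matching_line_count}} for paging failures."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        r = RESULT_RE.search(m["msg"]) if m else None
        if not r:
            continue  # not a domain-log line, or no LDAP result in it
        reason = PAGING_SIGNATURES.get((int(r["code"]), r["text"].strip()))
        if reason:
            per_domain = hits.setdefault(m["domain"], {})
            per_domain[reason] = per_domain.get(reason, 0) + 1
    return hits

def suggest_config(hits):
    """Render the sssd.conf stanza to review for each affected domain."""
    return "\n".join(
        f"[domain/{d}]\nldap_disable_paging = true" for d in sorted(hits))

if __name__ == "__main__":
    print(suggest_config(paging_failures(SAMPLE_LOG)))
```

With paging disabled, searches are bounded by the server's size limit, so check that enumeration still returns the full set of entries after changing the option.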

Fields changed

status: new => assigned

Fields changed

patch: 0 => 1

Fixed by 8270b1b

resolution: => fixed
status: assigned => closed

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.8 beta

7 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/2009

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
