#4398 search limits applied in indirect membership processing
Closed: Fixed None Opened 9 years ago by pviktori.

AFAIU, the expected behavior of --sizelimit=1 is to return one entry,setting truncated=True in the API response.

However, ldap2's member[of]indirect processing does additional query, and applies the limit to that.
If the returned entry has more than one member, this results in a LimitsExceeded error.

$ ipa permission_find 'Modify' --attrs=ipaenabledflag --sizelimit=1
ipa: ERROR: limits exceeded for this query

The question is qhat to do here. Not apply any limits, relying on the fact that the searched-for attributes are indexed? Apply global limits (only in case they're larger than the requested ones, so increasing limits is still possible)? Or declare this behavior as expected?

I prefer using the max of global/requested limits when calculating membership.

master:

  • 73b2d0a ldap2 indirect membership processing: Use global limits if greater than per-query ones

ipa-4-1:

  • 73b2d0a ldap2 indirect membership processing: Use global limits if greater than per-query ones

ipa-4-0:

  • 73b2d0a ldap2 indirect membership processing: Use global limits if greater than per-query ones

Metadata Update from @pviktori:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0.1

7 years ago

Login to comment on this ticket.

Metadata