AFAIU, the expected behavior of --sizelimit=1 is to return one entry, setting truncated=True in the API response.
However, ldap2's member[of]indirect processing does an additional query, and applies the limit to that. If the returned entry has more than one member, this results in a LimitsExceeded error.
$ ipa permission_find 'Modify' --attrs=ipaenabledflag --sizelimit=1
ipa: ERROR: limits exceeded for this query
The question is what to do here. Not apply any limits, relying on the fact that the searched-for attributes are indexed? Apply global limits (only in case they're larger than the requested ones, so increasing limits is still possible)? Or declare this behavior as expected?
I prefer using the max of global/requested limits when calculating membership.
+1 for that from me.
master:
ipa-4-1:
ipa-4-0:
Metadata Update from @pviktori: - Issue assigned to pviktori - Issue set to the milestone: FreeIPA 4.0.1