openldap sizelimit. Can't receive more than 500 entries

Question

I can't receive more than 500 entries, when I query my openldap-server.

Although I made the following changes:

slapd.conf

    # This is the main slapd configuration file. See slapd.conf(5) for more
    # info on the configuration options.

    #######################################################################
    # Global Directives:       
    .....

     # The maximum number of entries that is returned for a search operation
    sizelimit 10000

ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

SIZELIMIT       10000
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

After restartin my machine, and query the following command:

ldapsearch -x -h localhost -b "dc=XXX,dc=XXX,dc=XXX"

I receive:

# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 501
# numEntries: 500

Did I miss some necessary changes?

Can you run a `ldapsearch -x -h localhost -z 0 -b "dc=example,dc=org"`? If you receive a size limit you know it is enforced by the server. — 473183469, Feb 09 '17 at 13:06
Tried this bevore. I reveice a sizelimit. So how can I fix this ?:( — JMAD2016, Feb 09 '17 at 13:14
So it has to do with server settings. Please control you don't have another `sizelimit` directive in database section of `slapd.conf`. — 473183469, Feb 09 '17 at 13:54
So, how did you solve it in the end? I'm trying it in slapd.conf with sizelimit . It doesn't work. — Sergei Sirik, Nov 16 '21 at 20:50

Abdelhamid MEDDEB · Accepted Answer · 2017-02-11T09:09:01.810

OpenLDAP search limit can be set at server side or client side.

1. Server side in database section of slapd.conf (old style configuration deprecated but steel usable) or cn=config (recommended)

Globally by database:

slapd.conf

sizelimit <numberOfMaxResult>

cn=config

olcSizeLimit: <numberOfMaxResult>

This parameter is not mandatory, default is 500.

Per user:

slapd.conf

limits <Who> size=<numberOfMaxResult>

cn=config

olcLimits: <Who> size=<numberOfMaxResult>

In all cases

Who may be :

* : all

anonymous : not connected user

users : all connected users

dn.exact="cn=xxxx,ou=people... : one user

group/groupOfNames/member="cn=managers,ou=groups...: group of users

numberOfMaxResult may be:

unlimited : unlimited size, it's a very bad idea to use this configuration in production

number (like 300): number of max result records.

If both globally and per user limit size are done, per user limit is applied.

2. Client side

in ldap.conf client configuration file:

SIZELIMIT <numberOfMaxResult>

Request parameter

ldapsearch -z 10 ... limit result to 10

All client API should provide such parameter.

If both server side and client side limit size are done, The smallest number is applied.

This is a short summary, for further informations in this topic:

man slapd.conf
man slapd-config

Limits configuration in OpenLDAP Administrator's guide.

but this guy "cn=config" is a directory, so how to add there this param? — Sergei Sirik, Nov 17 '21 at 00:10

openldap sizelimit. Can't receive more than 500 entries

1 Answers1