6

I can't receive more than 500 entries, when I query my openldap-server.

Although I made the following changes:

slapd.conf

    # This is the main slapd configuration file. See slapd.conf(5) for more
    # info on the configuration options.

    #######################################################################
    # Global Directives:       
    .....

    # The maximum number of entries that is returned for a search operation
    sizelimit 10000

ldap.conf

    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE   dc=example,dc=com
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

    SIZELIMIT       10000
    #TIMELIMIT      15
    #DEREF          never

    # TLS certificates (needed for GnuTLS)
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

After restarting my machine and running the following command:

    ldapsearch -x -h localhost -b "dc=XXX,dc=XXX,dc=XXX"

I receive:

    # search result
    search: 2
    result: 4 Size limit exceeded

    # numResponses: 501
    # numEntries: 500

Did I miss some necessary changes?

JMAD2016

1 Answer

13

OpenLDAP search limit can be set at server side or client side.

1. Server side, in the database section of slapd.conf (old-style configuration, deprecated but still usable) or cn=config (recommended)

Globally by database:

slapd.conf

    sizelimit <numberOfMaxResult>

cn=config

    olcSizeLimit: <numberOfMaxResult>

This parameter is not mandatory, default is 500.

Per user:

slapd.conf

    limits <Who> size=<numberOfMaxResult>

cn=config

    olcLimits: <Who> size=<numberOfMaxResult>

In all cases

Who may be:

* : all

anonymous : not connected user

users : all connected users

dn.exact="cn=xxxx,ou=people... : one user

group/groupOfNames/member="cn=managers,ou=groups...: group of users

numberOfMaxResult may be:

unlimited : unlimited size, it's a very bad idea to use this configuration in production

number (like 300): number of max result records.

If both a global and a per-user size limit are set, the per-user limit is applied.

2. Client side

In the ldap.conf client configuration file:

    SIZELIMIT <numberOfMaxResult>

Request parameter

ldapsearch -z 10 ... limit result to 10

All client APIs should provide such a parameter.

If both a server-side and a client-side size limit are set, the smallest number is applied.

This is a short summary; for further information on this topic:

man slapd.conf
man slapd-config

Limits configuration in OpenLDAP Administrator's guide.
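
The cn=config form of the answer's server-side settings, as an added example that is not part of the original answer: it keeps the database-wide olcSizeLimit low and raises the limit only for one bound identity through olcLimits. The function names, the database DN `olcDatabase={1}mdb,cn=config` and the service-account DN are assumptions for illustration, as is root access to cn=config over the local ldapi socket.

```shell
# Added example (not from the original answer). List your real database DNs with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' dn

# Print an LDIF modify record.
# Args: <database DN> <database-wide limit> <who> <limit for who>
render_limits_ldif() {
    local db_dn="$1" global="$2" who="$3" per_who="$4"
    local n
    # Limits must be plain integers; "unlimited" is deliberately refused.
    for n in "$global" "$per_who"; do
        case $n in
            ''|*[!0-9]*) echo "invalid limit: $n" >&2; return 1 ;;
        esac
    done
    # Do not hand the raised limit to everyone or to unauthenticated clients.
    case $who in
        '*'|anonymous) echo "refusing to raise the limit for '$who'" >&2; return 1 ;;
    esac
    cat <<EOF
dn: $db_dn
changetype: modify
replace: olcSizeLimit
olcSizeLimit: $global
-
add: olcLimits
olcLimits: $who size=$per_who
EOF
}

# Apply the change on the server (run as root; assumes EXTERNAL auth on ldapi).
apply_limits() {
    local ldif
    ldif=$(render_limits_ldif "$@") || return 1
    printf '%s\n' "$ldif" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Example call (constructed DNs):
#   apply_limits 'olcDatabase={1}mdb,cn=config' 500 \
#       'dn.exact="cn=reporting,ou=services,dc=example,dc=com"' 10000
```

A client has to bind as that identity (`ldapsearch -D ... -W`) to get the higher limit; an anonymous `-x` search stays at the database-wide value.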