
OUD 11g - Size Limit is Incorrectly Enforced When Sub-Suffix Backend is Involved (Doc ID 2408684.1)

Last updated on FEBRUARY 03, 2019

Applies to:

Oracle Unified Directory - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

The following steps reproduce the issue and illustrate the problem:

1. Create a single OUD instance and pre-load it with auto-generated data so that 250,000 user entries are created.
2. Allow for unindexed searches and set lookthrough and size limits to 500K each...

>>>> Configure the properties of the Global Configuration

     Property                           Value(s)
     ----------------------------------------------------------------------
 1)  bind-with-dn-requires-password     true
 2)  certificate-mapper                 Subject Equals DN
 3)  default-password-policy            Default Password Policy
 4)  disabled-privilege                 unindexed-search
 5)  entry-cache-preload                false
 6)  etime-resolution                   milliseconds
 7)  generic-identity-mapper            Exact Match
 8)  gssapi-identity-mapper             Match And Replace
 9)  idle-time-limit                    0 ms
10)  import-big-entries-memory-percent  10
11)  lockdown-mode                      false
12)  lookthrough-limit                  500000
13)  max-allowed-client-connections     0
14)  max-psearches                      unlimited
15)  non-dn-simple-bind-allowed         false
16)  reject-unauthenticated-requests    false
17)  return-bind-error-messages         false
18)  save-config-on-successful-startup  true
19)  size-limit                         500000
20)  smtp-server                        If no values are defined, then the
                                        server cannot send email via SMTP.
21)  time-limit                         1 m
22)  writability-mode                   enabled

?) help
f) finish - apply any changes to the Global Configuration
c) cancel
q) quit

Enter choice [f]:

3. Define the necessary ACI to allow for anonymous access to the dc=example,dc=com suffix.  The ACI should look something like so...

[oracle@brighton bin]$ ./ldapsearch -p 3389 -D "cn=directory manager" -w dirmanager -b "dc=example,dc=com" aci=* aci
dn: dc=example,dc=com
aci: (targetattr = "* || +")(targetscope = "subtree") (version 3.0; acl "alllow anonymous access"; allow (read,compare,search) userdn = "ldap:///anyone";)
[oracle@brighton bin]$


4. Add a sub-suffix of "ou=contractors,dc=example,dc=com" and populate it with roughly 100K entries, after which the OUD instance looks like so...

[oracle@brighton bin]$ ./status
>>>> Specify Oracle Unified Directory LDAP connection parameters

Administrator user bind DN [cn=Directory Manager]:

Password for user 'cn=Directory Manager':

--- Server Status ---
Server Run Status: Started
Open Connections: 2

--- Server Details ---
Host Name: brighton
Administrative Users: cn=Directory Manager
Installation Path: /home/oracle/ora7/mw/oud
Instance Path: /home/oracle/ora7/mw/asinst_3/OUD
Version: Oracle Unified Directory 11.1.2.3.170718
Java Version: 1.7.0_80
Administration Connector: Port 3444 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol               : State
-------------:------------------------:---------
--           : LDIF                   : Disabled
0.0.0.0:161  : SNMP                   : Disabled
0.0.0.0:1689 : JMX                    : Disabled
0.0.0.0:3389 : LDAP (allows StartTLS) : Enabled
0.0.0.0:3636 : LDAPS                  : Enabled

--- Data Sources ---
Base DN: cn=virtual acis
Backend ID: virtualAcis
Entries: 0
Replication: Disabled

Base DN: dc=example,dc=com
Backend ID: userRoot
Entries: 250002
Replication: Disabled

Base DN: ou=contractors,dc=example,dc=com
Backend ID: contractorDB
Entries: 99988
Replication: Disabled

[oracle@brighton bin]$

5. A size limit of 500K leads to the following search result...

[oracle@brighton bin]$ ./ldapsearch -p 3389 -b "dc=example,dc=com" objectclass=* dn | grep "^dn:" | wc -l
SEARCH operation failed
Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of 249998 entries to the client
250002
[oracle@brighton bin]$

6. If the size limit is changed to 0, the search returns the expected result...

[oracle@brighton bin]$ ./ldapsearch -p 3389 -b "dc=example,dc=com" objectclass=* dn | grep "^dn:" | wc -l
349990
[oracle@brighton bin]$

Since the total number of entries (349990) across the suffix "dc=example,dc=com" and the sub-suffix "ou=contractors,dc=example,dc=com" is less than the size limit of 500K, the expectation is that the search returns all 349990 entries and does not yield an LDAP error 4 (Size Limit Exceeded).
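A check for the symptom described above, added here as an example and not taken from Oracle: it sums the entry counts that ./status reports for the search base and any sub-suffix backends, then flags a result code 4 returned while that total still fits under the configured size-limit. The function names and the sample text are constructed for illustration; the counts are the ones shown in the steps.

```shell
#!/bin/sh
# Added example. Sample text is constructed from the output shown in the steps above.
STATUS_SAMPLE='Base DN: cn=virtual acis
Entries: 0

Base DN: dc=example,dc=com
Entries: 250002

Base DN: ou=contractors,dc=example,dc=com
Entries: 99988'

SEARCH_ERR_SAMPLE='SEARCH operation failed
Result Code: 4 (Size Limit Exceeded)'

# entries_under_base BASE_DN   (reads ./status text on stdin)
# Sums "Entries:" for every backend whose Base DN equals BASE_DN or ends in ",BASE_DN".
# Assumption: DNs compare case-insensitively and have no spaces after commas.
entries_under_base() {
  awk -v base="$1" '
    BEGIN { base = tolower(base) }
    /^Base DN:/ {
      dn = tolower($0); sub(/^base dn:[ \t]*/, "", dn)
      n = length(dn) - length(base)
      hit = (dn == base) || (n > 0 && substr(dn, n) == ("," base))
    }
    /^Entries:/ && hit { total += $2 }
    END { print total + 0 }'
}

# classify_search SIZE_LIMIT ENTRIES_IN_SCOPE DNS_RETURNED LDAPSEARCH_STDERR
classify_search() {
  if ! printf '%s\n' "$4" | grep -q '^Result Code: 4 '; then
    if [ "$3" -eq "$2" ]; then echo ok; else echo incomplete; fi
  elif [ "$1" -ne 0 ] && [ "$2" -gt "$1" ]; then
    echo limit-hit   # the scope really is larger than the limit
  else
    echo premature   # code 4 although everything in scope fits under the limit
  fi
}

# Step 5 of the reproduction: size-limit 500000, 250002 DNs counted, error 4 on stderr.
in_scope=$(printf '%s\n' "$STATUS_SAMPLE" | entries_under_base "dc=example,dc=com")
echo "in scope: $in_scope, step 5: $(classify_search 500000 "$in_scope" 250002 "$SEARCH_ERR_SAMPLE")"
```

Against a live instance, feed the function the real ./status output and capture the stderr of ldapsearch separately from the piped DN count, as the error text in step 5 is not part of the piped output.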

Cause
