
OUD 11g - Size Limit is Incorrectly Enforced When Sub-Suffix Backend is Involved (Doc ID 2408684.1)

Last updated on APRIL 14, 2022

Applies to:

Oracle Unified Directory - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

Steps to reproduce the issue, which also illustrate the problem:

1. Create a single OUD instance and pre-load it with auto-generated data so that 250,000 user entries are created.
2. Allow for unindexed searches and set lookthrough and size limits to 500K each...

>>>> Configure the properties of the Global Configuration

        Property                            Value(s)
        ----------------------------------------------------------------------
    1)  bind-with-dn-requires-password      true
    2)  certificate-mapper                  Subject Equals DN
    3)  default-password-policy             Default Password Policy
    4)  disabled-privilege                  unindexed-search
    5)  entry-cache-preload                 false
    6)  etime-resolution                    milliseconds
    7)  generic-identity-mapper             Exact Match
    8)  gssapi-identity-mapper              Match And Replace
    9)  idle-time-limit                     0 ms
    10) import-big-entries-memory-percent   10
    11) lockdown-mode                       false
    12) lookthrough-limit                   500000
    13) max-allowed-client-connections      0
    14) max-psearches                       unlimited
    15) non-dn-simple-bind-allowed          false
    16) reject-unauthenticated-requests     false
    17) return-bind-error-messages          false
    18) save-config-on-successful-startup   true
    19) size-limit                          500000
    20) smtp-server                         If no values are defined, then the
                                            server cannot send email via SMTP.
    21) time-limit                          1 m
    22) writability-mode                    enabled

    ?)  help
    f)  finish - apply any changes to the Global Configuration
    c)  cancel
    q)  quit

Enter choice [f]:

3. Define the necessary ACI to allow anonymous access to the dc=example,dc=com suffix. The ACI should look something like this:

$ ./ldapsearch -p <LDAP_PORT> -D "cn=<DS_ADMIN>" -w <PASSWORD> -b "<SUFFIX_DN>" aci=* aci
dn: <SUFFIX_DN>
aci: (targetattr = "* || +")(targetscope = "subtree") (version 3.0; acl "alllow anonymous access"; allow (read,compare,search) userdn = "ldap:///anyone";)
$


4. Add a sub-suffix of "ou=contractors,<SUFFIX_DN>" and populate it with roughly 100K entries. Afterwards, the OUD instance looks like this:

$ ./status
>>>> Specify Oracle Unified Directory LDAP connection parameters

Administrator user bind DN [cn=<DS_ADMIN>]:

Password for user 'cn=<DS_ADMIN>':

--- Server Status ---
Server Run Status: Started
Open Connections: 2

--- Server Details ---
Host Name: <HOSTNAME>
Administrative Users: cn=<DS_ADMIN>
Installation Path: <INSTALL_PATH>
Instance Path: <INSTANCE_PATH>
Version: Oracle Unified Directory 11.1.2.3.170718
Java Version: 1.7.0_80
Administration Connector: Port <ADMIN_PORT> (LDAPS)

--- Connection Handlers ---
Address:Port         : Protocol               : State
---------------------:------------------------:---------
--                   : LDIF                   : Disabled
0.0.0.0:<SNMP_PORT>  : SNMP                   : Disabled
0.0.0.0:<JMX_PORT>   : JMX                    : Disabled
0.0.0.0:<LDAP_PORT>  : LDAP (allows StartTLS) : Enabled
0.0.0.0:<LDAPS_PORT> : LDAPS                  : Enabled

--- Data Sources ---
Base DN: cn=virtual acis
Backend ID: virtualAcis
Entries: 0
Replication: Disabled

Base DN: <SUFFIX_DN>
Backend ID: userRoot
Entries: 250002
Replication: Disabled

Base DN: ou=contractors,<SUFFIX_DN>
Backend ID: contractorDB
Entries: 99988
Replication: Disabled

$

5. With a size limit of 500K, the search gives the following result:

$ ./ldapsearch -p <LDAP_PORT> -b "<SUFFIX_DN>" objectclass=* dn | grep "^dn:" | wc -l
SEARCH operation failed
Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of 249998 entries to the client
250002
$

6. If the size limit is changed to 0, the search returns the expected result:

$ ./ldapsearch -p <LDAP_PORT> -b "<SUFFIX_DN>" objectclass=* dn | grep "^dn:" | wc -l
349990
$

Since the total number of entries (349990) across the suffix "<SUFFIX_DN>" and the sub-suffix "ou=contractors,<SUFFIX_DN>" is less than the size limit of 500K, the expectation is that the search returns all 349990 entries and does not yield an LDAP error 4 (Size Limit Exceeded).
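
One way to flag this symptom from captured ldapsearch output, as an added example that is not part of the Oracle note: the function compares the number of "dn:" lines received with the configured size limit whenever result code 4 appears. The names check_size_limit and sample_transcript are hypothetical, and the transcript is a constructed, scaled-down copy of the step 5 output.

```shell
#!/bin/sh
# Added example: flag a "Size Limit Exceeded" result that arrives before the
# configured size-limit is reached. check_size_limit and sample_transcript are
# hypothetical names, not OUD tooling.

# Usage: ldapsearch ... 2>&1 | check_size_limit <configured size-limit>
check_size_limit() {
    limit=$1
    out=$(cat)
    # Entries the client actually received.
    received=$(printf '%s\n' "$out" | grep -c '^dn:' || true)
    # No result code 4: the search completed normally.
    if ! printf '%s\n' "$out" | grep -q '^Result Code: *4 '; then
        echo "COMPLETE received=$received limit=$limit"
        return 0
    fi
    # Maximum the server says it enforced, taken from the diagnostic message.
    reported=$(printf '%s\n' "$out" |
        sed -n 's/.*sent the maximum of \([0-9][0-9]*\) entries.*/\1/p' | head -n 1)
    if [ "$received" -lt "$limit" ]; then
        echo "PREMATURE received=$received reported=${reported:-unknown} limit=$limit"
        return 1
    fi
    echo "ENFORCED received=$received reported=${reported:-unknown} limit=$limit"
    return 0
}

# Constructed, scaled-down transcript in the shape of step 5 (not real output).
sample_transcript() {
    cat <<'EOF'
SEARCH operation failed
Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of 4 entries to the client
dn: dc=example,dc=com
dn: uid=user.0,dc=example,dc=com
dn: uid=user.1,dc=example,dc=com
dn: uid=user.2,dc=example,dc=com
dn: uid=user.3,dc=example,dc=com
dn: uid=user.4,dc=example,dc=com
EOF
}

sample_transcript | check_size_limit 10 || true
```

The step 5 command pipes only stdout into grep, so redirect stderr as well (2>&1) when capturing output for this check.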

Changes

 

Cause
