OUD 11g - Size Limit is Incorrectly Enforced When Sub-Suffix Backend is Involved
(Doc ID 2408684.1)
Last updated on APRIL 14, 2022
Applies to:
Oracle Unified Directory - Version 11.1.2.3.0 and later
Information in this document applies to any platform.
Symptoms
The following steps reproduce the issue and illustrate the problem:
1. Create a single OUD instance and pre-load it with auto-generated data so that 250,000 user entries are created.
2. Allow for unindexed searches and set lookthrough and size limits to 500K each...
>>>> Configure the properties of the Global Configuration
Property Value(s)
----------------------------------------------------------------------
1) bind-with-dn-requires-password true
2) certificate-mapper Subject Equals DN
3) default-password-policy Default Password Policy
4) disabled-privilege unindexed-search
5) entry-cache-preload false
6) etime-resolution milliseconds
7) generic-identity-mapper Exact Match
8) gssapi-identity-mapper Match And Replace
9) idle-time-limit 0 ms
10) import-big-entries-memory-percent 10
11) lockdown-mode false
12) lookthrough-limit 500000
13) max-allowed-client-connections 0
14) max-psearches unlimited
15) non-dn-simple-bind-allowed false
16) reject-unauthenticated-requests false
17) return-bind-error-messages false
18) save-config-on-successful-startup true
19) size-limit 500000
20) smtp-server If no values are defined, then the
server cannot send email via SMTP.
21) time-limit 1 m
22) writability-mode enabled
?) help
f) finish - apply any changes to the Global Configuration
c) cancel
q) quit
Enter choice [f]:
3. Define the necessary ACI to allow for anonymous access to the dc=example,dc=com suffix. The ACI should look something like so...
dn: <SUFFIX_DN>
aci: (targetattr = "* || +")(targetscope = "subtree") (version 3.0; acl "alllow anonymous access"; allow (read,compare,search) userdn = "ldap:///anyone";)
$
4. Add sub-suffix of "ou=contractors,<SUFFIX_DN>" and populate it with roughly 100K entries, after which, the OUD instance looks like so...
$ ./status
>>>> Specify Oracle Unified Directory LDAP connection parameters
Administrator user bind DN [cn=<DS_ADMIN>]:
Password for user 'cn=<DS_ADMIN>':
--- Server Status ---
Server Run Status: Started
Open Connections: 2
--- Server Details ---
Host Name: <HOSTNAME>
Administrative Users: cn=<DS_ADMIN>
Installation Path: <INSTALL_PATH>
Instance Path: <INSTANCE_PATH>
Version: Oracle Unified Directory 11.1.2.3.170718
Java Version: 1.7.0_80
Administration Connector: Port <ADMIN_PORT> (LDAPS)
--- Connection Handlers ---
Address:Port : Protocol : State
-------------:------------------------:---------
-- : LDIF : Disabled
0.0.0.0:<SNMP_PORT> : SNMP : Disabled
0.0.0.0:<JMX_PORT> : JMX : Disabled
0.0.0.0:<LDAP_PORT> : LDAP (allows StartTLS) : Enabled
0.0.0.0:<LDAPS_PORT> : LDAPS : Enabled
--- Data Sources ---
Base DN: cn=virtual acis
Backend ID: virtualAcis
Entries: 0
Replication: Disabled
Base DN: <SUFFIX_DN>
Backend ID: userRoot
Entries: 250002
Replication: Disabled
Base DN: ou=contractors,<SUFFIX_DN>
Backend ID: contractorDB
Entries: 99988
Replication: Disabled
$
5. A size limit of 500K leads to the following search result...
SEARCH operation failed
Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of 249998 entries to the client
250002
$
6. If the size limit is changed to 0, then the expected search result is arrived at...
349990
$
Since the total number of entries (349990) across the suffix "<SUFFIX_DN>" and the sub-suffix "ou=contractors,<SUFFIX_DN>" is less than the size limit of 500K, the expectation is that the search returns all 349990 entries and does not yield an LDAP error 4 (Size Limit Exceeded).
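The check described above can be automated. The following is an added example, not Oracle code: it parses the Data Sources section of the status output and the failed search message, then flags a result code 4 that was returned even though fewer entries than the configured size limit were sent. The function names are hypothetical, the sample text is constructed from the output shown in the steps, and dc=example,dc=com stands in for <SUFFIX_DN>.

```python
import re

# Constructed sample input, abridged from the status and search output on this page;
# dc=example,dc=com stands in for <SUFFIX_DN>.
STATUS = """\
--- Data Sources ---
Base DN: cn=virtual acis
Backend ID: virtualAcis
Entries: 0
Base DN: dc=example,dc=com
Backend ID: userRoot
Entries: 250002
Base DN: ou=contractors,dc=example,dc=com
Backend ID: contractorDB
Entries: 99988
"""
SEARCH = """\
SEARCH operation failed
Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of 249998 entries to the client
"""

def parse_data_sources(status_text):
    """Map each Base DN in the status output to its Entries count."""
    sources, base = {}, None
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Base DN":
            base = value.strip()
        elif key.strip() == "Entries" and base is not None:
            sources[base] = int(value)
            base = None
    return sources

def norm(dn):
    # Simplified DN normalization: assumes no escaped commas in RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def entries_in_scope(sources, search_base):
    """Sum entries of every backend at or below search_base (suffix plus sub-suffixes)."""
    base = norm(search_base)
    return sum(n for dn, n in sources.items()
               if norm(dn) == base or norm(dn).endswith("," + base))

def check_size_limit(search_output, size_limit, in_scope):
    """Flag result code 4 returned although fewer entries than size_limit were sent."""
    exceeded = re.search(r"Result Code:\s*4\b", search_output) is not None
    m = re.search(r"sent the maximum of (\d+) entries", search_output)
    sent = int(m.group(1)) if m else None
    premature = (exceeded and sent is not None
                 and sent < size_limit and in_scope <= size_limit)
    return {"sent": sent, "in_scope": in_scope, "premature": premature}
```

Before treating a flagged result as this issue, confirm that the client did not request a smaller size limit and that no lower per-user limit applies to the bind identity, since either would also end the search early.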
Changes
Cause