openldap sizelimit. Can't receive more than 500 entries

I can't receive more than 500 entries when I query my OpenLDAP server.

Although I made the following changes:

slapd.conf

    # This is the main slapd configuration file. See slapd.conf(5) for more
    # info on the configuration options.

    #######################################################################
    # Global Directives:       
    .....

    # The maximum number of entries that is returned for a search operation
    sizelimit 10000

ldap.conf

    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE   dc=example,dc=com
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

    SIZELIMIT       10000
    #TIMELIMIT      15
    #DEREF          never

    # TLS certificates (needed for GnuTLS)
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

After restarting my machine and running the following command:

    ldapsearch -x -h localhost -b "dc=XXX,dc=XXX,dc=XXX"

I receive:

    # search result
    search: 2
    result: 4 Size limit exceeded

    # numResponses: 501
    # numEntries: 500

Did I miss some necessary changes?


Solution 1:

The OpenLDAP search limit can be set on the server side or on the client side.

1. Server side, in the database section of slapd.conf (old-style configuration, deprecated but still usable) or cn=config (recommended)

Globally by database:

slapd.conf

    sizelimit <numberOfMaxResult>

cn=config

    olcSizeLimit: <numberOfMaxResult>

This parameter is not mandatory; the default is 500.

Per user:

slapd.conf

    limits <Who> size=<numberOfMaxResult>

cn=config

    olcLimits: <Who> size=<numberOfMaxResult>

In all cases, `Who` may be:

- `*` : all
- `anonymous` : a user who is not connected
- `users` : all connected users
- `dn.exact="cn=xxxx,ou=people..."` : one user
- `group/groupOfNames/member="cn=managers,ou=groups..."` : a group of users

`numberOfMaxResult` may be:

- `unlimited` : unlimited size; it is a very bad idea to use this configuration in production
- a number (like 300) : the maximum number of result records

If both a global and a per-user size limit are set, the per-user limit is applied.

2. Client side

In the ldap.conf client configuration file:

    SIZELIMIT <numberOfMaxResult>

Request parameter:

    ldapsearch -z 10 ...

limits the result to 10.

All client APIs should provide such a parameter.

If both a server-side and a client-side size limit are set, the smallest number is applied.

This is a short summary; for further information on this topic, see:

    man slapd.conf
    man slapd-config

and the Limits section of the OpenLDAP Administrator's Guide.
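As an added example (not part of the question or the answer above), a small Python helper that applies these rules to cn=config LDIF: it reads olcSizeLimit and olcLimits, prefers a matching per-user clause over the global value, takes the smaller of server and client limit, and lists any `size=unlimited` clause so it can be reviewed. The sample LDIF is constructed, and the first-match rule for `{n}`-ordered clauses and the skipping of `group/` selectors are my assumptions.

```python
import re

# Constructed sample (not real server output) of what `ldapsearch -b cn=config` might return.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
olcSizeLimit: 10000

dn: olcDatabase={1}mdb,cn=config
olcLimits: {0}dn.exact="cn=admin,dc=example,dc=com" size=unlimited
olcLimits: {1}users size=2000
olcLimits: {2}anonymous size=100
"""

DEFAULT_SIZELIMIT = 500  # what slapd applies when no sizelimit is configured
WHO_RE = re.compile(r'olcLimits:\s*(?:\{\d+\})?'  # optional {n} ordering prefix
                    r'(\*|anonymous|users|dn\.exact="[^"]*"|group/\S+="[^"]*")\s+(.*)')

def parse_size(text):
    """'unlimited' becomes None; anything else must be a plain number."""
    return None if text == "unlimited" else int(text)

def parse_limits(ldif):
    """Return (global size limit, [(who, size), ...]) from cn=config LDIF."""
    global_limit, per_who = DEFAULT_SIZELIMIT, []
    for line in ldif.splitlines():
        if m := re.match(r"olcSizeLimit:\s*(\d+|unlimited)\s*$", line):
            global_limit = parse_size(m.group(1))
        elif (m := WHO_RE.match(line)) and (s := re.search(r"\bsize=(\d+|unlimited)", m.group(2))):
            per_who.append((m.group(1), parse_size(s.group(1))))
    return global_limit, per_who

def server_limit(global_limit, per_who, bind_dn):
    """A matching per-user clause overrides the global limit. Assumed: the first match
    in {n} order wins; group/... selectors need a directory lookup and are skipped."""
    for who, size in per_who:
        if (who == "*"
                or who == ("users" if bind_dn else "anonymous")  # bound vs. anonymous bind
                or (who.startswith('dn.exact="') and bool(bind_dn)
                    and who[10:-1].lower() == bind_dn.lower())):
            return size
    return global_limit

def audit(ldif, bind_dn, client_limit):
    """Effective limit is the smaller of server and client limit (None = unlimited)."""
    global_limit, per_who = parse_limits(ldif)
    server = server_limit(global_limit, per_who, bind_dn)
    bounded = [x for x in (server, client_limit) if x is not None]
    return {"server": server, "effective": min(bounded) if bounded else None,
            "unlimited_for": [who for who, size in per_who if size is None]}
```

Run `audit(SAMPLE_CONFIG_LDIF, None, 10000)` to see that an anonymous search is capped at 100 by the server even though the client asked for 10000.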