Hello,
This patch fixes https://fedorahosted.org/freeipa/ticket/5640.
With not so much experience with the framework, it raises a question in my
head whether ipaldap.get_entries is used properly throughout the system
- does it always assume that it gets ALL the requested entries or just a
few of those as configured by the 'ipaSearchRecordsLimit' attribute of
ipaConfig.etc which it actually gets?
One spot that I know the get_entries method was definitely not used
properly before this patch is in the
baseldap.LDAPObject.get_memberindirect() method:
    result = self.backend.get_entries(
        self.api.env.basedn,
        filter=filter,
        attrs_list=['member'],
        size_limit=-1,  # paged search will get everything anyway
        paged_search=True)
which to me seems kind of important if the environment size_limit is not
set properly :) The patch does not fix the non-propagation of the
paged_search, though.
Cheers,
Standa
From f76d301b418219b61a571e12ad7404eaf91a5046 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <[email protected]>
Date: Thu, 14 Jul 2016 13:53:56 +0200
Subject: [PATCH] Make get_entries() not ignore size_limit argument
The permission_find command would in some cases ignore
the sizelimit parameter passed to it. This was caused
by the ipaldap.get_entries() method not passing one of its
parameters further down.
https://fedorahosted.org/freeipa/ticket/5640
---
ipapython/ipaldap.py | 5 +++--
ipaserver/plugins/permission.py | 2 +-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 704e71a9471c27430328a8c7c6a319aa72a9d482..74d985e8546ad2553bdac5a61da7df8acb6a0923 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1283,7 +1283,7 @@ class LDAPClient(object):
return cls.combine_filters(flts, rules)
def get_entries(self, base_dn, scope=ldap.SCOPE_SUBTREE, filter=None,
- attrs_list=None, **kwargs):
+ attrs_list=None, size_limit=None, **kwargs):
"""Return a list of matching entries.
:raises: errors.LimitsExceeded if the list is truncated by the server
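Review bot: The docstring under the new get_entries() signature should describe size_limit, because the visible ":raises:" line still says only that errors.LimitsExceeded is raised "if the list is truncated by the server". With a caller-supplied limit, truncation now also depends on the value passed in, and the default of None has no stated meaning here. Suggest one line saying that size_limit is handed to find_entries() and what None selects there.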
@@ -1298,7 +1298,8 @@ class LDAPClient(object):
for their description.
"""
entries, truncated = self.find_entries(
- base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
+ base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list,
+ size_limit=size_limit)
try:
self.handle_truncated_result(truncated)
except errors.LimitsExceeded as e:
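Review bot: The find_entries() call still does not forward **kwargs, so after this change size_limit is the only extra keyword that reaches it. The cover letter points at a caller that passes paged_search=True, and that argument is still accepted by the signature and then dropped at this call. Either forward the remaining keywords (adding **kwargs to the call) or reject unexpected ones, so that a caller who asks for a paged or limited search cannot silently get a different one.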
diff --git a/ipaserver/plugins/permission.py b/ipaserver/plugins/permission.py
index 830773ae7a09f0197da702e4ec31b0b58f1214dd..e05fc0030c62583e0bcd495c22045274cae14660 100644
--- a/ipaserver/plugins/permission.py
+++ b/ipaserver/plugins/permission.py
@@ -1308,7 +1308,7 @@ class permission_find(baseldap.LDAPSearch):
legacy_entries = ldap.get_entries(
base_dn=DN(self.obj.container_dn, self.api.env.basedn),
filter=ldap.combine_filters(filters, rules=ldap.MATCH_ALL),
- attrs_list=attrs_list)
+ attrs_list=attrs_list, size_limit=max_entries)
# Retrieve the root entry (with all legacy ACIs) at once
root_entry = ldap.get_entry(DN(api.env.basedn), ['aci'])
except errors.NotFound:
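Review bot: At "attrs_list=attrs_list, size_limit=max_entries" the value of max_entries comes from outside this hunk, so please confirm that its "no limit" value means the same thing to find_entries() as it does to permission_find; the cover letter shows another caller using size_limit=-1 for that case. The only handler visible after this try block is errors.NotFound, so it is also worth checking that a legacy search truncated by the new limit ends up reported to the user as a truncated result rather than passing unnoticed or escaping as errors.LimitsExceeded.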
--
2.7.4