I'm doing a ldap search by an unindexed key like email as follows:

$dn = 'ou=users,ou=y,o=x';
$filters = '([email protected])';
$just = array ('id');
$sr = ldap_list ($ds_id, $dn, $filters, $just);

and the result is ok if the entry is in the < SERVER_RETURN_LIMIT (=1000 in my case) and is empty if the entry is over the 1k limit. If I do my search by an index parameter like the user's id, the result is always as expected.

What I would like to know is if there is any way I can get the expected result when I do a search by an unindexed key, no matter how many entries I have and no matter in which position the entry I want to retrieve sits.

I also always get this warning whenever I do a search, no matter the type of key:

Warning: ldap_list() [function.ldap-list]: Partial search results returned: Adminlimit exceeded in...

The warning is displayed if the search is successful also, and the result is always 1 entry. I'm not looking to return more than 1 entry / search.

Hope you folks can shed some light on this. TA!

2 Answers

The 'administrative limit exceeded' means the LDAP client has exceeded some limit set by server administrators - in many LDAP servers this limit is known as the lookthrough limit. Size limit exceeded means the search parameters matched either 1) a number of entries greater than the client-requested size limit or 2) a number of entries greater than the server-imposed size limit. Admin limit exceeded and size limit exceeded are different concepts entirely.

LDAP clients should never, ever set size limit to zero - this effectively tells the server to return all entries to the client that match the search parameters. Not only could this overwhelm the server and adversely impact other clients, but the client may not be able to handle the number of entries returned. Clients should always provide a non-zero (positive) size limit and time limit to searches. For more information, see "LDAP: Programming Practices". Properly configured servers will restrict the number of entries returned to the client anyway, and the client-requested size limit (and time limit) cannot override the server-imposed limits, so setting the size limit (or time limit) to zero may not give the result you want anyway. Modern, professional-quality directory servers can even restrict the number of entries returned on time spent on a search by the root DN.

LDAP clients must never execute unindexed searches without making arrangements with the server administrators because unindexed searches can adversely impact server performance and cause poor performance to otherwise unsuspecting LDAP clients. Properly configured servers will disallow unindexed searches to some or all clients, though admins may approve unindexed searches in special cases where a reasonable business case justification can be provided.

1 Comment

Can't get more specific than that. For my case it was never a problem of size limit being exceeded. I also didn't know about the lookthrough limit or that it is a bad practice or even not possible to execute unindexed searches. Have some things to revise now. Thanks for such a clear & well put answer!
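The points in the answer above (always pass a positive size limit and time limit, and treat "partial results" as a distinct outcome rather than as "nothing matched") can be put into a small PHP helper. This is an added example, not code from the question or from either answer; it assumes `$ds` is an already bound LDAP connection and that the attribute names `mail` and `uid` and the base DN are placeholders for the real schema.

```php
<?php
// Added example: a bounded lookup of one user by e-mail address that
// - escapes the caller-supplied value so it cannot change the filter structure,
// - sets an explicit, positive sizelimit and timelimit (the server may still
//   impose lower limits; the client cannot raise them),
// - distinguishes "not found" from "result set was cut by a limit".
// Assumed: $ds is a bound LDAP connection; base DN and attribute names are placeholders.

// Result codes from RFC 4511; PHP reports them through ldap_errno().
const CODE_SIZELIMIT_EXCEEDED  = 4;
const CODE_ADMINLIMIT_EXCEEDED = 11;

function findUserByMail($ds, string $baseDn, string $mail): array
{
    // Escape filter metacharacters in the user-supplied value.
    $filter = '(mail=' . ldap_escape($mail, '', LDAP_ESCAPE_FILTER) . ')';

    // At most 2 entries (enough to notice a duplicate), at most 5 seconds.
    // The '@' suppresses the "Partial search results returned" warning; the
    // condition is checked explicitly below instead.
    $sr = @ldap_list($ds, $baseDn, $filter, ['uid'], 0, 2, 5);

    $errno   = ldap_errno($ds);
    $partial = in_array($errno, [CODE_SIZELIMIT_EXCEEDED, CODE_ADMINLIMIT_EXCEEDED], true);

    if ($sr === false && !$partial) {
        throw new RuntimeException('LDAP search failed: ' . ldap_error($ds));
    }

    $entries = ($sr !== false) ? ldap_get_entries($ds, $sr) : ['count' => 0];
    $found   = $entries['count'] > 0;

    return [
        'found'   => $found,
        'uid'     => $found ? ($entries[0]['uid'][0] ?? null) : null,
        'partial' => $partial, // true: a size or admin limit cut the result set
        'errno'   => $errno,
    ];
}

// Usage (assumes $ds is bound):
// $r = findUserByMail($ds, 'ou=users,ou=y,o=x', 'someone@example.com');
// if (!$r['found'] && $r['partial']) { /* inconclusive, not "no such user" */ }
```

The `partial` flag is the part worth keeping: when an unindexed search is stopped by the lookthrough (admin) limit, the empty result the question describes is inconclusive, and code that treats it as "the user does not exist" (for example in an authorization or deduplication check) makes a decision on incomplete data. Surfacing the flag lets the caller fail closed or fall back to an indexed lookup.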
Some suggestions:

  • Add a parameter (sizelimit) to tell LDAP not to limit the number of outputs.

    // ldap_list's fifth argument is attrsonly; sizelimit is the sixth (0 = no client-side limit).
    $sr = ldap_list ($ds_id, $dn, $filters, $just, 0, 0);

  • Use a search condition including dc fields. I mean:

    $dn = 'ou=users,ou=y,o=x,dc=company,dc=es';

1 Comment

The sizelimit parameter doesn't make a difference, mainly because I'm nowhere near the number of outputs (the limit is i.e. 1000 and I'm only looking to return 1 entry). The other suggestion I don't fully understand; my structure is: o=x { ou=y { ou=users; ou=objects; ...} } Thanks for your reply.
