ldapsearch Size limit exceeded with paging and certificate
Most servers enforce different size limits for different users (admin vs regular user vs anonymous). When you run a plain LDAPS search, there is no LDAP authentication. The server is probably limiting the number of entries to 500 for anonymous users.
If you want to authenticate the client at LDAP level using the certificate, you should request SASL EXTERNAL authentication, with the option -Y EXTERNAL.
Christos Papoulas
Currently, I am working as Software developer at Programize LLC. I have a master degree from Computer Science Dept. Univ. of Crete at Distributed, parallel and information systems. I received my bachelor degree from Computer Science Dept. Univ. of Crete in 2012. I'm interested in Cloud Computing, Distributed Systems, Programming Languages, Linux Systems, Back-end developing using state of the art technologies.
Updated on June 04, 2022
Comments
- Christos Papoulas almost 2 years
I'm trying to execute a paginated ldapsearch to an LDAPs with a certificate:
    export LDAPTLS_CACERT=/home/test/ssl.pem
    ldapsearch -x -H ldaps://test.test.com:636 -b "dc=test,dc=com" -E pr=100/noprompt
With the above commands, after 500 results ldapsearch returns Size limit exceeded:
    search: 6
    result: 0 Success
    control: 1.2.840.113556.1.4.319 false MA0CAQAECOYFAAAAAAAA
    pagedresults: cookie=5gUAAAAAAAA=
    # extended LDIF
    #
    # LDAPv3
    # base <dc=test,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    # with pagedResults control: size=100
    #
    # search result
    search: 7
    result: 4 Size limit exceeded
    # numResponses: 506
    # numEntries: 500
But when I pass not only the certificate but also the username/password, things work perfectly:
    export LDAPTLS_CACERT=/home/test/ssl.pem
    ldapsearch -x -H ldaps://test.test.com:636 -b "dc=test,dc=com" \
        -E pr=100/noprompt -D "cn=admin,dc=test,dc=com" -w myamazingpassword
With the above commands, after 1006 results ldapsearch returns Success:
    # search result
    search: 12
    result: 0 Success
    control: 1.2.840.113556.1.4.319 false MAUCAQAEAA==
    pagedresults: cookie=
    # numResponses: 1017
    # numEntries: 1006
Why is this happening? Why am I not able to perform a paginated search on LDAP without the username/password?
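Putting the answer's suggestion next to the question's output, as an added example that is not part of the original post: the same paged search re-run with -Y EXTERNAL and a client certificate, plus a check on the LDIF output that tells a run cut off by the size limit (result: 4) from a complete one (result: 0). It assumes the CA file from the question and a hypothetical client certificate and key (/home/test/client.crt, /home/test/client.key) whose subject the server is configured to recognise as a directory identity.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes the CA
# file from the post plus a hypothetical client certificate/key pair that
# the server maps to a directory identity with a higher size limit.

# Environment used by the OpenLDAP client tools for the TLS handshake.
# Without LDAPTLS_CERT/LDAPTLS_KEY no client certificate is sent, so the
# server has nothing to authenticate and treats the bind as anonymous.
LDAPTLS_CACERT=/home/test/ssl.pem;   export LDAPTLS_CACERT
LDAPTLS_CERT=/home/test/client.crt;  export LDAPTLS_CERT
LDAPTLS_KEY=/home/test/client.key;   export LDAPTLS_KEY

# Same paged search as the question, but with SASL EXTERNAL.
# -Y EXTERNAL replaces -x: -x forces a simple bind (anonymous when no
# -D/-w is given), and the two options cannot be combined.
paged_search_external() {
    ldapsearch -Y EXTERNAL -H ldaps://test.test.com:636 \
        -b "dc=test,dc=com" -E pr=100/noprompt
}

# Classify ldapsearch LDIF output read from stdin by its final "result:"
# line: "complete" for 0 Success, "truncated" for 4 Size limit exceeded.
paged_status() {
    last=$(grep '^result:' | tail -n 1)
    case "$last" in
        "result: 0 Success"*) echo complete ;;
        "result: 4 "*)        echo truncated ;;
        *)                    echo unknown ;;
    esac
}

# Extract the "# numEntries: N" total from the same output.
num_entries() {
    sed -n 's/^# numEntries: \([0-9][0-9]*\)$/\1/p' | tail -n 1
}

# Constructed tail of the anonymous run from the question, for offline use.
SAMPLE_TRUNCATED='search: 7
result: 4 Size limit exceeded
# numResponses: 506
# numEntries: 500'

# Constructed tail of an authenticated run that drained every page.
SAMPLE_COMPLETE='search: 12
result: 0 Success
# numResponses: 1017
# numEntries: 1006'
```

Against a live server, `paged_search_external | paged_status` prints "complete" only when the identity derived from the certificate is granted a size limit high enough for the whole subtree; "truncated" means the bind is still being treated as anonymous or the mapped identity has the same low limit.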