Christos Papoulas

Reputation: 2578

ldapsearch Size limit exceeded with paging and certificate

I'm trying to execute a paginated ldapsearch against an LDAPS server with a certificate:

export LDAPTLS_CACERT=/home/test/ssl.pem
ldapsearch -x -H ldaps://test.test.com:636 -b "dc=test,dc=com" -E pr=100/noprompt

After 500 results, the above command makes ldapsearch return Size limit exceeded:

search: 6
result: 0 Success
control: 1.2.840.113556.1.4.319 false MA0CAQAECOYFAAAAAAAA
pagedresults: cookie=5gUAAAAAAAA=
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with pagedResults control: size=100
#

# search result
search: 7
result: 4 Size limit exceeded

# numResponses: 506
# numEntries: 500

But when I pass not only the certificate but also the username/password, things work perfectly:

export LDAPTLS_CACERT=/home/test/ssl.pem
ldapsearch -x -H ldaps://test.test.com:636 -b "dc=test,dc=com" \
    -E pr=100/noprompt -D "cn=admin,dc=test,dc=com" -w myamazingpassword

After 1006 results, the above command makes ldapsearch return Success:

# search result
search: 12
result: 0 Success
control: 1.2.840.113556.1.4.319 false MAUCAQAEAA==
pagedresults: cookie=

# numResponses: 1017
# numEntries: 1006

Why is this happening? Why am I not able to perform a paginated search on LDAP without the username/password?

Upvotes: 2

Views: 12542

Answers (1)

Ludovic Poitou

Reputation: 4878

Most servers enforce different size limits for different users (admin vs regular user vs anonymous). When you run a plain LDAPS search, there is no LDAP authentication. The server is probably limiting the number of entries to 500 for anonymous users.

If you want to authenticate the client at LDAP level using the certificate, you should request SASL EXTERNAL authentication, with the option -Y EXTERNAL.

Upvotes: 1
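The following is an added example, not code from the question or the answer. It shows the distinction the answer draws: LDAPTLS_CACERT only lets libldap verify the server, so the search in the question still runs as an anonymous simple bind (-x) and gets the anonymous size limit; presenting a client certificate (LDAPTLS_CERT / LDAPTLS_KEY, as documented in ldap.conf(5)) and binding with -Y EXTERNAL makes the certificate the LDAP identity, so the limits configured for that identity apply instead. It also parses ldapsearch's LDIF for the final result code, since a paged search that ends with result 4 (sizeLimitExceeded) silently delivers only part of the directory. The host, base DN, certificate paths and the sample LDIF strings are assumptions or constructed; OpenLDAP specifics (the server has to recognise the certificate subject, or map it with an authz-regexp rule, for -Y EXTERNAL to yield a non-anonymous identity) are noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Bind to LDAPS with a client certificate via SASL EXTERNAL instead of an
# anonymous simple bind, and check ldapsearch's LDIF so a search cut off by a
# per-identity size limit is not mistaken for a complete one.
# Host, base DN and certificate paths are assumed placeholders.

LDAP_URI="${LDAP_URI:-ldaps://test.test.com:636}"
BASE_DN="${BASE_DN:-dc=test,dc=com}"
PAGE_SIZE="${PAGE_SIZE:-100}"

# LDAPTLS_CACERT only verifies the server; it proves nothing about the client,
# so with -x and no -D/-w the bind stays anonymous. LDAPTLS_CERT/LDAPTLS_KEY
# (ldap.conf(5)) present a client certificate in the TLS handshake, which
# -Y EXTERNAL then offers to the server as the LDAP identity.
export LDAPTLS_CACERT="${LDAPTLS_CACERT:-/home/test/ssl.pem}"
export LDAPTLS_CERT="${LDAPTLS_CERT:-/home/test/client.crt}"   # assumed path
export LDAPTLS_KEY="${LDAPTLS_KEY:-/home/test/client.key}"     # assumed path

# Ask the server which DN it mapped the certificate to. If it reports
# "anonymous", the server did not accept the certificate as an identity (in
# OpenLDAP, typically a missing olcAuthzRegexp / authz-regexp mapping for the
# certificate subject) and the anonymous size limit still applies.
ldap_whoami_external() {
    ldapwhoami -H "$LDAP_URI" -Y EXTERNAL
}

# Paged search bound via SASL EXTERNAL. Do not combine -Y with -x (simple bind).
ldap_paged_search_external() {
    ldapsearch -H "$LDAP_URI" -Y EXTERNAL -b "$BASE_DN" \
        -E "pr=$PAGE_SIZE/noprompt" "$@"
}

# Read ldapsearch LDIF on stdin and print the final "result:" code.
# ldapsearch prints one "result:" line per page, so the last one decides:
# 0 = complete, 4 = sizeLimitExceeded (the server stopped returning entries).
ldap_final_result_code() {
    awk '/^result: / { code = $2 } END { print code }'
}

# Print the entry count from ldapsearch's trailer line "# numEntries: N".
ldap_num_entries() {
    awk '/^# numEntries: / { n = $3 } END { print n + 0 }'
}

# Run the paged search, pass its output through, and fail when truncated.
ldap_paged_search_checked() {
    out=$(ldap_paged_search_external "$@") || return 1
    code=$(printf '%s\n' "$out" | ldap_final_result_code)
    printf '%s\n' "$out"
    if [ "$code" != "0" ]; then
        echo "search truncated: final result code $code" >&2
        return 1
    fi
}

# Constructed samples (not captured from a live server), shaped like the two
# outputs in the question: a search stopped by the size limit, and a full one.
SAMPLE_TRUNCATED='search: 6
result: 0 Success
control: 1.2.840.113556.1.4.319 false MA0CAQAECOYFAAAAAAAA
pagedresults: cookie=5gUAAAAAAAA=

# search result
search: 7
result: 4 Size limit exceeded

# numResponses: 506
# numEntries: 500
'

SAMPLE_COMPLETE='# search result
search: 12
result: 0 Success
control: 1.2.840.113556.1.4.319 false MAUCAQAEAA==
pagedresults: cookie=

# numResponses: 1017
# numEntries: 1006
'

# Offline demonstration on the constructed samples (no server needed).
printf '%s' "$SAMPLE_TRUNCATED" | ldap_final_result_code   # prints 4
printf '%s' "$SAMPLE_COMPLETE"  | ldap_final_result_code   # prints 0
```

Against a real server, `ldap_whoami_external` is the first thing to run: if it still answers "anonymous", the certificate was presented but not mapped to an identity, and raising the page size or changing the paging control will not help, because the limit is tied to who the server thinks you are, not to how the results are paged.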
