Reputation: 117
I'm doing an LDAP search by an unindexed key like email, as follows:
$dn = 'ou=users,ou=y,o=x';
$filters = '([email protected])';
$just = array ('id');
$sr = ldap_list ($ds_id, $dn, $filters, $just);
and the result is OK if the entry is in the < SERVER_RETURN_LIMIT (=1000 in my case) and is empty if the entry is over the 1k limit. If I do my search by an indexed parameter like the user's id, the result is always as expected.
What I would like to know is whether there is any way I can get the expected result when I do a search by an unindexed key, no matter how many entries I have and no matter at which position the entry I want to retrieve sits.
I also always get this warning whenever I do a search, no matter the type of key:
Warning: ldap_list() [function.ldap-list]: Partial search results returned: Adminlimit exceeded in...
The warning is displayed if the search is successful also, and the result is always 1 entry. I'm not looking to return more than 1 entry / search.
Hope you folks can shed some light on this. TA!
Upvotes: 0
Views: 2255
Reputation: 11132
The 'administrative limit exceeded' means the LDAP client has exceeded some limit set by server administrators - in many LDAP servers this limit is known as the lookthrough limit. Size limit exceeded means the search parameters matched either 1) a number of entries greater than the client-requested size limit or 2) a number of entries greater than the server-imposed size limit. Admin limit exceeded and size limit exceeded are different concepts entirely.
LDAP clients should never, ever set size limit to zero - this effectively tells the server to return all entries to the client that match the search parameters. Not only could this overwhelm the server and adversely impact other clients, but the client may not be able to handle the number of entries returned. Clients should always provide a non-zero (positive) size limit and time limit to searches. For more information, see "LDAP: Programming Practices". Properly configured servers will restrict the number of entries returned to the client anyway, and the client-requested size limit (and time limit) cannot override the server-imposed limits, so setting the size limit (or time limit) to zero may not give the result you want anyway. Modern, professional-quality directory servers can even restrict the number of entries returned on time spent on a search by the root DN.
LDAP clients must never execute unindexed searches without making arrangements with the server administrators because unindexed searches can adversely impact server performance and cause poor performance to otherwise unsuspecting LDAP clients. Properly configured servers will disallow unindexed searches to some or all clients, though admins may approve unindexed searches in special cases where a reasonable business case justification can be provided.
Upvotes: 1
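The distinction drawn in the answer above, as an added example (not code from the thread): a PHP lookup that always sends a positive size limit and time limit, reads the server's result code, and treats an empty but truncated result as inconclusive instead of "not found". The function names, the status strings, and the limits of 2 entries and 5 seconds are assumptions; the result codes are those of RFC 4511.

```php
<?php
// Added example, not code from the thread. Result codes are from RFC 4511.
const RC_SUCCESS = 0;
const RC_TIME_LIMIT_EXCEEDED = 3;
const RC_SIZE_LIMIT_EXCEEDED = 4;
const RC_ADMIN_LIMIT_EXCEEDED = 11;

// Map (result code, entries returned) to a status the caller can act on.
// A truncated search that returned nothing does not prove the entry is absent.
function classify_search(int $rc, int $count): string
{
    switch ($rc) {
        case RC_SUCCESS:
            if ($count === 0) { return 'not-found'; }
            return $count === 1 ? 'found' : 'ambiguous';
        case RC_SIZE_LIMIT_EXCEEDED:
            return 'ambiguous';      // more entries matched than the limit allowed
        case RC_TIME_LIMIT_EXCEEDED:
        case RC_ADMIN_LIMIT_EXCEEDED:
            return $count > 0 ? 'partial' : 'inconclusive';
        default:
            return 'error';
    }
}

// One-level lookup expected to match a single entry ($ds is a bound connection).
function find_one($ds, string $base, string $attr, string $value, array $want): array
{
    $filter = sprintf('(%s=%s)', $attr, ldap_escape($value, '', LDAP_ESCAPE_FILTER));
    // attrsonly = 0, sizelimit = 2 (enough to detect duplicates), timelimit = 5 s.
    $sr = @ldap_list($ds, $base, $filter, $want, 0, 2, 5);
    if ($sr === false) {
        // No result handle at all: read the code from the connection instead.
        $rc = ldap_errno($ds);
        $status = $rc === RC_SUCCESS ? 'error' : classify_search($rc, 0);
        return ['status' => $status, 'entries' => ['count' => 0]];
    }
    ldap_parse_result($ds, $sr, $rc);
    $entries = ldap_get_entries($ds, $sr) ?: ['count' => 0];
    return ['status' => classify_search($rc, (int) $entries['count']), 'entries' => $entries];
}

// Constructed (result code, entry count) pairs covering the cases in the thread.
foreach ([[0, 1], [11, 1], [11, 0], [4, 2], [3, 0]] as [$rc, $n]) {
    printf("rc=%2d count=%d -> %s\n", $rc, $n, classify_search($rc, $n));
}
```

Code that uses such a lookup for login or authorization decisions should act only on `found`, and log `partial` and `inconclusive` so the unindexed attribute can be raised with the directory administrators.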
Reputation: 7763
Some suggestions:
Add a parameter (sizelimit) to tell LDAP not to limit the number of outputs.
$sr = ldap_list ($ds_id, $dn, $filters, $just, 0, 0); // 5th argument is attrsonly, 6th is sizelimit
Use a search condition including dc fields. I mean:
$dn = 'ou=users,ou=y,o=x,dc=company,dc=es';
Upvotes: 0