[Freeipa-devel] [PATCH] 248 Raise proper exception when LDAP limits are exceeded
Martin Kosek
mkosek at redhat.com
Tue Apr 17 08:04:46 UTC 2012
On Mon, 2012-04-16 at 13:51 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Jan Cholasta wrote:
> >> On 10.4.2012 10:57, Martin Kosek wrote:
> >>> Few test hints are attached to the ticket.
> >>>
> >>> ---
> >>>
> >>> ldap2 plugin returns NotFound error for find_entries/get_entry
> >>> queries when the server did not manage to return an entry
> >>> due to time limits. This may be confusing for user when the
> >>> entry he searches actually exists.
> >>>
> >>> This patch fixes the behavior in ldap2 plugin to return
> >>> LimitsExceeded exception instead. This way, user would know
> >>> that his time/size limits are set too low and can amend them to
> >>> get correct results.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/2606
> >>>
> >>
> >> ACK.
> >>
> >> Honza
> >>
> >
> > Before pushing I'd like to look at this more. truncated is supposed to
> > indicate a limits problem. I want to see if the caller should be
> > responsible for returning a limits error instead.
> >
> > rob
>
> This is what I had in mind.
>
> diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
> index 61341b0..447e738 100644
> --- a/ipaserver/plugins/ldap2.py
> +++ b/ipaserver/plugins/ldap2.py
> @@ -754,7 +754,7 @@ class ldap2(CrudBackend, Encoder):
> except _ldap.LDAPError, e:
> _handle_errors(e)
>
> - if not res:
> + if not res and not truncated:
> raise errors.NotFound(reason='no such entry')
>
> if attrs_list and ('memberindirect' in attrs_list or '*' in
> attrs_list)
> :
> @@ -801,7 +801,10 @@ class ldap2(CrudBackend, Encoder):
> if len(entries) > 1:
> raise errors.SingleMatchExpected(found=len(entries))
> else:
> - return entries[0]
> + if truncated:
> + raise errors.LimitsExceeded()
> + else:
> + return entries[0]
>
> def get_entry(self, dn, attrs_list=None, time_limit=None,
> size_limit=None, normalize=True):
> @@ -811,10 +814,13 @@ class ldap2(CrudBackend, Encoder):
> Keyword arguments:
> attrs_list - list of attributes to return, all if None
> (default None)
> """
> - return self.find_entries(
> + (entry, truncated) = self.find_entries(
> None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit,
> size_limit=size_limit, normalize=normalize
> - )[0][0]
> + )
> + if truncated:
> + raise errors.LimitsExceeded()
> + return entry[0]
>
> config_defaults = {'ipasearchtimelimit': [2],
> 'ipasearchrecordslimit': [0]}
> def get_ipa_config(self, attrs_list=None):
>
Thanks for the patch. I had similar patch planned in my mind.
We just need to be more careful, this patch will change an assumption
that ldap2.find_entries will always either raise NotFound error or
return at least one result.
I checked all ldap2.find_entries calls and did few fixes, it should be
OK now. No regression found in unit tests. The updated patch is
attached.
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-248-2-raise-proper-exception-when-ldap-limits-are-exceeded.patch
Type: text/x-patch
Size: 4434 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120417/e31c2c16/attachment.bin>
More information about the Freeipa-devel
mailing list