[Freeipa-devel] [PATCH] 248 Raise proper exception when LDAP limits are exceeded

Rob Crittenden rcritten at redhat.com
Tue Apr 17 20:34:15 UTC 2012 

Martin Kosek wrote:
> On Mon, 2012-04-16 at 13:51 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 10.4.2012 10:57, Martin Kosek wrote:
>>>>> Few test hints are attached to the ticket.
>>>>>
>>>>> ---
>>>>>
>>>>> ldap2 plugin returns NotFound error for find_entries/get_entry
>>>>> queries when the server did not manage to return an entry
>>>>> due to time limits. This may be confusing for user when the
>>>>> entry he searches actually exists.
>>>>>
>>>>> This patch fixes the behavior in ldap2 plugin to return
>>>>> LimitsExceeded exception instead. This way, user would know
>>>>> that his time/size limits are set too low and can amend them to
>>>>> get correct results.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2606
>>>>>
>>>>
>>>> ACK.
>>>>
>>>> Honza
>>>>
>>>
>>> Before pushing I'd like to look at this more. truncated is supposed to
>>> indicate a limits problem. I want to see if the caller should be
>>> responsible for returning a limits error instead.
>>>
>>> rob
>>
>> This is what I had in mind.
>>
>> diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
>> index 61341b0..447e738 100644
>> --- a/ipaserver/plugins/ldap2.py
>> +++ b/ipaserver/plugins/ldap2.py
>> @@ -754,7 +754,7 @@ class ldap2(CrudBackend, Encoder):
>>            except _ldap.LDAPError, e:
>>                _handle_errors(e)
>>
>> -        if not res:
>> +        if not res and not truncated:
>>                raise errors.NotFound(reason='no such entry')
>>
>>            if attrs_list and ('memberindirect' in attrs_list or '*' in
>> attrs_list)
>> :
>> @@ -801,7 +801,10 @@ class ldap2(CrudBackend, Encoder):
>>            if len(entries)>  1:
>>                raise errors.SingleMatchExpected(found=len(entries))
>>            else:
>> -            return entries[0]
>> +            if truncated:
>> +                raise errors.LimitsExceeded()
>> +            else:
>> +                return entries[0]
>>
>>        def get_entry(self, dn, attrs_list=None, time_limit=None,
>>                      size_limit=None, normalize=True):
>> @@ -811,10 +814,13 @@ class ldap2(CrudBackend, Encoder):
>>            Keyword arguments:
>>            attrs_list - list of attributes to return, all if None
>> (default None)
>>            """
>> -        return self.find_entries(
>> +        (entry, truncated) = self.find_entries(
>>                None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit,
>>                size_limit=size_limit, normalize=normalize
>> -        )[0][0]
>> +        )
>> +        if truncated:
>> +            raise errors.LimitsExceeded()
>> +        return entry[0]
>>
>>        config_defaults = {'ipasearchtimelimit': [2],
>> 'ipasearchrecordslimit': [0]}
>>        def get_ipa_config(self, attrs_list=None):
>>
>
> Thanks for the patch. I had similar patch planned in my mind.
>
> We just need to be more careful, this patch will change an assumption
> that ldap2.find_entries will always either raise NotFound error or
> return at least one result.
>
> I checked all ldap2.find_entries calls and did few fixes, it should be
> OK now. No regression found in unit tests. The updated patch is
> attached.
>
> Martin

ACK, pushed to master and ipa-2-2

rob

More information about the Freeipa-devel mailing list