From rmeggins at redhat.com Wed Sep 3 15:18:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 03 Sep 2008 09:18:36 -0600
Subject: [Fedora-directory-devel] Please review: Bug 461028 - Admin Server problem with mod_nss and NSS 3.12 on F9
Message-ID: <48BEAACC.5040809@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=461028
Resolves: bug 461028
Bug Description: Admin Server problem with mod_nss and NSS 3.12 on F9
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Admin Server must make sure to do the NSS initialization after mod_nss has done so. NSS 3.12 (introduced in Fedora 9) requires that processes must perform NSS initialization after calling fork() in each child process. Apache provides a hook to do this. I mostly just copied the init code from mod_nss, so that the init is done the same way that mod_nss does it. Without this patch, I get strange errors when starting the Admin Server with SSL enabled, such as "Password for internal slot is incorrect". With the patch, everything works fine.
Platforms tested: Fedora 9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=315652&action=diff

From rmeggins at redhat.com Wed Sep 3 19:53:59 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 03 Sep 2008 13:53:59 -0600
Subject: [Fedora-directory-devel] Please review: Bug 448366 - icu 4.0 will remove the -p option from genrb
Message-ID: <48BEEB57.3050709@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=448366
Resolves: bug 448366
Bug Description: icu 4.0 will remove the -p option from genrb
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: My earlier fix for this was not correct. When I removed the -p switch, I also needed to remove the argument to -p. The extra argument breaks the build on some platforms.
Platforms tested: RHEL5, Fedora 9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=315681&action=diff

From pgnet.trash+fds at gmail.com Mon Sep 15 17:07:34 2008
From: pgnet.trash+fds at gmail.com (PGNet)
Date: Mon, 15 Sep 2008 10:07:34 -0700
Subject: [Fedora-directory-devel] java.lang.ClassCastException @ exec of standalone fedora-idm-console on osx
Message-ID:

I'm trying to get fedora-idm-console up and running on OSX,

    uname -a
    Darwin mac03.pglan.com 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:36:17 PDT 2008; root:xnu-1228.5.20~1/RELEASE_PPC Power Macintosh

I've upgraded to latest JDK provided by Apple,

    java -version
    java version "1.5.0_16"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_16-b06-277)
    Java HotSpot(TM) Client VM (build 1.5.0_16-130, mixed mode, sharing)

The java upgrade causes heap-space overruns using ant; bug report here,

    "DirectoryScanner infinitely recurses on symlinks to parent directories"
    https://issues.apache.org/bugzilla/show_bug.cgi?id=45499

so I've upgraded to a src-build of Ant HEAD,

    ant -version
    Apache Ant version 1.8.0alpha compiled on September 14 2008

which cures the problem.

Mozilla prereqs all build cleanly. FedoraDS project's "console", "fedora-idm-console", "directoryconsole" & "admservconsole" also build cleanly.
I've installed the locally built fedora-ds & fedora-admin jars locally,

    ls -al ~/.fedora-idm-console/jars/
    -rw-r--r-- 1 root wheel 2484780 2008-09-14 12:51 fedora-admin-1.1.2.jar
    -rw-r--r-- 1 root wheel 37557 2008-09-14 12:51 fedora-admin-1.1.2_en.jar
    lrwxr-xr-x 1 root wheel 22 2008-09-14 12:51 fedora-admin-1.1.jar -> fedora-admin-1.1.2.jar
    lrwxr-xr-x 1 root wheel 25 2008-09-14 12:51 fedora-admin-1.1_en.jar -> fedora-admin-1.1.2_en.jar
    -rw-r--r-- 1 root wheel 2469020 2008-09-14 12:38 fedora-ds-1.1.2.jar
    -rw-r--r-- 1 root wheel 54528 2008-09-14 12:38 fedora-ds-1.1.2_en.jar
    lrwxr-xr-x 1 root wheel 19 2008-09-14 12:51 fedora-ds-1.1.jar -> fedora-ds-1.1.2.jar
    lrwxr-xr-x 1 root wheel 22 2008-09-14 12:51 fedora-ds-1.1_en.jar -> fedora-ds-1.1.2_en.jar

@ OSX shell, I launch

    fedora-idm-console -D 9 -f console.log

and can successfully connect to FDS server running on a remote box (SLES).

If, in the Fedora Management Console GUI I click through to the Servers & Applications Tab, and select the Server, I get a "Class Loader Error" dialog,

    "Failed to instantiate Server Object for Directory Server (fds): com.netscape.admin.dirserv.DSAdmin"

@ console.log, I get,

    ...
    ERROR ServerNode.createServerInstance: could not create com.netscape.management.admserv.AdminServer at fedora-admin-1.1.jar@cn=admin-serv-auth, cn=Fedora Administration Server, cn=Server Group, cn=fds.server.pglan.com, ou=pglan.com, o=NetscapeRoot
    Exception: java.lang.ClassCastException: com.netscape.management.admserv.AdminServer
    ...
    ERROR ServerNode.createServerInstance: could not create com.netscape.admin.dirserv.DSAdmin at fedora-ds-1.1.jar@cn=admin-serv-auth, cn=Fedora Administration Server, cn=Server Group, cn=fds.server.pglan.com, ou=pglan.com, o=NetscapeRoot
    Exception: java.lang.ClassCastException: com.netscape.admin.dirserv.DSAdmin
    ...

Per discussion in #fedora-ds, I've installed Eclipse, & created an Eclipse project for fedora-idm-console.
Debugging the Eclipse-built fedora-idm-console jar, exec breaks as above. The stack @ break is,

    fedora_idm_console_jar [Java Application]
      com.netscape.management.client.console.Console at localhost:50411
        Thread [main] (Suspended (exception ClassNotFoundException))
          Launcher$AppClassLoader(ClassLoader).loadClass(String, boolean) line: 356
          Launcher$AppClassLoader.loadClass(String, boolean) line: 280
          Launcher$AppClassLoader(ClassLoader).loadClass(String) line: 251
          Launcher$AppClassLoader(ClassLoader).loadClassInternal(String) line: 374
      /System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Home/bin/java (Sep 14, 2008 6:19:52 PM)

Where, for reference, in "ClassLoader.class",

    347:    } finally {
                if (isChildmost) {
                    childmostCaller.remove();
                    if ((c != null) && name.startsWith("org.apache.") &&
                        ( name.startsWith("org.apache.crimson.") ||
                          name.startsWith("org.apache.xalan.") ||
                          name.startsWith("org.apache.xml.") ||
                          name.startsWith("org.apache.xpath.")
                        ) ) {
    356:                AccessController.doPrivileged(new PrivilegedAction() {
                            public Object run() {
                                return System.setProperty("apple.lang.DisableCompatibilityClasspath", "true");
                            }});
                    }

I'm *guessing* this is OSX-specific, but am unclear as yet.

I'll further familiarize myself with Eclipse and the FDS code; in the meantime, any suggestions as to what the problem may be, or further debug help would be great. I can provide additional needed output from Eclipse as needed.

Thanks.

From nkinder at redhat.com Fri Sep 19 18:31:45 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 19 Sep 2008 11:31:45 -0700
Subject: [Fedora-directory-devel] Please Review: (462920) Make DNA plug-in auto-extend exhausted ranges
Message-ID: <48D3F011.70705@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=462920
Resolves: bug 462920
Bug Description: Make DNA plug-in auto-extend exhausted ranges
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: See https://bugzilla.redhat.com/show_bug.cgi?id=462920#c1
Flag Day: no
Doc impact: yes
https://bugzilla.redhat.com/attachment.cgi?id=317225&action=diff

From rmeggins at redhat.com Tue Sep 23 01:57:39 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 22 Sep 2008 19:57:39 -0600
Subject: [Fedora-directory-devel] Please review: The Windows Sync API should have plug-in points - part 2
Message-ID: <48D84D13.70403@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=457846
Resolves: bug 457846
Bug Description: The Windows Sync API should have plug-in points - part 2
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The modify callbacks were not sufficient to handle all cases. We need to have access to the DS entry. This changes the API to add the DS entry to the modify callbacks. I also had to change the handling of the userAccountControl - it cannot just overwrite the value, it must set the appropriate bit in the bit mask.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - winsync api docs
https://bugzilla.redhat.com/attachment.cgi?id=317429&action=diff

From rmeggins at redhat.com Wed Sep 24 19:05:23 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 24 Sep 2008 13:05:23 -0600
Subject: [Fedora-directory-devel] Please review:Bug 457846 - The Windows Sync API should have plug-in points - part 3
Message-ID: <48DA8F73.1000906@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=457846
Resolves: bug 457846
Bug Description: The Windows Sync API should have plug-in points - part 3
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: It turns out I was a little bit too aggressive in removing memory leaks, and broke outbound modify processing.
I should not have freed new_dn since it is used elsewhere. There was an earlier memory leak related to the way new_dn was initialized, but that was fixed elsewhere. The real fix is this:
- slapi_sdn_free(&new_dn);
The other fixes are lots of log messages I added to help debug this problem.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=317614&action=diff

From minfrin at sharp.fm Thu Sep 25 15:53:05 2008
From: minfrin at sharp.fm (Graham Leggett)
Date: Thu, 25 Sep 2008 17:53:05 +0200
Subject: [Fedora-directory-devel] Administrative limit exceeded with no results returned
Message-ID: <48DBB3E1.60802@sharp.fm>

Hi all,

I am having some sudden bizarre behaviour from fedora-ds-1.1.2-1.fc6.

The following query, logged in as a specific user created for our mailserver, has suddenly since this morning returned the error "Administrative limit exceeded":

'(&(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com)))'

When the exact same query is made using the Directory Manager, it returns zero records returned, which is correct (no entries exist in the directory called imausa.net).

According to the documentation for the error message "Administrative limit exceeded", this error will be thrown when more than by default 1000 rows are returned during a query by a user other than the Directory Manager.

When I last looked though, zero records was well less than 1000, and I am completely stumped.

Trying a domain that is hosted in this server, the query returns one single record, as expected, as the Directory Manager user.

Trying the same query as the specific user created for our mailserver, we again get "Administrative limit exceeded".

Has anybody encountered an error like this before?

In answer to "what's changed recently", the number of records in the LDAP server was increased from just over 1000 records to around 7000 records, although I cannot be sure if this is related.
The records have nothing whatsoever to do with the objects being queried by our mailserver in this case.

Regards,
Graham
--

From rmeggins at redhat.com Thu Sep 25 16:10:52 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 25 Sep 2008 10:10:52 -0600
Subject: [Fedora-directory-devel] Administrative limit exceeded with no results returned
In-Reply-To: <48DBB3E1.60802@sharp.fm>
References: <48DBB3E1.60802@sharp.fm>
Message-ID: <48DBB80C.7000308@redhat.com>

Graham Leggett wrote:
> Hi all,
>
> I am having some sudden bizarre behaviour from fedora-ds-1.1.2-1.fc6.
>
> The following query, logged in as a specific user created for our
> mailserver, has suddenly since this morning returned the error
> "Administrative limit exceeded":
>
> '(&(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com)))'
>
>
> When the exact same query is made using the Directory Manager, it
> returns zero records returned, which is correct (no entries exist in
> the directory called imausa.net).
>
> According to the documentation for the error message "Administrative
> limit exceeded", this error will be thrown when more than by default
> 1000 rows are returned during a query by a user other than the
> Directory Manager.
Not exactly. You are most likely hitting the look through limit. Is associatedDomain indexed for equality? Are there more than 1000 entries that have the associatedDomain attribute? In order to satisfy the NOT filter (!) the database has to look through all of the records in the database. See http://tinyurl.com/5yjk6m

Directory Manager is immune to look through limits and other such limits. That's why the search succeeds as Directory Manager.
You can set specific look through limits and other limits for individual or groups of users - see http://tinyurl.com/2sy8bl
>
> When I last looked though, zero records was well less than 1000, and I
> am completely stumped.
>
> Trying a domain that is hosted in this server, the query returns one
> single record, as expected, as the Directory Manager user.
>
> Trying the same query as the specific user created for our mailserver,
> we again get "Administrative limit exceeded".
>
> Has anybody encountered an error like this before?
>
> In answer to "what's changed recently", the number of records in the
> LDAP server was increased from just over 1000 records to around 7000
> records, although I cannot be sure if this is related.
That is most definitely the culprit.
> The records have nothing whatsoever to do with the objects being
> queried by our mailserver in this case.
It doesn't matter, since they exist in the same database and have to be "looked through".
>
> Regards,
> Graham
> --
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>

From minfrin at sharp.fm Thu Sep 25 16:32:04 2008
From: minfrin at sharp.fm (Graham Leggett)
Date: Thu, 25 Sep 2008 18:32:04 +0200
Subject: [Fedora-directory-devel] Administrative limit exceeded with no results returned
In-Reply-To: <48DBB80C.7000308@redhat.com>
References: <48DBB3E1.60802@sharp.fm> <48DBB80C.7000308@redhat.com>
Message-ID: <48DBBD04.2090406@sharp.fm>

Rich Megginson wrote:
> Not exactly. You are most likely hitting the look through limit. Is
> associatedDomain indexed for equality? Are there more than 1000 entries
> that have the associatedDomain attribute?
> In order to satisfy the NOT
> filter (!) the database has to look through all of the records in the
> database.

The total number of objects containing associatedDomain is 50 objects, and the definition for associatedDomain is the default as found in the pilot schema like so:

/etc/dirsrv/slapd-chandler/schema/28pilot.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' )

How does the directory handle multiple queries in an "and"? I would have thought that (&(A)(B)) would not bother evaluating B if A evaluated to zero records (as is the case in the first query), and in theory calculating the NOT in the second half of the query should have in theory have searched the results left over after evaluating A (ie just one record in the second query).

Or have I got this wrong (or backwards)?

Regards,
Graham
--

From rmeggins at redhat.com Thu Sep 25 16:45:20 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 25 Sep 2008 10:45:20 -0600
Subject: [Fedora-directory-devel] Administrative limit exceeded with no results returned
In-Reply-To: <48DBBD04.2090406@sharp.fm>
References: <48DBB3E1.60802@sharp.fm> <48DBB80C.7000308@redhat.com> <48DBBD04.2090406@sharp.fm>
Message-ID: <48DBC020.4000504@redhat.com>

Graham Leggett wrote:
> Rich Megginson wrote:
>
>> Not exactly. You are most likely hitting the look through limit. Is
>> associatedDomain indexed for equality? Are there more than 1000
>> entries that have the associatedDomain attribute? In order to
>> satisfy the NOT filter (!) the database has to look through all of
>> the records in the database.
>
> The total number of objects containing associatedDomain is 50 objects,
> and the definition for associatedDomain is the default as found in the
> pilot schema like so:
>
> /etc/dirsrv/slapd-chandler/schema/28pilot.ldif:attributeTypes: (
> 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' DESC 'Standard LDAP
> attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC
> 1274' )
>
> How does the directory handle multiple queries in an "and"? I would
> have thought that (&(A)(B)) would not bother evaluating B if A
> evaluated to zero records (as is the case in the first query), and in
> theory calculating the NOT in the second half of the query should have
> in theory have searched the results left over after evaluating A (ie
> just one record in the second query).
>
> Or have I got this wrong (or backwards)?
I think the problem is that having !(associatedDomain=somevalue) does not imply (associatedDomain=*). Do you want to search for entries that have associatedDomain and !(associatedDomain=somevalue)?
Try a search filter like
'(&(associatedDomain=*)(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com)))'

That should first find only the entries that have the associatedDomain attribute.
If that doesn't work, try a sub-filter like
(&(associatedDomain=*)(&(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com))))

Otherwise, I'm not sure - not filters are problematic in this manner.
>
> Regards,
> Graham
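Rich's point that `(!(associatedDomain=somevalue))` does not imply `(associatedDomain=*)`, as a stand-alone C model; this is an added example, not Fedora DS code or anything posted in the thread. It assumes a presence index but no equality index on associatedDomain, a look-through limit of 5000, and a constructed 7000-entry directory in which 50 entries carry the attribute; the candidate selection is a simplification, not the server's algorithm.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; a simplified model, not Fedora DS source. */
#define N_ENTRIES   7000   /* constructed directory size */
#define N_WITH_ATTR 50     /* constructed: entries that carry associatedDomain */
#define ADMIN_LIMIT_EXCEEDED 11   /* LDAP result code adminLimitExceeded */

enum kind { PRESENT, EQ, NOT_EQ };
struct term { enum kind kind; const char *val; };
struct result { int rc, looked, matched; };

/* Constructed data: entry 0 is rachel.example.com, entries 1..49 hold other
 * domains, entries 50..6999 have no associatedDomain value at all. */
static const char *value_of(int id, char buf[32])
{
    if (id >= N_WITH_ATTR) return NULL;
    if (id == 0) return "rachel.example.com";
    snprintf(buf, 32, "host%d.example.com", id);
    return buf;
}

static int equals(const char *v, const char *want)
{
    return v != NULL && strcmp(v, want) == 0;
}

/* Filter semantics: a NOT term is true for an entry that lacks the attribute. */
static int term_true(const struct term *t, const char *v)
{
    switch (t->kind) {
    case PRESENT: return v != NULL;
    case EQ:      return equals(v, t->val);
    default:      return !equals(v, t->val);
    }
}

/* An index can rule an entry out before it is read. NOT terms and terms
 * without a matching index rule nothing out (model assumption). */
static int index_excludes(const struct term *t, const char *v, int pres_idx, int eq_idx)
{
    if (t->kind == PRESENT && pres_idx) return v == NULL;
    if (t->kind == EQ && eq_idx)        return !equals(v, t->val);
    return 0;
}

/* Evaluate an AND of n terms; every surviving candidate is "looked through". */
static struct result search(const struct term *t, int n, int pres_idx, int eq_idx, int limit)
{
    struct result r = { 0, 0, 0 };
    char buf[32];
    for (int id = 0; id < N_ENTRIES; id++) {
        const char *v = value_of(id, buf);
        int candidate = 1, match = 1;
        for (int i = 0; i < n; i++) {
            if (index_excludes(&t[i], v, pres_idx, eq_idx)) candidate = 0;
            if (!term_true(&t[i], v)) match = 0;
        }
        if (!candidate) continue;
        if (r.looked == limit) { r.rc = ADMIN_LIMIT_EXCEEDED; return r; }
        r.looked++;
        r.matched += match;
    }
    return r;
}

/* The filters quoted in the thread. */
static const struct term original[]  = { { EQ, "imausa.net" }, { NOT_EQ, "rachel.example.com" } };
static const struct term suggested[] = { { PRESENT, NULL }, { EQ, "imausa.net" },
                                         { NOT_EQ, "rachel.example.com" } };
static const struct term not_only[]  = { { NOT_EQ, "rachel.example.com" } };

int main(void)
{
    struct result a = search(original, 2, 1, 0, 5000);
    struct result b = search(suggested, 3, 1, 0, 5000);
    struct result c = search(not_only, 1, 1, 0, N_ENTRIES);
    printf("original:  rc=%d looked=%d matched=%d\n", a.rc, a.looked, a.matched);
    printf("suggested: rc=%d looked=%d matched=%d\n", b.rc, b.looked, b.matched);
    printf("NOT only:  rc=%d looked=%d matched=%d\n", c.rc, c.looked, c.matched);
    return 0;
}
```
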
From minfrin at sharp.fm Thu Sep 25 17:00:41 2008
From: minfrin at sharp.fm (Graham Leggett)
Date: Thu, 25 Sep 2008 19:00:41 +0200
Subject: [Fedora-directory-devel] Administrative limit exceeded with no results returned
In-Reply-To: <48DBC020.4000504@redhat.com>
References: <48DBB3E1.60802@sharp.fm> <48DBB80C.7000308@redhat.com> <48DBBD04.2090406@sharp.fm> <48DBC020.4000504@redhat.com>
Message-ID: <48DBC3B9.3070304@sharp.fm>

Rich Megginson wrote:
> I think the problem is that having !(associatedDomain=somevalue) does
> not imply (associatedDomain=*). Do you want to search for entries that
> have associatedDomain and !(associatedDomain=somevalue)?
> Try a search filter like
> '(&(associatedDomain=*)(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com)))'

The filter I have is testing whether a specific known domain exists in the directory, with the extra proviso that the name of the domain is not allowed to be the name of the machine itself (thus the not part).

So it should be (&(associatedDomain=example.com)(!(associatedDomain=machine.example.com))).

Am I correct in understanding that the first part of your query above (associatedDomain=*) will limit the results within which to search for the rest of the query?

> That should first find only the entries that have the associatedDomain
> attribute.
> If that doesn't work, try a sub-filter like
> (&(associatedDomain=*)(&(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com))))
>
> Otherwise, I'm not sure - not filters are problematic in this manner.

Hmmm...
I have a second query, which could be problematic, that looks like this:

(&(|(mail=%s)(mailAlternateAddress=%s))(!(mailHost=$myhostname)))

The idea is that if the mail is known to the LDAP server (and thus the mail cluster), but is not hosted on this local box, the mail will be delivered to the box in the cluster that does host the mail.

The trouble is, just doing a (!(mailHost=$myhostname)) is likely to potentially return a lot of records, however the and part before it should isolate the exact user first, thus removing the need to query the entire directory to work out the not.

Does the directory do any kind of query optimisation while evaluating a search query?

Regards,
Graham
--

From ando at sys-net.it Thu Sep 25 17:06:02 2008
From: ando at sys-net.it (Pierangelo Masarati)
Date: Thu, 25 Sep 2008 19:06:02 +0200
Subject: [Fedora-directory-devel] Administrative limit exceeded with no results returned
In-Reply-To: <48DBC3B9.3070304@sharp.fm>
References: <48DBB3E1.60802@sharp.fm> <48DBB80C.7000308@redhat.com> <48DBBD04.2090406@sharp.fm> <48DBC020.4000504@redhat.com> <48DBC3B9.3070304@sharp.fm>
Message-ID: <48DBC4FA.9090800@sys-net.it>

Graham Leggett wrote:
> Rich Megginson wrote:
>
>> I think the problem is that having !(associatedDomain=somevalue) does
>> not imply (associatedDomain=*). Do you want to search for entries
>> that have associatedDomain and !(associatedDomain=somevalue)?
>> Try a search filter like
>> '(&(associatedDomain=*)(associatedDomain=imausa.net)(!(associatedDomain=rachel.example.com)))'
>
>
> The filter I have is testing whether a specific known domain exists in
> the directory, with the extra proviso that the name of the domain is not
> allowed to be the name of the machine itself (thus the not part).
>
> So it should be
> (&(associatedDomain=example.com)(!(associatedDomain=machine.example.com))).
>
> Am I correct in understanding that the first part of your query above
> (associatedDomain=*) will limit the results within which to search for
> the rest of the query?

Apart from implementation issues, a filter like "(!(attr=value))" matches all entries whose values of "attr" differ from "value", *and* all entries without "attr" at all. That's why Rich's suggestion should work. In fact, "(attr=*)" makes use of the "presence" index, while "(!(attr=value))" makes use of the "equality" index. If the "look through" limit applies to selected candidates, if you have presence indexes in place for "attr" but no equality indexes, the difference between your query and the one Rich suggested is exactly *all* - entries with "attr", which could really make the difference between 7000 and 50.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando at sys-net.it
-----------------------------------

From xili at soleocommunications.com Tue Sep 30 19:38:47 2008
From: xili at soleocommunications.com (Xi Sanderson)
Date: Tue, 30 Sep 2008 15:38:47 -0400
Subject: [Fedora-directory-devel] ldapsearch with size limit (-z) doesn't work with OR filter and range search
Message-ID: <48E28047.2040104@soleocommunications.com>

Hi,

I am having a problem with the following command:

ldapsearch -z 10 ... (&(attr1=val1)(|(attr2=val21)(attr2=val22))(attr3>=val3))

The command returns successfully with 0 entry. I know there are entries in my database matching the search criteria. And if I remove "-z 10" option, all the entries matching the search criteria return. More interestingly, if I switch the order of the search filter:

ldapsearch -z 10 ... (&(attr1=val1)(attr3>=val3)(|(attr2=val21)(attr2=val22)))

It returns 10 entries.
After looking at the fedora-ds-base code, I found the following:

Range search ">=" or "<=" calls index_range_read() function, which has the following code:

    if (!is_and)
    {
        slapi_pblock_get(pb, SLAPI_SEARCH_SIZELIMIT, &sizelimit);
    }

When filter is not AND, client side size limit is used to filter candidates. I don't understand why client side size limit is used on server side to filter the candidates in the first place.

Now "is_and" is set in list_candidates() every time when it is called and it is called for AND and OR filters. So if I have a filter like this:

(&(attr1=val1)(|(attr2=val21)(attr2=val22))(attr3>=val3))

Since OR "|" is after AND "&", "is_and" is false when index_range_read() is called, size limit is used and if the candidates within the size limit don't satisfy the whole search criteria, no record is returned from the search. The code doesn't seem to understand OR is only for "(|(attr2=val21)(attr2=val22))" part of the filter.

However, if I switch the filter order to:

(&(attr1=val1)(attr3>=val3)(|(attr2=val21)(attr2=val22)))

Now "is_and" is true when index_range_read() is called, thus no size limit is used and the records satisfy the search criteria are returned.

Has anybody experienced same problem or know if there is an existing bug for this problem?

Thanks,

Xi

From rmeggins at redhat.com Tue Sep 30 20:13:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 30 Sep 2008 14:13:50 -0600
Subject: [Fedora-directory-devel] ldapsearch with size limit (-z) doesn't work with OR filter and range search
In-Reply-To: <48E28047.2040104@soleocommunications.com>
References: <48E28047.2040104@soleocommunications.com>
Message-ID: <48E2887E.30104@redhat.com>

Xi Sanderson wrote:
> Hi,
>
> I am having a problem with the following command:
>
> ldapsearch -z 10 ...
> (&(attr1=val1)(|(attr2=val21)(attr2=val22))(attr3>=val3))
>
> The command returns successfully with 0 entry. I know there are
> entries in my database matching the search criteria.
> And if I remove
> "-z 10" option, all the entries matching the search criteria return.
> More interestingly, if I switch the order of the search filter:
>
> ldapsearch -z 10 ...
> (&(attr1=val1)(attr3>=val3)(|(attr2=val21)(attr2=val22)))
>
> It returns 10 entries. After looking at the fedora-ds-base code, I
> found the following:
>
> Range search ">=" or "<=" calls index_range_read() function, which has
> the following code:
>
>     if (!is_and)
>     {
>         slapi_pblock_get(pb, SLAPI_SEARCH_SIZELIMIT, &sizelimit);
>     }
>
> When filter is not AND, client side size limit is used to filter
> candidates. I don't understand why client side size limit is used on
> server side to filter the candidates in the first place.
>
> Now "is_and" is set in list_candidates() every time when it is called
> and it is called for AND and OR filters. So if I have a filter like this:
>
> (&(attr1=val1)(|(attr2=val21)(attr2=val22))(attr3>=val3))
>
> Since OR "|" is after AND "&", "is_and" is false when
> index_range_read() is called, size limit is used and if the candidates
> within the size limit don't satisfy the whole search criteria, no
> record is returned from the search. The code doesn't seem to
> understand OR is only for "(|(attr2=val21)(attr2=val22))" part of the
> filter.
>
> However, if I switch the filter order to:
>
> (&(attr1=val1)(attr3>=val3)(|(attr2=val21)(attr2=val22)))
>
> Now "is_and" is true when index_range_read() is called, thus no size
> limit is used and the records satisfy the search criteria are returned.
>
> Has anybody experienced same problem or know if there is an existing
> bug for this problem?
Sounds like a bug. Please file one at bugzilla.redhat.com against Fedora Directory Server.
>
> Thanks,
>
> Xi
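The behaviour Xi Sanderson reports, reduced to a stand-alone C model; this is an added example, not fedora-ds-base code and not written by anyone in the thread. It models one shared `is_and` flag that a nested OR clears and a range read that stops at the client size limit when the flag is clear; the bitmask ID lists, the function names, the index contents and the `restore` switch are assumptions, and `restore` is one hypothetical correction, not the project's fix.

```c
#include <stdio.h>
#include <stdint.h>

/* Added illustration, not fedora-ds-base source. Entry IDs 0..31 are bits in
 * a uint32_t candidate list; all index contents below are constructed. */
enum ftype { F_AND, F_OR, F_EQ, F_GE };

struct filter {
    enum ftype type;
    uint32_t ids;                  /* F_EQ, F_GE: IDs the index returns */
    const struct filter *kid[3];   /* F_AND, F_OR: up to three sub-filters */
};

static int is_and;   /* one flag shared by the whole traversal, as in the post */

/* Range read: when the flag says "not inside an AND", stop after
 * sizelimit IDs, lowest ID first. */
static uint32_t model_range_read(uint32_t ids, int sizelimit)
{
    uint32_t out = 0;
    int taken = 0;
    if (is_and) return ids;
    for (int i = 0; i < 32 && taken < sizelimit; i++)
        if (ids & (1u << i)) { out |= 1u << i; taken++; }
    return out;
}

/* restore == 0: the flag is set on entry only, so a nested OR leaves it clear.
 * restore != 0: the flag is put back after each sub-filter (hypothetical fix). */
static uint32_t model_list_candidates(const struct filter *f, int sizelimit, int restore)
{
    if (f->type == F_EQ) return f->ids;
    if (f->type == F_GE) return model_range_read(f->ids, sizelimit);

    int mine = (f->type == F_AND);
    uint32_t acc = mine ? 0xffffffffu : 0u;
    is_and = mine;
    for (int i = 0; i < 3 && f->kid[i] != NULL; i++) {
        uint32_t c = model_list_candidates(f->kid[i], sizelimit, restore);
        acc = mine ? (acc & c) : (acc | c);
        if (restore) is_and = mine;
    }
    return acc;
}

/* Number of candidate entries a search produces. */
static int search_count(const struct filter *f, int sizelimit, int restore)
{
    uint32_t ids;
    int n = 0;
    is_and = 0;
    ids = model_list_candidates(f, sizelimit, restore);
    for (; ids != 0; ids &= ids - 1) n++;
    return n;
}

/* Constructed index data: attr1=val1 holds every entry, attr3>=val3 holds
 * IDs 0..29, and the attr2 values hold IDs 20, 22 and 25. */
static const struct filter attr1  = { F_EQ, 0xffffffffu, { NULL } };
static const struct filter val21  = { F_EQ, (1u << 20) | (1u << 22), { NULL } };
static const struct filter val22  = { F_EQ, 1u << 25, { NULL } };
static const struct filter attr3  = { F_GE, 0x3fffffffu, { NULL } };
static const struct filter either = { F_OR, 0, { &val21, &val22, NULL } };
/* (&(attr1=val1)(|(attr2=val21)(attr2=val22))(attr3>=val3)) */
static const struct filter or_first    = { F_AND, 0, { &attr1, &either, &attr3 } };
/* (&(attr1=val1)(attr3>=val3)(|(attr2=val21)(attr2=val22))) */
static const struct filter range_first = { F_AND, 0, { &attr1, &attr3, &either } };

int main(void)
{
    printf("OR before range, -z 10:           %d\n", search_count(&or_first, 10, 0));
    printf("range before OR, -z 10:           %d\n", search_count(&range_first, 10, 0));
    printf("OR before range, flag restored:   %d\n", search_count(&or_first, 10, 1));
    return 0;
}
```

The model stops at the candidate list; the size limit applied when results are sent to the client is not modelled.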