<div dir="ltr">Oops.. replied without the list.<br><div class="gmail_extra"><br><div class="gmail_quote"><div dir="ltr"><div><div>Reason I said -1 is because users might be confused if they enter `ipa config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui show -1 instead of 0. I wonder if -1 makes more sense in that regard? Thoughts? Does "<= 0 is unlimited" make more sense?<br></div></div></div><div dir="ltr"> <br>Thanks,<br><br>Gabe<div><div class="h5"><br><div><div><div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 10, 2015 at 8:15 AM, Jan Cholasta <span dir="ltr"><<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I'm not sure about that, I think it should still say 0, because that's what we want to use as the unlimited value. If you insist on including -1 in the docs, maybe we can say "<= 0 is unlimited"?<span><br> <br> On 10.9.2015 16:08, Gabe Alford wrote:<br> </span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span> Makes sense. I also changed the doc string to reflect -1 as well.<br> Updated patch attached.<br> <br> Thanks,<br> <br> Gabe<br> <br> On Thu, Sep 10, 2015 at 1:41 AM, Jan Cholasta <<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a><br></span><span> <mailto:<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a>>> wrote:<br> <br> On 4.9.2015 14:43, Gabe Alford wrote:<br> <br> Bump for review.<br> <br> On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford<br> <<a href="mailto:redhatrises@gmail.com" target="_blank">redhatrises@gmail.com</a> <mailto:<a href="mailto:redhatrises@gmail.com" target="_blank">redhatrises@gmail.com</a>><br></span> <mailto:<a href="mailto:redhatrises@gmail.com" target="_blank">redhatrises@gmail.com</a> <mailto:<a href="mailto:redhatrises@gmail.com" target="_blank">redhatrises@gmail.com</a>>>><span><br> wrote:<br> <br> On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta<br> <<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a> <mailto:<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a>><br></span> <mailto:<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a> <mailto:<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a>>>><div><div><br> wrote:<br> <br> On 6.8.2015 21:43, Gabe Alford wrote:<br> <br> Hello,<br> <br> Updated patch attached.<br> <br> - Time limit is -1 for unlimited. I found this<br> <a href="https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html</a><br> in reference to keeping the time limit as -1 for<br> unlimited.<br> <br> <br> This patch does two conflicting things: it coerces time<br> limit of<br> 0 to -1 and at the same time prohibits the user to use<br> 0 for<br> time limit. We should do just one of these and IMHO it<br> should be<br> the coercion of 0 to -1.<br> <br> Sure enough, testing time limit at 0 did not work for<br> unlimited as well<br> as appeared to have negative effects on IPA.<br> <br> <br> This is because the time limit read from ipa config is not<br> converted to int in ldap2.find_entries(), so the<br> coercion does<br> not work. Fix this and 0 will work just fine.<br> <br> Also, I believe that<br> <a href="http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s" rel="noreferrer" target="_blank">http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s</a><br> specifies unlimited for time limit as -1. (Please<br> correct me<br> if I am wrong.)<br> <br> <br> python-ldap is layers below our API and should not<br> determine<br> what we use for unlimited time limit. I would prefer if<br> we were<br> self-consistent and use 0 for both time limit and size<br> limit.<br> <br> <br> A misunderstanding on my part as I thought it was higher up<br> in the<br> API for some reason. Updated patch attached.<br> <br> <br> Thanks, this is better, but it turns out I was wrong about coercing<br> -1 to 0 in config-mod: in a topology with different versions of IPA<br> servers, setting the limits in LDAP to 0 on a newer server with your<br> patch will break older servers without your patch:<br> <br> [user@old]$ ipa user-find<br> --------------<br> 1 user matched<br> --------------<br> User login: admin<br> Last name: Administrator<br> Home directory: /home/admin<br> Login shell: /bin/bash<br> UID: 1364800000<br> GID: 1364800000<br> Account disabled: False<br> Password: True<br> Kerberos keys available: True<br> ----------------------------<br> Number of entries returned 1<br> ----------------------------<br> <br> [user@new]$ ipa config-mod --searchtimelimit=0<br> --searchrecordslimit=0<br> ...<br> <br> [user@old]$ ipa user-find<br> ---------------<br> 0 users matched<br> ---------------<br> ----------------------------<br> Number of entries returned 0<br> ----------------------------<br> <br> To fix this, we actually need to do the opposite and store -1 in<br> LDAP when 0 is specified in config-mod options.<br> <br> Honza<br> <br> --<br> Jan Cholasta<br> <br> <br> </div></div></blockquote><span><font color="#888888"> <br> <br> -- <br> Jan Cholasta<br> </font></span></blockquote></div><br></div></div></div></div></div></div></div></div></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> </blockquote></div><br></div></div>