Univention Bugzilla – Bug 42533
Show a warning in UMC instead of traceback (udm/query) when ldap limits are met in object search
Last modified: 2017-06-15 17:57:57 CEST
(Initially for UCS 3.X) A traceback is shown on 'LDAP_ConnectionError: Administrative limit exceeded' (See traceback below). UMC should instead show a warning message. See also Bug 29500 and Bug 29670 (for 'Size limit exceeded') This happens when the user(or its group) meets the defined limits in LDAP. In this particular case the 'size.unchecked' because one of the attributes in the "Default properties" is not in the defined LDAP indices in a directory with millions of objects. Here the management-console-module-udm.log: ---- 28.09.16 18:11:50.432 MODULE ( INFO ) : Executing ['udm/query'] 28.09.16 18:11:50.436 MODULE ( INFO ) : Using open LDAP connection for user uid=ucstestuser,cn=portal users,ou=test,dc=domain,dc=local 28.09.16 18:11:50.436 MODULE ( INFO ) : Using open LDAP connection for user uid=ucstestuser,cn=portal users,ou=test,dc=domain,dc=local 28.09.16 18:11:50.436 MODULE ( INFO ) : Searching for LDAP objects: container = cn=users,ou=test,dc=domain,dc=local, filter = (|(uid=id20160822090316808512)(firstname=id20160822090316808512)(cAttrOne=id20160822090316808512)(lastname=id20160822090316808512)(mailPrimaryAddress=id20160822090316808512)), superordinate = None 28.09.16 18:11:50.441 MODULE ( INFO ) : LDAP operation for user uid=ucstestuser,cn=portal users,ou=test,dc=domain,dc=local has failed 28.09.16 18:11:50.456 MODULE ( INFO ) : Searching for LDAP objects: container = cn=users,ou=test,dc=domain,dc=local, filter = (|(uid=id20160822090316808512)(firstname=id20160822090316808512)(cAttrOne=id20160822090316808512)(lastname=id20160822090316808512)(mailPrimaryAddress=id20160822090316808512)), superordinate = None 28.09.16 18:11:50.531 MODULE ( PROCESS ) : An internal error occurred: File "/usr/lib/pymodules/python2.6/notifier/threads.py", line 82, in _run tmp = self._function() File "/usr/lib/pymodules/python2.6/notifier/__init__.py", line 104, in __call__ return self._function( *tmp, **self._kwargs ) File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/__init__.py", line 514, in _thread result = module.search( request.options.get( 'container' ), request.options[ 'objectProperty' ], request.options[ 'objectPropertyValue' ], superordinate, scope = request.options.get( 'scope' , 'sub' ), hidden=request.options.get('hidden') ) File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/udm_ldap.py", line 213, in wrapper_func raise LDAP_ConnectionError( str( e ) ) LDAP_ConnectionError: Administrative limit exceeded ---- * Warning: I tried to anonymize the log, so it may have unintentional syntax errors.
The traceback after UCS 4.0-0-errata18 would be: Execution of command 'udm/query groups/group' has failed: Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 82, in _run tmp = self._function() File "/usr/lib/pymodules/python2.7/notifier/__init__.py", line 104, in __call__ return self._function( *tmp, **self._kwargs ) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/__init__.py", line 543, in _thread result = module.search(container, objectProperty, objectPropertyValue, superordinate, scope=scope, hidden=hidden) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 87, in _decorated return method(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 135, in _decorated result = func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 472, in search result = self.module.lookup(None, ldap_connection, filter_s, base=container, superordinate=superordinate, scope=scope, sizelimit=sizelimit) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 1047, in lookup for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit): File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 339, in search raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg) ldapError: Administrative limit exceeded
Created attachment 8337 [details] patch The most simple solution seems to raise univention.admin.uexceptions.ldapSizelimitExceeded also in case of the ADMIN limits. This causes an error message like the following to be displayed: """ The query you have entered yields too many matching entries. Please narrow down your search by specifying more query parameters. The current size limit of %s can be configured with the UCR variable directory/manager/web/sizelimit. """
Florian, can the patch simply applied?
(In reply to Stefan Gohmann from comment #4) > Florian, can the patch simply applied? Yes, but as said this would display an error message which refers to the UCR variable "directory/manager/web/sizelimit" which is not effective here as the admin-size-limit is set in slapd.conf (server) and not in the client. At least the traceback is not shown.
The patch has been applied. Additionally the error handling in the UDM module has been improved, otherwise the fix wouldn't work in the LDAP directory tree and show a traceback there. It can be simply tested by setting "ucr set ldap/sizelimit='10'". univention-management-console-module-udm (7.0.9-16): r78923 | Bug #42533: fix admin size limit reached error message univention-management-console-module-udm.yaml: r78925 | YAML Bug #42533 univention-directory-manager-modules (12.0.16-6): r78924 | Bug #42533: fix admin size limit reached error message univention-directory-manager-modules.yaml: r78925 | YAML Bug #42533
I was not fully able to reproduce the bug. For example opening the users module with 11 existing users and ldap/sizelimit='10' I got no traceback, but the error message the fix in Comment #6 was supposed to introduce. In the "LDAP directory" module however I got a traceback, which the fix removed. -> Verified
<http://errata.software-univention.de/ucs/4.2/39.html> <http://errata.software-univention.de/ucs/4.2/41.html>