php ldap_search/list returns null when searching by an unindexed parameter and the entry is beyond the server limit

Posted 2024-12-20 23:17:55 · 732 words · 0 views · 0 comments

I'm doing a ldap search by an unindexed key like email as follows:

    $dn = 'ou=users,ou=y,o=x';
    $filters = '([email protected])';
    $just = array ('id');
    $sr = ldap_list ($ds_id, $dn, $filters, $just);

and the result is ok if the entry is in the < SERVER_RETURN_LIMIT (=1000 in my case) and is empty if the entry is over the 1k limit.
If I do my search by an index parameter like the user's id, the result is always as expected.

What I would like to know is if there is any way I can get the expected result when I do a search by an unindexed key, no matter how many entries I have and no matter at which position the entry I want to retrieve sits.

I also always get this warning whenever I do a search, no matter the type of key:

Warning: ldap_list() [function.ldap-list]: Partial search results returned: Adminlimit exceeded in...

The warning is displayed if the search is successful also, and the result is always 1 entry. I'm not looking to return more than 1 entry / search.

Hope you folks can shed some light on this.
TA!

Comments (2)

甜是你 2024-12-27 23:17:55

The 'administrative limit exceeded' means the LDAP client has exceeded some limit set by server administrators - in many LDAP servers this limit is known as the lookthrough limit. Size limit exceeded means the search parameters matched either 1) a number of entries greater than the client-requested size limit or 2) a number of entries greater than the server-imposed size limit. Admin limit exceeded and size limit exceeded are different concepts entirely.

LDAP clients should never, ever set size limit to zero - this effectively tells the server to return all entries to the client that match the search parameters. Not only could this overwhelm the server and adversely impact other clients, but the client may not be able to handle the number of entries returned. Clients should always provide a non-zero (positive) size limit and time limit to searches. For more information, see "LDAP: Programming Practices". Properly configured servers will restrict the number of entries returned to the client anyway, and the client-requested size limit (and time limit) cannot override the server-imposed limits, so setting the size limit (or time limit) to zero may not give the result you want anyway. Modern, professional-quality directory servers can even restrict the number of entries returned on time spent on a search by the root DN.

LDAP clients must never execute unindexed searches without making arrangements with the server administrators because unindexed searches can adversely impact server performance and cause poor performance to otherwise unsuspecting LDAP clients. Properly configured servers will disallow unindexed searches to some or all clients, though admins may approve unindexed searches in special cases where a reasonable business case justification can be provided.
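
The distinction drawn in the answer above, as an added PHP example that is not part of the original thread or either answer: it sends a positive size and time limit, escapes the filter value, and treats an empty result that comes with adminLimitExceeded as inconclusive rather than as "not found". The `mail` attribute and the names `classify_search` and `find_id_by_mail` are assumptions; the `id` attribute is taken from the question.

```php
<?php
// Added example, not from the original thread. Assumes the address is stored
// in a "mail" attribute; the 'id' attribute is the one the question requests.

const LDAP_RC_TIMELIMIT  = 0x03; // timeLimitExceeded
const LDAP_RC_SIZELIMIT  = 0x04; // sizeLimitExceeded
const LDAP_RC_ADMINLIMIT = 0x0b; // adminLimitExceeded (e.g. a lookthrough limit)

// Pure helper: turn an LDAP result code plus entry count into a decision.
function classify_search(int $rc, int $count): string
{
    if ($rc === LDAP_RC_ADMINLIMIT) {
        // The server stopped examining candidates, so "no match" proves nothing.
        return $count > 0 ? 'found-partial' : 'inconclusive-admin-limit';
    }
    if ($rc === LDAP_RC_SIZELIMIT) return 'more-than-requested';
    if ($rc === LDAP_RC_TIMELIMIT) return 'inconclusive-time-limit';
    if ($rc !== 0) return 'error';
    return $count > 0 ? 'found' : 'not-found';
}

// Hypothetical wrapper: one-level search for a single entry by e-mail address.
function find_id_by_mail($ds, string $baseDn, string $mail): array
{
    // Escape the value so user input cannot change the structure of the filter.
    $filter = '(mail=' . ldap_escape($mail, '', LDAP_ESCAPE_FILTER) . ')';
    // Arguments 5 to 7: attrsonly = 0, sizelimit = 1 entry, timelimit = 5 seconds.
    $sr = @ldap_list($ds, $baseDn, $filter, ['id'], 0, 1, 5);
    $rc = ldap_errno($ds);
    if ($sr === false) {
        // No result handle at all: report an error unless the code says more.
        $status = $rc === 0 ? 'error' : classify_search($rc, 0);
        return ['status' => $status, 'entries' => []];
    }
    $entries = ldap_get_entries($ds, $sr);
    return ['status' => classify_search($rc, $entries['count']), 'entries' => $entries];
}

// Constructed result codes, so this part runs without a directory server.
foreach ([[0, 1], [0, 0], [0x0b, 0], [0x0b, 1], [0x04, 1]] as [$rc, $n]) {
    printf("rc=0x%02x entries=%d -> %s\n", $rc, $n, classify_search($rc, $n));
}
```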

泛泛之交 2024-12-27 23:17:55

Some suggestions:

  • Add a parameter (sizelimit) to tell LDAP not to limit the number of outputs.

    // The 5th argument of ldap_list() is attrsonly; sizelimit is the 6th.
    $sr = ldap_list ($ds_id, $dn, $filters, $just, 0, 0);

  • Use a search condition including dc fields. I mean:

    $dn = 'ou=users,ou=y,o=x,dc=company,dc=es';
