  1. OpenAM
  2. OPENAM-12204

AM can not handle an arbitrary number of OIDC clients if external configuration data store is used

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.1
    • Fix Version/s: None
    • Labels:
    • Environment:
      java version "1.8.0_111"
      Apache Tomcat/8.5.4
      AM 5.1.1
    • Target Version/s:
    • Sprint:
      AM Sustaining Sprint 48
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      No (add reasons in the comment)

      Description

      Bug description

      dynamic client registration of the 1001st client fails

      How to reproduce the issue


      1. configure AM with hardened DJ as external configuration data store, use non-RootDN as Bind-DN
      2. configure OIDC provider
      3. register more than 1000 OIDC clients dynamically (https://backstage.forgerock.com/docs/am/5.1/oidc1-guide/#register-openid-connect-client-dynamic)
      Expected behaviour
      It should be possible to register an arbitrary number of OIDC clients
      
      Current behaviour
      At some point registration fails with error
      
      amAgentsRepo:12/11/2017 03:00:15:700 PM GMT: Thread[http-nio-8443-exec-17,5,main]: TransactionId[67b57446-9c6c-47c7-a62e-f173e62564dc-406366]
      ERROR: AgentsRepo.create():Unable to create agents
      SMSException Exception Code:5
      Message:Unexpected LDAP exception occurred.
      --------------------------------------------------
      The lower level exception message
      Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client
      The lower level exception:
      org.forgerock.opendj.ldap.LdapException: Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client
      

      Full stacktrace from AM 5.1.1

      
      

      amAgentsRepo:12/11/2017 03:00:15:700 PM GMT: Thread[http-nio-8443-exec-17,5,main]: TransactionId[67b57446-9c6c-47c7-a62e-f173e62564dc-406366]
      ERROR: AgentsRepo.create():Unable to create agents
      SMSException Exception Code:5
      Message:Unexpected LDAP exception occurred.
      --------------------------------------------------
      The lower level exception message
      Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client
      The lower level exception:
      org.forgerock.opendj.ldap.LdapException: Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:202)
      at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext(ConnectionEntryReader.java:224)
      at com.sun.identity.sm.ldap.SMSLdapObject.getSubEntries(SMSLdapObject.java:495)
      at com.sun.identity.sm.ldap.SMSLdapObject.subEntries(SMSLdapObject.java:471)
      at com.sun.identity.sm.SMSEntry.subEntries(SMSEntry.java:898)
      at com.sun.identity.sm.CachedSubEntries.getSubEntries(CachedSubEntries.java:144)
      at com.sun.identity.sm.CachedSubEntries.getSubEntries(CachedSubEntries.java:113)
      at com.sun.identity.sm.ServiceConfigImpl.getSubConfigNames(ServiceConfigImpl.java:191)
      at com.sun.identity.sm.ServiceConfig.getSubConfigNames(ServiceConfig.java:217)
      at com.sun.identity.idm.plugins.internal.AgentsRepo.create(AgentsRepo.java:282)
      at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
      at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463)
      at org.forgerock.openidconnect.ClientDAO.create(ClientDAO.java:91)
      at org.forgerock.openidconnect.OpenIdConnectClientRegistrationService.createRegistration(OpenIdConnectClientRegistrationService.java:571)
      at org.forgerock.openidconnect.restlet.ConnectClientRegistration.createClient(ConnectClientRegistration.java:93)
      at sun.reflect.GeneratedMethodAccessor224.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
      at org.restlet.resource.ServerResource.post(ServerResource.java:1377)
      at org.restlet.resource.ServerResource.doHandle(ServerResource.java:620)
      at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
      at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
      at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
      at org.restlet.resource.Finder.handle(Finder.java:236)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:67)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:278)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:256)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:67)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:278)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:256)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:92)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:75)
      at org.restlet.Application.handle(Application.java:385)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      at org.restlet.Component.handle(Component.java:408)
      at org.restlet.Server.handle(Server.java:507)
      at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
      at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
      at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
      at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:122)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      at java.lang.Thread.run(Thread.java:745)

      at com.sun.identity.sm.ldap.SMSLdapObject.getSubEntries(SMSLdapObject.java:513)
      at com.sun.identity.sm.ldap.SMSLdapObject.subEntries(SMSLdapObject.java:471)
      at com.sun.identity.sm.SMSEntry.subEntries(SMSEntry.java:898)
      at com.sun.identity.sm.CachedSubEntries.getSubEntries(CachedSubEntries.java:144)
      at com.sun.identity.sm.CachedSubEntries.getSubEntries(CachedSubEntries.java:113)
      at com.sun.identity.sm.ServiceConfigImpl.getSubConfigNames(ServiceConfigImpl.java:191)
      at com.sun.identity.sm.ServiceConfig.getSubConfigNames(ServiceConfig.java:217)
      at com.sun.identity.idm.plugins.internal.AgentsRepo.create(AgentsRepo.java:282)
      at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
      at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463)
      at org.forgerock.openidconnect.ClientDAO.create(ClientDAO.java:91)
      at org.forgerock.openidconnect.OpenIdConnectClientRegistrationService.createRegistration(OpenIdConnectClientRegistrationService.java:571)
      at org.forgerock.openidconnect.restlet.ConnectClientRegistration.createClient(ConnectClientRegistration.java:93)
      at sun.reflect.GeneratedMethodAccessor224.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
      at org.restlet.resource.ServerResource.post(ServerResource.java:1377)
      at org.restlet.resource.ServerResource.doHandle(ServerResource.java:620)
      at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
      at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
      at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
      at org.restlet.resource.Finder.handle(Finder.java:236)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:67)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:278)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:256)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:67)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:278)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:256)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:92)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:75)
      at org.restlet.Application.handle(Application.java:385)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      at org.restlet.Component.handle(Component.java:408)
      at org.restlet.Server.handle(Server.java:507)
      at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
      at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
      at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
      at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:122)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      at java.lang.Thread.run(Thread.java:745)
      Caused by: org.forgerock.opendj.ldap.LdapException: Size Limit Exceeded: This search operation has sent the maximum of 1000 entries to the client
      at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:202)
      at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext(ConnectionEntryReader.java:224)
      at com.sun.identity.sm.ldap.SMSLdapObject.getSubEntries(SMSLdapObject.java:495)
      ... 114 more

       

      Work around

      configure Bind-DN specific resource limits, i.e. ds-rlim-size-limit

      see https://backstage.forgerock.com/docs/ds/5.5/admin-guide/#limit-search-resources

      Code analysis

      com.sun.identity.sm.CachedSubEntries.java
          public Set<String> getSubEntries(SSOToken token, String pattern)
                  throws SMSException, SSOException {
              if (debug.messageEnabled()) {
                  debug.message("CachedSubEntries: reading sub-entries DN: " + 
                     cachedEntry.getDN() + " pattern: " + pattern);
              }
              return cachedEntry.getSMSEntry().subEntries(token, pattern, 0, false, true);
          }
      

      This sets '0' as the size limit.

      This ends up in

      com.sun.identity.sm.ldap.SMSLdapObject.java
          private SearchRequest getSearchRequest(String dn, String filter, SearchScope scope, int numOfEntries, int timeLimit,
                  boolean sortResults, boolean ascendingOrder, String sortAttribute, String... attributes) {
              SearchRequest request = LDAPRequests.newSearchRequest(dn, scope, filter, attributes)
                      .setDereferenceAliasesPolicy(DereferenceAliasesPolicy.NEVER)
                      .setTimeLimit(timeLimit);
              if (numOfEntries > 0) {
                  request.setSizeLimit(numOfEntries);
              }
              if (sortResults) {
                  SortKey sortKey = new SortKey(sortAttribute, !ascendingOrder);
                  request.addControl(ServerSideSortRequestControl.newControl(true, sortKey));
              }
              return request;
          }
      
      ...
      
          private Set<String> getSubEntries(SSOToken token, String dn, String filter,
                  int numOfEntries, boolean sortResults, boolean ascendingOrder)
                  throws SMSException, SSOException {
              SearchRequest request = getSearchRequest(dn, filter, SearchScope.SINGLE_LEVEL, numOfEntries, 0, sortResults,
                      ascendingOrder, getNamingAttribute(), O_ATTR);
              int retry = 0;
      
              Set<String> answer = new LinkedHashSet<>();
              ConnectionEntryReader results;
              while (retry <= connNumRetry) {
                  debug.message("SMSLdapObject.subEntries() retry: {}", retry);
      
                  try (Connection conn = getConnection(token.getPrincipal())) {
                      // Get the sub entries
                      ConnectionEntryReader iterResults = conn.search(request);
                      iterResults.hasNext();
                      results = iterResults;
                      // Construct the results and return
                      try {
                          while (results != null && results.hasNext()) {
                              try {
                                  if (results.isReference()) {
                                      debug.warning("Skipping reference result: {}", results.readReference());
                                      continue;
                                  }
                                  SearchResultEntry entry = results.readEntry();
                                  // Check if the attribute starts with "ou="
                                  // Workaround for 3823, where (objectClass=*) is used
                                  if (entry.getName().toString().toLowerCase().startsWith("ou=")) {
                                      answer.add(entry.getName().rdn().getFirstAva().getAttributeValue().toString());
                                  }
                              } catch (SearchResultReferenceIOException e) {
                                  debug.error("SMSLdapObject.subEntries: Reference should be handled already for dn {}", dn, e);
                              }
                          }
                      } catch (LdapException e) {
                          debug.warning("SMSLdapObject.subEntries: Error in obtaining sub-entries: {}", dn, e);
                          throw new SMSException(e, "sms-entry-cannot-obtain");
                      }
                      break;
                  } catch (LdapException e) {
                      ResultCode errorCode = e.getResult().getResultCode();
                      if (errorCode.equals(ResultCode.NO_SUCH_OBJECT)) {
                          debug.message("SMSLdapObject.subEntries(): entry not present: {}", dn);
                          break;
                      }
                      if (!retryErrorCodes.contains(errorCode) || retry >= connNumRetry) {
                          debug.warning("SMSLdapObject.subEntries: Unable to search for sub-entries: {}", dn, e);
                          throw new SMSException(e, "sms-entry-cannot-search");
                      }
                      retry++;
                      try {
                          Thread.sleep(connRetryInterval);
                      } catch (InterruptedException ex) {
                          // ignored
                      }
                  }
              }
              debug.message("SMSLdapObject.subEntries: Successfully obtained sub-entries for {}", dn);
              return answer;
          }
      

      The size limit error is not handled nicely. Shouldn't it use the Simple Paged Results Control (https://backstage.forgerock.com/docs/ds/5.5/reference/#chap-controls) to read data in that case?
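
      A sketch of the paged read suggested above, written against the OpenDJ LDAP SDK. This is an added example, not OpenAM code and not the fix that was shipped. The class name PagedSubEntries, its list method and the pageSize parameter are hypothetical. It assumes the directory server counts its size limit per search request, so pageSize must stay at or below the limit that applies to the Bind-DN; confirm that behaviour on the DS version in use.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.DecodeException;
import org.forgerock.opendj.ldap.DecodeOptions;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.controls.SimplePagedResultsControl;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.ldap.requests.SearchRequest;
import org.forgerock.opendj.ldap.responses.Result;
import org.forgerock.opendj.ldap.responses.SearchResultEntry;

/** Hypothetical helper (not part of OpenAM): reads sub-entry names page by page. */
public final class PagedSubEntries {

    private PagedSubEntries() {
    }

    /**
     * Lists the "ou=" children directly below baseDn using the Simple Paged
     * Results control, so that no single search has to return more entries
     * than pageSize.
     *
     * @param pageSize entries per page; assumed to be at or below the
     *                 server-side size limit of the bind DN (1000 in the report)
     */
    public static Set<String> list(Connection conn, String baseDn, String filter, int pageSize)
            throws LdapException, DecodeException {
        if (pageSize <= 0) {
            throw new IllegalArgumentException("pageSize must be positive");
        }
        Set<String> names = new LinkedHashSet<>();
        // An empty cookie asks the server to start a new paged search.
        ByteString cookie = ByteString.empty();
        do {
            // "1.1" requests no attributes (RFC 4511); only the entry DN is needed.
            // The control is marked critical: a server that cannot page fails the
            // search instead of silently returning a truncated result.
            SearchRequest request = Requests
                    .newSearchRequest(baseDn, SearchScope.SINGLE_LEVEL, filter, "1.1")
                    .addControl(SimplePagedResultsControl.newControl(true, pageSize, cookie));

            List<SearchResultEntry> page = new ArrayList<>();
            Result result = conn.search(request, page);

            for (SearchResultEntry entry : page) {
                // Same "ou=" check as SMSLdapObject.getSubEntries in the report.
                if (entry.getName().toString().toLowerCase().startsWith("ou=")) {
                    names.add(entry.getName().rdn().getFirstAva().getAttributeValue().toString());
                }
            }

            // The response control carries the cookie for the next page.
            // No response control, or an empty cookie, means the last page was read.
            SimplePagedResultsControl response =
                    result.getControl(SimplePagedResultsControl.DECODER, new DecodeOptions());
            cookie = (response == null) ? ByteString.empty() : response.getCookie();
        } while (cookie.length() != 0);
        return names;
    }
}
```

      A Size Limit Exceeded result still surfaces as an LdapException from conn.search, so a caller can tell a truncated read apart from a complete one.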

            People

            • Assignee:
              jonthomas Jonathan Thomas
              Reporter:
              bthalmayr Bernhard Thalmayr