Troubleshooting OpenLDAP Size Limit Exceeded (Can’t Return More Than 500 Entries)



When querying an OpenLDAP server, you might encounter the frustrating "Size limit exceeded" error that caps your results at 500 entries, despite having configured higher limits in both slapd.conf and ldap.conf. This is a common pain point during directory service migration or large-scale user management.

There are actually three places where size limits can be imposed:

1. Server-side (slapd.conf/slapd.d)
2. Client-side (ldap.conf)
3. Built-in OpenLDAP defaults

For modern OpenLDAP 2.4+ installations using OLC (cn=config), you'll need to modify the global limits:

# First create an LDIF file (limits.ldif). olcSizeLimit is single-valued, so
# "add" fails if a value is already present; "replace" works either way.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 10000

# Then apply it
ldapmodify -Y EXTERNAL -H ldapi:/// -f limits.ldif

Even with server limits increased, client tools may enforce their own restrictions. For ldapsearch, explicitly specify:

ldapsearch -x -h localhost -b "dc=XXX,dc=XXX,dc=XXX" -E pr=10000/noprompt

Or alternatively:

ldapsearch -x -h localhost -b "dc=XXX,dc=XXX,dc=XXX" -z 10000

After making changes, verify the effective limits:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSizeLimit

Check for any database-level or per-requester limits (olcLimits in cn=config, or limits in slapd.conf) that might be overriding your global settings.

When increasing size limits, be mindful of:

  • Memory usage on both server and client
  • Network bandwidth for large result sets
  • Indexing efficiency for large queries

For production environments, consider implementing paged results instead of massive unfiltered queries:

ldapsearch -x -h localhost -b "dc=example,dc=com" -E pr=1000/prompt

When working with OpenLDAP, you might encounter the frustrating limitation where queries return only 500 entries despite configuring higher limits. This occurs because OpenLDAP implements multiple layers of size restrictions:

# Typical error you'll see
search: 2
result: 4 Size limit exceeded
# numResponses: 501
# numEntries: 500

To properly override the default 500-entry limit, you need to configure both server-side and client-side settings:

1. Server Configuration (slapd.conf or cn=config)

For traditional slapd.conf:

# /etc/openldap/slapd.conf
sizelimit 10000
limits * size=unlimited

For modern cn=config (LDIF modification):

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 10000

2. Client Configuration

Update /etc/openldap/ldap.conf:

SIZELIMIT 10000

3. Command Line Override

For immediate testing, use the -z flag:

ldapsearch -x -h localhost -b "dc=XXX,dc=XXX,dc=XXX" -z 10000

If changes don't take effect:

  • Verify config location: newer OpenLDAP versions use dynamic configuration (cn=config) instead of slapd.conf
  • Check for multiple ldap.conf files (both /etc/openldap/ and /etc/ldap/)
  • Restart slapd after configuration changes: systemctl restart slapd

You can implement granular, per-requester control with the limits directive (olcLimits in cn=config), which selects requesters by bind DN much like an access rule; the first matching line applies:

# Admin gets unlimited results, everyone else is capped at 100
limits dn.exact="cn=admin,dc=example,dc=com" size=unlimited
limits * size=100

While increasing the size limit is useful, consider:

  • Adding proper indexes: olcDbIndex: objectClass eq
  • Using paged results with -E pr=100/noprompt
  • Implementing server-side filtering, e.g. with the filter (&(objectClass=user)(department=engineering))
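The paged-results advice above (here and in the earlier section) relies on the RFC 2696 Simple Paged Results control, OID 1.2.840.113556.1.4.319, which ldapsearch sends for -E pr=. The following is an added example, not code from this page or from OpenLDAP: it encodes and decodes the control value and pages a constructed 1200-entry directory through an in-memory server stand-in that cuts unpaged searches at the 500-entry default; the stand-in's behaviour is an assumption for illustration, not slapd's implementation.

```python
# Added example: the RFC 2696 Simple Paged Results control that ldapsearch sends for -E pr=,
# walked against an in-memory stand-in for a slapd whose sizelimit is the default 500.
SERVER_SIZE_LIMIT = 500

def _ber_len(n):  # BER length octets: short form below 128, long form above
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 128 else bytes([0x80 | len(body)]) + body

def _read_tlv(buf, pos, tag):
    # One tag-length-value starting at pos, checking the tag; returns (value, position after it)
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError("truncated value or unexpected BER tag at offset %d" % pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return buf[pos:pos + length], pos + length

def encode_paged_control(size, cookie=b""):
    # realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
    num = size.to_bytes((size.bit_length() + 8) // 8, "big")  # spare byte keeps the sign bit clear
    inner = b"\x02" + _ber_len(len(num)) + num + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner

def decode_paged_control(blob):
    # Inverse of encode_paged_control; rejects trailing bytes and negative sizes
    seq, end = _read_tlv(blob, 0, 0x30)
    num, pos = _read_tlv(seq, 0, 0x02)
    cookie, pos = _read_tlv(seq, pos, 0x04)
    size = int.from_bytes(num, "big", signed=True)
    if end != len(blob) or pos != len(seq) or size < 0:
        raise ValueError("malformed pagedResultsControl value")
    return size, cookie

def server_search(entries, control=None):
    # Server stand-in (an assumption, not slapd code): unpaged searches are cut at SERVER_SIZE_LIMIT with
    # code 4 (sizeLimitExceeded); paged ones get min(page size, limit) entries and an offset cookie, empty when done.
    if control is None:
        return entries[:SERVER_SIZE_LIMIT], 4 if len(entries) > SERVER_SIZE_LIMIT else 0, None
    size, cookie = decode_paged_control(control)
    start = int.from_bytes(cookie, "big") if cookie else 0
    end = min(start + min(size, SERVER_SIZE_LIMIT), len(entries))
    return entries[start:end], 0, encode_paged_control(0, b"" if size == 0 or end >= len(entries) else end.to_bytes(4, "big"))

def paged_search(entries, page_size):
    # Client loop: resend the control with the server's cookie until it comes back empty
    results, cookie = [], None
    while cookie != b"":
        page, _, response = server_search(entries, encode_paged_control(page_size, cookie or b""))
        results.extend(page)
        cookie = decode_paged_control(response)[1]
    return results
```

A page size larger than the server limit is simply clamped per page, which is why pr=1000 still walks the whole set while a plain -z 10000 stops at result code 4.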