permission_find: Do not fail for ipasearchrecordslimit=-1

ipasearchrecordslimit can be -1, which means unlimited.
The permission_find post_callback failed in this case in legacy
permission handling.
Do not fail in this case.

1 files changed, 2 insertions, 1 deletions

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 345faa89..fef640c3 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -891,11 +891,12 @@ class permission_find(baseldap.LDAPSearch):
             for entry in legacy_entries:
                 if entry.single_value['cn'] in nonlegacy_names:
                     continue
-                if len(entries) > max_entries:
+                if max_entries > 0 and len(entries) > max_entries:
                     # We've over the limit, pop the last entry and set
                     # truncated flag
                     # (this is easier to do than checking before adding
                     # the entry to results)
+                    # (max_entries <= 0 means unlimited)
                     entries.pop()
                     truncated = True
                     break