
RE: Win2K AD queries with large responses



Yes, I tried using "-z 1010", but still had the 1,000
response limit. I am pretty sure that it is an AD
limit. But isn't ldapsearch supposed to use paged
queries?

Also, do any potential hazards pop into your head in
regards to the code changes I made?

Thanks,
Dave

--- Howard Chu <hyc@highlandsun.com> wrote:
> Did you try the "-z sizelimit" option to ldapsearch? If you already tried
> this, then you are running into a limit that was configured on AD.
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Dave Snoopy
> > Sent: Thursday, June 27, 2002 12:13 PM
> > To: openldap
> > Subject: Win2K AD queries with large responses
> >
> >
> > A while ago I posted a problem I was having, in which
> > Kerberized queries against a Win2K AD server would
> > fail when the result was very large (e.g. a query for
> > all users when there were over 1,000 users). Someone
> > else posted that the reason for this was because
> > Windows was likely breaking a negotiated buffer size.
> > I am using OpenLDAP 2.1.2, with Cyrus-SASL 2.1.4, and
> > Heimdal Kerberos 0.4e.
> >
> > Well, after some detective work, I've found out how to
> > get around this problem to an extent. However, this
> > "solution" is not a real one, and hopefully may just
> > point someone in the right direction towards solving
> > this problem correctly.
> >
> > First off, I modified the following #define in the
> > OpenLDAP code:
> >
> >   in libraries/liblber/sockbuf.c:
> >   #define LBER_MAX_BUFF_SIZE 262144
> >
> > I had also *originally* changed the #define below, but
> > later found that changing it did not make any
> > difference, and so later changed it back to its
> > original value of 65535:
> >
> >   in libraries/libldap/ldap-int.h:
> >   #define SASL_MAX_BUF_SIZE 262144
> >
> >
> > Finally, I changed one if-statement in my Cyrus-SASL
> > code (and then recompiled my library). In the file
> > plugins/gssapi.c, I commented out the following check
> > in the function "gssapi_decode_once":
> >
> >    if (text->size > 0xFFFF || text->size <= 0) {
> >       SETERROR(text->utils, "Illegal size in sasl_gss_decode_once");
> >       return SASL_FAIL;
> >    }
> >
> > So all in all, I only made 2 changes (one to the
> > OpenLDAP source, and one to the Cyrus source). Both
> > seem to be needed.
> >
> > Before making the changes to the Cyrus code, the above
> > check was failing because the value of text->size was
> > equal to 158504 bytes. My guess is that this number is
> > the size of the response from the server.
> >
> > With these changes, my query works well enough for up
> > to exactly 1000 responses. As soon as I exceed this
> > number (e.g. by adding another user to my PDC), my
> > ldapsearch runs fine, but gives this output at the
> > end:
> >
> >    # search result
> >    search: 5
> >    result: 4 Size limit exceeded
> >
> >    # numResponses: 1002
> >    # numEntries: 1000
> >    # numReferences: 1
> >
> > "size limit exceeded" is a server error, and not due
> > to a lack of buffer space on my local machine. I know
> > this because I got the same results, even when I
> > requested fewer attributes in my query (which means
> > less data).
> >
> > So it seems that beyond 1000 responses, Windows
> > doesn't want to send back any more responses. But
> > obviously this works for Windows to Windows LDAP
> > queries, so some kind of secondary request for more
> > responses must be available. Does OpenLDAP have some
> > kind of paged query support that should be kicking in
> > for this? Does anyone have any advice or comments
> > about what I've discovered? Any help from you LDAP or
> > AD experts would be of tremendous value.
> >
> > --Dave
> >
> 


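
Added example, not code from this thread, from OpenLDAP or from Cyrus-SASL: a SASL security layer sends each protected buffer behind a four-octet length in network byte order, so the size check quoted in the message above is what bounds a value chosen by the peer before memory is allocated for it. The sketch below keeps that check but ties it to a negotiated receive limit instead of a fixed 0xFFFF. Assumptions: `text->size` in the quoted code is that decoded prefix, and `frame_decode_once` and the `FRAME_*` codes are hypothetical names used only here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this example (not Cyrus-SASL's). */
enum { FRAME_OK = 0, FRAME_NEED_MORE = 1, FRAME_BAD_SIZE = -1, FRAME_NOMEM = -2 };

/* Decode one length-prefixed buffer from `in`. max_buf is the receive limit
 * this side agreed to during negotiation; the prefix is peer-controlled, so
 * it is checked against max_buf before any allocation or copy. */
int frame_decode_once(const unsigned char *in, size_t inlen, uint32_t max_buf,
                      unsigned char **out, uint32_t *outlen, size_t *consumed)
{
    uint32_t size;

    *out = NULL;
    *outlen = 0;
    *consumed = 0;
    if (inlen < 4)
        return FRAME_NEED_MORE;   /* prefix not complete yet */
    size = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8) | (uint32_t)in[3];
    if (size == 0 || size > max_buf)
        return FRAME_BAD_SIZE;    /* same kind of check as the one commented out */
    if (inlen - 4 < size)
        return FRAME_NEED_MORE;   /* wait for the rest of the buffer */
    *out = malloc(size);
    if (*out == NULL)
        return FRAME_NOMEM;
    memcpy(*out, in + 4, size);
    *outlen = size;
    *consumed = 4 + (size_t)size;
    return FRAME_OK;
}

int main(void)
{
    /* Constructed input: a prefix announcing 158504 bytes (0x00026B28). */
    const unsigned char hdr[4] = { 0x00, 0x02, 0x6B, 0x28 };
    unsigned char *out;
    uint32_t n;
    size_t used;
    printf("limit 0xFFFF: %d\n", frame_decode_once(hdr, 4, 0xFFFF, &out, &n, &used));
    printf("limit 262144: %d\n", frame_decode_once(hdr, 4, 262144, &out, &n, &used));
    return 0;
}
```

With the check deleted outright, the only bound left on the allocation is the 32-bit prefix itself; with it tied to `max_buf`, a 158504-byte buffer is accepted only when that much was actually negotiated.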