Re: ldap_get_values returns NULL when attribute got more then 1000 values.

[Peter Marschall <peter@adpm.de>]

Hi,

On Wednesday 07 April 2004 16:36, Hagai Yaffe wrote:
> Hello.
>
>         I am using the OpenLDAP API version 2.1.22 to get data from windows
> Active Directory, I am using the "memberOf" attribute to get all the groups
> a user is assigned to in the Active Directory, for a user who has less then
> a 1000 groups I have no problem, but for a user who is member off more then
> 1000 groups the ldap_get_values function returns NULL.
>
> After a little snooping around I have discovered that for a user who is
> member off more then a 1000 groups the Active Directory server sends only a
> 1000 groups, it also sends an header to inform the client of this, the
> header looks like this :
>
> .memberOf1.....0.......memberOf;range=0-999
>
> after this header a 1000 group names are sent, for less then a 1000 groups
> this header does not appear (only a header that identify the attribue as
> "memberOf").

AFAIK MS AD treats every search request as a paged search with a default 
search sizze of 1000.

It looks like the "header" you see is part of the paged-search cookie.
Maybe sniffing the connection with a scanner that cann dissect the LDAP 
protocol can tell what this header is exactly.

> It looks like the OpenLDAP API code is not ready to handle this header, The
> code looks for a length value and gets a length of 0 bytes, this cause the
> function to return NULL.

Hmm, ...
I do not know, if it conforms to the LDAP standard to send controls in answers 
that weren't in the request.
Section 4.1.12 of RFC2251 seems nt to cover this strange situation situation

> My question is if this is a bug in the OpenLDAP API code or a miss behavior
> by the Active Directory server ? any help / ideas on the subject would be
> greate.

Using a paged search should do the trick

Peter
-- 
Peter Marschall
eMail: peter@adpm.de