
(ITS#5472) ldap_get_values() should handle paged results from LDAP/AD

Full_Name: Petter Reinholdtsen
Version: 2.1.30
OS: Debian GNU/Linux Etch
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:700:100:6:213:72ff:fe93:c639)

I ran into this problem when trying to use nss-ldapd with LDAP
from a Microsoft Active Directory server.  The problem only appears if there
are more than 1500 members in a group.  When there are fewer than 1500 members,
the result from the LDAP server looks like this:

  member: CN=user1,OU=Elever,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
  member: CN=user2,OU=Ansatte,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL

This is properly handled by ldap_get_values(), and the nss-ldapd module works
properly.  For groups with more than 1500 members, the result from the LDAP
server looks like this:


This notation is not handled by ldap_get_values(), and it returns NULL, resulting
in a group with zero members.  Is there a way to parse such "paged" attributes
with the openldap library, and could ldap_get_values() be changed to handle these?

Is the range= notation legal LDAP notation?  I have been unable to find anything
about this in any RFC, but our resident LDAP expert mentioned that it could be
according to some extension specification.  Have not been able to find anything
about it.

To get the rest of the members I have to ask for attribute 'member;range=1500-*'
and repeat this until the result shows, for example, 'range=6000-*' to indicate
that this is the last batch of members.
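
The retrieval loop described in the report depends on reading the range bounds back from the returned attribute description and stopping when the upper bound is '*'. The following C code is an added example, not code from the report, OpenLDAP or nss-ldapd: parse_range() and next_request() are hypothetical helpers, and the sample description "member;range=0-1499" is a constructed value that assumes the server labels each batch with its bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* One batch as described by e.g. "member;range=0-1499" (constructed sample). */
struct attr_range {
    long low;     /* index of first value in this batch */
    long high;    /* index of last value; -1 when the server sent '*' */
    int is_last;  /* 1 when the upper bound is '*', so nothing follows */
};

/* Parse "<base>;range=<low>-<high|*>"; 0 on success, -1 if not that form. */
int parse_range(const char *desc, const char *base, struct attr_range *out)
{
    size_t n = strlen(base);
    char *end;
    if (strncasecmp(desc, base, n) != 0 ||
        strncasecmp(desc + n, ";range=", 7) != 0)
        return -1;
    desc += n + 7;
    if (*desc < '0' || *desc > '9')          /* reject sign, space, empty */
        return -1;
    out->low = strtol(desc, &end, 10);
    if (*end != '-')
        return -1;
    desc = end + 1;
    out->is_last = (strcmp(desc, "*") == 0);
    out->high = -1;
    if (out->is_last)
        return 0;
    if (*desc < '0' || *desc > '9')
        return -1;
    out->high = strtol(desc, &end, 10);
    return (*end == '\0' && out->high >= out->low) ? 0 : -1;
}

/* Write the next attribute to request, e.g. "member;range=1500-*".
 * Returns 1 if written, 0 if the batch was the last or buf is too small. */
int next_request(const char *base, const struct attr_range *r,
                 char *buf, size_t len)
{
    int n;
    if (r->is_last)
        return 0;
    n = snprintf(buf, len, "%s;range=%ld-*", base, r->high + 1);
    return n > 0 && (size_t)n < len;
}
```

A caller treats a description that fails to parse as an error, not as an empty value list, so a large group is never silently reported with zero members.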