
Win2K AD queries with large responses



A while ago I posted a problem I was having, in which
Kerberized queries against a Win2K AD server would
fail when the result was very large (e.g. a query for
all users when there were over 1,000 users). Someone
else posted that the reason for this was because
Windows was likely breaking a negotiated buffer size.
I am using OpenLDAP 2.1.2, with Cyrus-SASL 2.1.4, and
Heimdal Kerberos 0.4e.

Well, after some detective work, I've found out how to
get around this problem to an extent. However, this
"solution" is not a real one, and hopefully may just
point someone in the right direction towards solving
this problem correctly.

First off, I modified the following #define in the
OpenLDAP code:

  in libraries/liblber/sockbuf.c:
  #define LBER_MAX_BUFF_SIZE 262144
  
I had also *originally* changed the #define below, but
later found that changing it did not make any
difference, and so later changed it back to its
original value of 65535:

  in libraries/libldap/ldap-int.h:
  #define SASL_MAX_BUF_SIZE 262144


Finally, I changed one if-statement in my Cyrus-SASL
code (and then recompiled my library). In the file
plugins/gssapi.c, I commented out the following check
in the function "gssapi_decode_once":

   if (text->size > 0xFFFF || text->size <= 0) {
      SETERROR(text->utils, "Illegal size in sasl_gss_decode_once");
      return SASL_FAIL;
   }

So all in all, I only made 2 changes (one to the
OpenLDAP source, and one to the Cyrus source). Both
seem to be needed.

Before making the changes to the Cyrus code, the above
check was failing because the value of text->size was
equal to 158504 bytes. My guess is that this number is
the size of the response from the server.

With these changes, my query works well enough for up
to exactly 1000 responses. As soon as I exceed this
number (e.g. by adding another user to my PDC), my
ldapsearch runs fine, but gives this output at the
end:

   # search result
   search: 5
   result: 4 Size limit exceeded
 
   # numResponses: 1002
   # numEntries: 1000
   # numReferences: 1

"size limit exceeded" is a server error, and not due
to a lack of buffer space on my local machine. I know
this because I got the same results, even when I
requested fewer attributes in my query (which means
less data).

So it seems that beyond 1000 responses, Windows
doesn't want to send back any more responses. But
obviously this works for Windows to Windows LDAP
queries, so some kind of secondary request for more
responses must be available. Does OpenLDAP have some
kind of paged query support that should be kicking in
for this? Does anyone have any advice or comments
about what I've discovered? Any help from you LDAP or
AD experts would be of tremendous value.

--Dave
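The size check quoted above sits in the SASL security layer that wraps LDAP traffic after a GSSAPI bind. As an added illustration (this is not Cyrus-SASL or OpenLDAP code, and the 0xFFFF cap is the one the post quotes, not a protocol constant), the following C models that layer as RFC 4752 defines it: each peer announces, in a 4-octet token, the layers it supports and the largest buffer it will accept, and after that every wrapped token is preceded by a 4-octet network-order length. The receiver reads that length before it can verify the token, so the cap it enforces is also the bound on how much memory an unauthenticated peer can make it allocate; raising it to 262144 as the post does widens that bound. The frame sizes and tokens in the test scenario are constructed to match the numbers in the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example; not Cyrus-SASL or OpenLDAP code. Models the SASL GSSAPI
 * security layer of RFC 4752: a 4-octet negotiation token (layer bitmask plus
 * 24-bit maximum buffer size), then length-prefixed wrapped tokens on the wire.
 * The length is visible before the token is verified, so the cap enforced here
 * bounds what an unauthenticated peer can make the receiver allocate. */

enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_TOO_LARGE, FRAME_BAD_LENGTH };

/* Security-layer bits from RFC 4752: 1 = none, 2 = integrity, 4 = confidentiality. */
#define SL_NONE 1
#define SL_INTEGRITY 2
#define SL_CONFIDENTIALITY 4

/* Parse the negotiation token: octet 0 is the layer bitmask, octets 1..3 the
 * peer's maximum buffer size (24-bit, network order). Returns 0 if invalid. */
int parse_seclayer_token(const unsigned char tok[4], unsigned *layers, uint32_t *maxbuf) {
    *layers = tok[0];
    *maxbuf = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
    if ((*layers & (SL_INTEGRITY | SL_CONFIDENTIALITY)) && *maxbuf == 0) return 0;
    return 1;
}

/* Build a negotiation token (used here to construct test input). */
void build_seclayer_token(unsigned char tok[4], unsigned layers, uint32_t maxbuf) {
    tok[0] = (unsigned char)layers;
    tok[1] = (unsigned char)(maxbuf >> 16);
    tok[2] = (unsigned char)(maxbuf >> 8);
    tok[3] = (unsigned char)maxbuf;
}

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Write the 4-octet length prefix that precedes each wrapped token. */
void put_frame_header(unsigned char out[4], uint32_t n) {
    out[0] = (unsigned char)(n >> 24); out[1] = (unsigned char)(n >> 16);
    out[2] = (unsigned char)(n >> 8);  out[3] = (unsigned char)n;
}

/* Examine the frame at the start of buf (len bytes received so far) against the
 * negotiated maxbuf. *frame_len gets the announced payload size; *consumed the
 * bytes (prefix + payload) to hand to the unwrap step once the frame is complete.
 * This is the shape of the decode loop whose size check the post describes. */
enum frame_status check_frame(const unsigned char *buf, size_t len, uint32_t maxbuf,
                              uint32_t *frame_len, size_t *consumed) {
    if (len < 4) return FRAME_NEED_MORE;
    uint32_t n = be32(buf);
    *frame_len = n;
    if (n == 0) return FRAME_BAD_LENGTH;
    if (n > maxbuf) return FRAME_TOO_LARGE;      /* reject before allocating n bytes */
    if (len - 4 < n) return FRAME_NEED_MORE;      /* wait for the rest of the token */
    *consumed = 4 + (size_t)n;
    return FRAME_OK;
}

/* Stand-alone walk-through of the post's scenario: a 158504-byte response
 * under the 0xFFFF cap, then under the raised 262144 cap. */
int main(void) {
    unsigned char hdr[4];
    uint32_t fl; size_t used = 0;
    put_frame_header(hdr, 158504);
    printf("cap 0xFFFF:  status %d\n", check_frame(hdr, 4, 0xFFFF, &fl, &used));
    printf("cap 262144:  status %d (need more data)\n", check_frame(hdr, 4, 262144, &fl, &used));
    return 0;
}
```

The useful check on a real deployment is the value each side announces in its negotiation token: if the client's advertised receive buffer is 65535 and the server still sends a 158504-byte frame, the server is ignoring the negotiation; if the client advertises more than the library can actually decode, the mismatch is local.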
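On the "secondary request for more responses" the post asks about: the mechanism Windows-to-Windows clients use is the simple paged results control (RFC 2696, OID 1.2.840.113556.1.4.319), which lets a client fetch a result set in pages no larger than the server's size limit. As an added example (not OpenLDAP or Active Directory code), the C below encodes and strictly decodes the control's BER value, and runs the client/server exchange against a constructed in-memory server stand-in so the round trips for a 1002-entry result with a 1000-entry page can be followed offline. Everything about the stand-in server (offset cookies, a counter instead of entries) is an assumption made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not OpenLDAP or Windows code. RFC 2696 paged results carry
 *   realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
 * The client sends its page size with an empty cookie; every response carries a
 * cookie the client echoes back for the next page, until the cookie is empty.
 * server_page() below is a constructed stand-in for the server, not AD. */

static size_t put_len(unsigned char *out, size_t n) {       /* BER length, n <= 0xFFFF */
    if (n < 128) { out[0] = (unsigned char)n; return 1; }
    if (n < 256) { out[0] = 0x81; out[1] = (unsigned char)n; return 2; }
    out[0] = 0x82; out[1] = (unsigned char)(n >> 8); out[2] = (unsigned char)n; return 3;
}

static int get_len(const unsigned char *p, size_t avail, size_t *len, size_t *used) {
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; *used = 1; return 1; }
    size_t n = p[0] & 0x7F;                                  /* long form: n length octets */
    if (n == 0 || n > 2 || avail < 1 + n) return 0;
    *len = 0;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[1 + i];
    *used = 1 + n;
    return 1;
}

/* Encode {size, cookie}; returns bytes written, 0 if the output does not fit. */
size_t encode_paged_control(unsigned char *out, size_t cap, uint32_t size,
                            const unsigned char *cookie, size_t cookie_len) {
    unsigned char body[256], raw[4] = { (unsigned char)(size >> 24), (unsigned char)(size >> 16),
                                        (unsigned char)(size >> 8), (unsigned char)size };
    size_t b = 0, skip = 0;
    if (cookie_len > 200) return 0;
    while (skip < 3 && raw[skip] == 0) skip++;               /* shortest INTEGER encoding */
    body[b++] = 0x02;
    if (raw[skip] & 0x80) { body[b++] = (unsigned char)(5 - skip); body[b++] = 0x00; }
    else body[b++] = (unsigned char)(4 - skip);
    memcpy(body + b, raw + skip, 4 - skip); b += 4 - skip;
    body[b++] = 0x04;
    b += put_len(body + b, cookie_len);
    if (cookie_len) memcpy(body + b, cookie, cookie_len);
    b += cookie_len;
    if (cap < 3 + b) return 0;
    out[0] = 0x30;
    size_t o = 1 + put_len(out + 1, b);
    memcpy(out + o, body, b);
    return o + b;
}

/* Decode strictly: exact lengths, non-negative size, no trailing bytes.
 * The returned cookie pointer aliases the input buffer. */
int decode_paged_control(const unsigned char *in, size_t len, uint32_t *size,
                         const unsigned char **cookie, size_t *cookie_len) {
    size_t l, u, pos = 0;
    if (len < 2 || in[pos++] != 0x30) return 0;
    if (!get_len(in + pos, len - pos, &l, &u)) return 0;
    pos += u;
    if (pos + l != len) return 0;
    if (pos >= len || in[pos++] != 0x02) return 0;
    if (!get_len(in + pos, len - pos, &l, &u)) return 0;
    pos += u;
    if (l == 0 || l > 5 || pos + l > len || (in[pos] & 0x80)) return 0;
    if (l == 5 && in[pos] != 0) return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < l; i++) v = (v << 8) | in[pos + i];
    pos += l;
    if (pos >= len || in[pos++] != 0x04) return 0;
    if (!get_len(in + pos, len - pos, &l, &u)) return 0;
    pos += u;
    if (pos + l != len) return 0;
    *size = v; *cookie = in + pos; *cookie_len = l;
    return 1;
}

/* Constructed server stand-in: entries are numbered 0..total-1, the cookie is the
 * 4-byte offset of the next page, the last page gets an empty cookie. Returns the
 * number of entries in the page, or UINT32_MAX on a malformed or unknown request. */
uint32_t server_page(uint32_t total, const unsigned char *req, size_t req_len,
                     unsigned char *resp, size_t resp_cap, size_t *resp_len) {
    uint32_t size, off = 0; const unsigned char *ck; size_t ckl;
    if (!decode_paged_control(req, req_len, &size, &ck, &ckl)) return UINT32_MAX;
    if (ckl == 4) off = ((uint32_t)ck[0] << 24) | ((uint32_t)ck[1] << 16) | ((uint32_t)ck[2] << 8) | ck[3];
    else if (ckl != 0) return UINT32_MAX;
    if (off > total) return UINT32_MAX;
    uint32_t n = total - off < size ? total - off : size, nx = off + n;
    unsigned char next[4] = { (unsigned char)(nx >> 24), (unsigned char)(nx >> 16),
                              (unsigned char)(nx >> 8), (unsigned char)nx };
    *resp_len = encode_paged_control(resp, resp_cap, 0, next, nx < total ? 4 : 0);
    return *resp_len ? n : UINT32_MAX;
}

/* Client side: re-issue the search with the returned cookie until it is empty.
 * Returns entries received (UINT32_MAX on error); *pages counts round trips. */
uint32_t fetch_all_paged(uint32_t total, uint32_t page_size, uint32_t *pages) {
    unsigned char req[32], resp[32], cookie[8]; size_t cl = 0, rl, resp_len;
    uint32_t got = 0, ignored; const unsigned char *ck;
    *pages = 0;
    for (;;) {
        rl = encode_paged_control(req, sizeof req, page_size, cookie, cl);
        uint32_t n = server_page(total, req, rl, resp, sizeof resp, &resp_len);
        if (n == UINT32_MAX) return UINT32_MAX;
        got += n; (*pages)++;
        if (!decode_paged_control(resp, resp_len, &ignored, &ck, &cl) || cl > sizeof cookie) return UINT32_MAX;
        if (cl == 0) return got;                             /* empty cookie: last page */
        memcpy(cookie, ck, cl);
    }
}
```

Two points the exchange makes visible: the client must treat the cookie as opaque (the offset encoding above is only the stand-in's choice), and the page size it requests has to stay within the server's size limit, otherwise the server answers with the same "Size limit exceeded" result the post shows. In OpenLDAP's libldap the control is built with ldap_create_page_control() rather than by hand.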
