
RE: Win2K AD queries with large responses

Did you try the "-z sizelimit" option to ldapsearch? If you already tried
then you are running into a limit that was configured on AD.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Dave Snoopy
> Sent: Thursday, June 27, 2002 12:13 PM
> To: openldap
> Subject: Win2K AD queries with large responses
>
> A while ago I posted a problem I was having, in which
> Kerberized queries against a Win2K AD server would
> fail when the result was very large (e.g. a query for
> all users when there were over 1,000 users). Someone
> else posted that the reason for this was because
> Windows was likely breaking a negotiated buffer size.
> I am using OpenLDAP 2.1.2, with Cyrus-SASL 2.1.4, and
> Heimdal Kerberos 0.4e.
>
> Well, after some detective work, I've found out how to
> get around this problem to an extent. However, this
> "solution" is not a real one, and hopefully may just
> point someone in the right direction towards solving
> this problem correctly.
>
> First off, I modified the following #define in the
> OpenLDAP code:
>   in libraries/liblber/sockbuf.c:
>   #define LBER_MAX_BUFF_SIZE 262144
>
> I had also *originally* changed the #define below, but
> later found that changing it did not make any
> difference, and so later changed it back to its
> original value of 65535:
>   in libraries/libldap/ldap-int.h:
>   #define SASL_MAX_BUF_SIZE 262144
>
> Finally, I changed one if-statement in my Cyrus-SASL
> code (and then recompiled my library). In the file
> plugins/gssapi.c, I commented out the following check
> in the function "gssapi_decode_once":
>    if (text->size > 0xFFFF || text->size <= 0) {
>       SETERROR(text->utils, "Illegal size in sasl_gss_decode_once");
>       return SASL_FAIL;
>    }
>
> So all in all, I only made 2 changes (one to the
> OpenLDAP source, and one to the Cyrus source). Both
> seem to be needed.
>
> Before making the changes to the Cyrus code, the above
> check was failing because the value of text->size was
> equal to 158504 bytes. My guess is that this number is
> the size of the response from the server.
>
> With these changes, my query works well enough for up
> to exactly 1000 responses. As soon as I exceed this
> number (e.g. by adding another user to my PDC), my
> ldapsearch runs fine, but gives this output at the
> end:
>    # search result
>    search: 5
>    result: 4 Size limit exceeded
>    # numResponses: 1002
>    # numEntries: 1000
>    # numReferences: 1
>
> "size limit exceeded" is a server error, and not due
> to a lack of buffer space on my local machine. I know
> this because I got the same results, even when I
> requested fewer attributes in my query (which means
> less data).
>
> So it seems that beyond 1000 responses, Windows
> doesn't want to send back any more responses. But
> obviously this works for Windows to Windows LDAP
> queries, so some kind of secondary request for more
> responses must be available. Does OpenLDAP have some
> kind of paged query support that should be kicking in
> for this? Does anyone have any advice or comments
> about what I've discovered? Any help from you LDAP or
> AD experts would be of tremendous value.
> --Dave
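The "result: 4 Size limit exceeded" at exactly 1000 entries is the behaviour of Active Directory's MaxPageSize LDAP policy (default 1000): the server will not return more than that many entries to a single search, and the client-side "-z" size limit on ldapsearch cannot raise a limit the server enforces. What Windows clients do to walk a larger result set is the Simple Paged Results control (RFC 2696, OID 1.2.840.113556.1.4.319): the client attaches a control value SEQUENCE { size INTEGER, cookie OCTET STRING } to the search, the server returns one page plus a cookie, and the client resends the same search with that cookie until the cookie comes back empty. The following Python is an added example, not code from this thread or from OpenLDAP or Cyrus-SASL; it encodes and decodes the control value by hand and runs the client loop against a constructed in-memory stand-in for a DC (the FakeDirectory class and its user DNs are hypothetical), so it runs offline with no network or real directory.

```python
# Simple Paged Results (RFC 2696) against a server capped at 1000 entries.
# Added example, not code from the thread. FakeDirectory is a constructed,
# in-memory stand-in for an AD-style MaxPageSize policy; nothing here talks
# to a real LDAP server.

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # control OID the client would send
MAX_PAGE_SIZE = 1000          # AD's default MaxPageSize LDAP policy
SUCCESS = 0                   # LDAP resultCode success
SIZE_LIMIT_EXCEEDED = 4       # LDAP resultCode sizeLimitExceeded


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(v):
    """BER INTEGER for v >= 0; the extra byte keeps the sign bit clear."""
    body = v.to_bytes((v.bit_length() // 8) + 1, "big")
    return b"\x02" + _ber_len(len(body)) + body


def _ber_octets(b):
    return b"\x04" + _ber_len(len(b)) + b


def encode_paged_control_value(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    inner = _ber_int(size) + _ber_octets(cookie)
    return b"\x30" + _ber_len(len(inner)) + inner


def _read_tlv(buf, pos, expected_tag):
    """Read one BER tag/length/value at pos; return (value, position after it)."""
    if buf[pos] != expected_tag:
        raise ValueError("unexpected BER tag 0x%02x" % buf[pos])
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return buf[pos:pos + length], pos + length


def decode_paged_control_value(value):
    """Strict decoder: rejects trailing bytes so a malformed control is not half-read."""
    inner, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    size_bytes, pos = _read_tlv(inner, 0, 0x02)
    cookie, pos = _read_tlv(inner, pos, 0x04)
    if pos != len(inner):
        raise ValueError("trailing bytes inside control value")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


class FakeDirectory:
    """Constructed stand-in for a DC that caps every search at MAX_PAGE_SIZE."""

    def __init__(self, n_users):
        self.entries = ["cn=user%04d,cn=Users,dc=example,dc=com" % i
                        for i in range(n_users)]

    def search(self, control_value=None):
        """Return (resultCode, entries, response control value or None)."""
        if control_value is None:
            # Plain search: the server stops at its limit and reports it,
            # which is the "result: 4 Size limit exceeded" seen in the thread.
            if len(self.entries) > MAX_PAGE_SIZE:
                return SIZE_LIMIT_EXCEEDED, self.entries[:MAX_PAGE_SIZE], None
            return SUCCESS, list(self.entries), None
        size, cookie = decode_paged_control_value(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0
        page = min(size, MAX_PAGE_SIZE)          # the cap applies per page, not per search
        chunk = self.entries[start:start + page]
        nxt = start + len(chunk)
        new_cookie = nxt.to_bytes(4, "big") if nxt < len(self.entries) else b""
        return SUCCESS, chunk, encode_paged_control_value(0, new_cookie)


def paged_search(server, page_size=1000):
    """Client side of RFC 2696: resend with the returned cookie until it is empty."""
    results, cookie, pages = [], b"", 0
    while True:
        rc, entries, resp = server.search(encode_paged_control_value(page_size, cookie))
        if rc != SUCCESS:
            raise RuntimeError("search failed, resultCode %d" % rc)
        results.extend(entries)
        pages += 1
        _, cookie = decode_paged_control_value(resp)
        if not cookie:
            return results, pages


if __name__ == "__main__":
    dc = FakeDirectory(1002)                       # one more than the thread's 1001
    rc, plain, _ = dc.search()
    print("plain search: resultCode %d, %d entries" % (rc, len(plain)))
    all_entries, pages = paged_search(dc)
    print("paged search: %d entries in %d pages" % (len(all_entries), pages))
```

The plain search stops at 1000 entries with resultCode 4, exactly as in the thread, while the paged loop collects all 1002 in two round trips. Later OpenLDAP ldapsearch releases expose this control directly as "-E pr=1000/noprompt", which avoids the source patches described above; note that the decoder refuses trailing bytes, the kind of check that the commented-out size test in gssapi.c was also providing on the SASL layer.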