
RE: Win2K AD queries with large responses



Some answers:
1) Paging is an option, it is not the default.
2) OpenLDAP does not currently support paged results.
3) The paged results mechanism still has to obey the maximum sizelimits, so
   it is irrelevant for purposes of this discussion. With or without paging,
   the AD you are querying will only give you 1000 results. If you want more,
   change the settings on your AD server.

RFC2222 specifies that for GSSAPI (and for Kerberos4) the maximum cipher
buffer size is passed in a 24-bit integer. As such, I'd say the 64K limit in
the Cyrus code is a bug. Eliminating the test may be a mistake; you should
probably just change the test to compare against 0xffffff instead.

As for the change in liblber, the SASL handshake is supposed to tell the
other side the maximum buffer size you are willing to receive. Since the
original liblber code would always specify a number smaller than 64K, the AD
server should not be sending anything larger than that. Since it's obvious
that AD is violating the SASL spec in this area, I can't even guess at what a
reasonable value to use in liblber would be. You're on your own.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: Dave Snoopy [mailto:kingsnoopy7@yahoo.com]
> Sent: Thursday, June 27, 2002 12:39 PM
> To: Howard Chu; openldap
> Subject: RE: Win2K AD queries with large responses
>
>
> Yes, I tried using "-z 1010", but still had the 1,000
> response limit. I am pretty sure that it is an AD
> limit. But isn't ldapsearch supposed to use paged
> queries?
>
> Also, do any potential hazards pop into your head in
> regards to the code changes I made?
>
> Thanks,
> Dave
>
> --- Howard Chu <hyc@highlandsun.com> wrote:
> > Did you try the "-z sizelimit" option to ldapsearch? If you already
> > tried this, then you are running into a limit that was configured on AD.
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Dave Snoopy
> > > Sent: Thursday, June 27, 2002 12:13 PM
> > > To: openldap
> > > Subject: Win2K AD queries with large responses
> > >
> > >
> > > A while ago I posted a problem I was having, in which Kerberized
> > > queries against a Win2K AD server would fail when the result was very
> > > large (e.g. a query for all users when there were over 1,000 users).
> > > Someone else posted that the reason for this was because Windows was
> > > likely breaking a negotiated buffer size. I am using OpenLDAP 2.1.2,
> > > with Cyrus-SASL 2.1.4, and Heimdal Kerberos 0.4e.
> > >
> > > Well, after some detective work, I've found out how to get around this
> > > problem to an extent. However, this "solution" is not a real one, and
> > > hopefully may just point someone in the right direction towards solving
> > > this problem correctly.
> > >
> > > First off, I modified the following #define in the
> > > OpenLDAP code:
> > >
> > >   in libraries/liblber/sockbuf.c:
> > >   #define LBER_MAX_BUFF_SIZE 262144
> > >
> > > I had also *originally* changed the #define below, but later found that
> > > changing it did not make any difference, and so later changed it back
> > > to its original value of 65535:
> > >
> > >   in libraries/libldap/ldap-int.h:
> > >   #define SASL_MAX_BUF_SIZE 262144
> > >
> > >
> > > Finally, I changed one if-statement in my Cyrus-SASL code (and then
> > > recompiled my library). In the file plugins/gssapi.c, I commented out
> > > the following check in the function "gssapi_decode_once":
> > >
> > >    if (text->size > 0xFFFF || text->size <= 0) {
> > >       SETERROR(text->utils, "Illegal size in sasl_gss_decode_once");
> > >       return SASL_FAIL;
> > >    }
> > >
> > > So all in all, I only made 2 changes (one to the OpenLDAP source, and
> > > one to the Cyrus source). Both seem to be needed.
> > >
> > > Before making the changes to the Cyrus code, the above check was
> > > failing because the value of text->size was equal to 158504 bytes. My
> > > guess is that this number is the size of the response from the server.
> > >
> > > With these changes, my query works well enough for up to exactly 1000
> > > responses. As soon as I exceed this number (e.g. by adding another user
> > > to my PDC), my ldapsearch runs fine, but gives this output at the end:
> > >
> > >    # search result
> > >    search: 5
> > >    result: 4 Size limit exceeded
> > >
> > >    # numResponses: 1002
> > >    # numEntries: 1000
> > >    # numReferences: 1
> > >
> > > "size limit exceeded" is a server error, and not due to a lack of
> > > buffer space on my local machine. I know this because I got the same
> > > results, even when I requested fewer attributes in my query (which
> > > means less data).
> > >
> > > So it seems that beyond 1000 responses, Windows doesn't want to send
> > > back any more responses. But obviously this works for Windows to
> > > Windows LDAP queries, so some kind of secondary request for more
> > > responses must be available. Does OpenLDAP have some kind of paged
> > > query support that should be kicking in for this? Does anyone have any
> > > advice or comments about what I've discovered? Any help from you LDAP
> > > or AD experts would be of tremendous value.
> > >
> > > --Dave
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Yahoo! - Official partner of 2002 FIFA World Cup
> > > http://fifaworldcup.yahoo.com
> >
>
>
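Howard's two points, the 24-bit size field in the RFC 2222 GSSAPI security-layer token and keeping the Cyrus test rather than deleting it, as an added C example written for this page (it is not Cyrus-SASL or OpenLDAP code). It decodes and encodes the negotiation token, then places the quoted 16-bit check beside the 24-bit comparison Howard suggests and beside a stricter variant that bounds incoming wrapped buffers by the size this side announced. The function names, the 0x06 layer bitmask and the token bytes are my own constructions; only the values 158504, 65535 and 262144 come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Largest value the 3-octet field of the RFC 2222 GSSAPI security-layer
 * token can carry; no conforming peer can announce anything bigger. */
#define GSS_MAXBUF_LIMIT 0xFFFFFFu

/* Decode the 4-octet token exchanged when the security layer is negotiated:
 * octet 0 is the bitmask of layers, octets 1..3 the maximum buffer size the
 * sender is willing to receive, in network byte order. Returns that size;
 * the layer bitmask is stored through `layers` if it is non-NULL. */
uint32_t gss_decode_layer_token(const uint8_t tok[4], uint8_t *layers)
{
    if (layers)
        *layers = tok[0];
    return ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | (uint32_t)tok[3];
}

/* Encode the same token. Returns -1 if maxbuf does not fit in 24 bits. */
int gss_encode_layer_token(uint8_t layers, uint32_t maxbuf, uint8_t out[4])
{
    if (maxbuf > GSS_MAXBUF_LIMIT)
        return -1;
    out[0] = layers;
    out[1] = (uint8_t)(maxbuf >> 16);
    out[2] = (uint8_t)(maxbuf >> 8);
    out[3] = (uint8_t)maxbuf;
    return 0;
}

/* Encode then decode; returns the decoded size, or 0 if encoding failed.
 * Shows that a value above 0xFFFFFF is simply not representable. */
uint32_t gss_maxbuf_roundtrip(uint8_t layers, uint32_t maxbuf)
{
    uint8_t tok[4];
    if (gss_encode_layer_token(layers, maxbuf, tok) != 0)
        return 0;
    return gss_decode_layer_token(tok, NULL);
}

/* The test quoted from gssapi_decode_once(): a hard 16-bit ceiling on the
 * length prefix of an incoming wrapped buffer. 158504 fails it. */
int gss_size_ok_legacy(uint32_t size)
{
    return !(size > 0xFFFFu || size == 0);
}

/* Howard's suggested replacement: keep the test, but compare against the
 * 24-bit ceiling the negotiation token can express. */
int gss_size_ok_24bit(uint32_t size)
{
    return !(size > GSS_MAXBUF_LIMIT || size == 0);
}

/* Stricter: bound the incoming length by the maxbuf we announced. A peer
 * sending more is breaking the negotiated contract, and the buffer is
 * refused before any allocation is sized from the peer's number. */
int gss_size_ok_negotiated(uint32_t size, uint32_t announced_maxbuf)
{
    if (announced_maxbuf == 0 || announced_maxbuf > GSS_MAXBUF_LIMIT)
        return 0;                        /* our own announced value is bogus */
    return size != 0 && size <= announced_maxbuf;
}

int main(void)
{
    /* Constructed token (not captured traffic): integrity+confidentiality
     * bits and maxbuf = 158504, the size reported in the thread. */
    const uint8_t tok[4] = { 0x06, 0x02, 0x6B, 0x28 };
    uint8_t layers;
    uint32_t size = gss_decode_layer_token(tok, &layers);

    printf("layers=0x%02x maxbuf=%u\n", layers, size);
    printf("legacy 16-bit test  : %d\n", gss_size_ok_legacy(size));
    printf("24-bit test         : %d\n", gss_size_ok_24bit(size));
    printf("vs announced 65535  : %d\n", gss_size_ok_negotiated(size, 65535));
    printf("vs announced 262144 : %d\n", gss_size_ok_negotiated(size, 262144));
    printf("roundtrip 0x1000000 : %u\n", gss_maxbuf_roundtrip(0x06, 0x1000000u));
    return 0;
}
```

Compile with any C99 compiler and run: the legacy test rejects the 158504-byte buffer, the 24-bit test accepts it, and the negotiated variant accepts it only once the announced size is raised above it, which is the liblber change Dave found he needed. The stricter form is the one to prefer in a decoder: the length prefix comes from the peer, so whatever gets allocated from it should be capped by a number the local side chose, not by whatever arrives on the wire.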
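Dave asks whether some secondary request for more results exists, and Howard answers that paging is an option the client has to ask for, not something ldapsearch turns on by itself. As an added C example (mine, not OpenLDAP code, which per Howard did not implement this at the time), this encodes and decodes the value of the LDAP Simple Paged Results control from RFC 2696, the control Active Directory implements for that follow-up request. The server reply bytes are constructed and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Control type of the Simple Paged Results control (RFC 2696). */
#define PAGED_RESULTS_OID "1.2.840.113556.1.4.319"

/* Encode the control value
 *   realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
 * using short-form BER lengths only, which covers any page size and cookies
 * up to about 120 bytes. Returns bytes written, or 0 on error. */
size_t paged_encode(uint32_t page_size, const uint8_t *cookie, size_t cookie_len,
                    uint8_t *out, size_t out_cap)
{
    uint8_t intbuf[5];
    size_t intlen = 0, inner, n = 0, i;

    /* Minimal big-endian INTEGER: drop leading zero octets, then pad with a
     * zero octet if the top bit would otherwise make the value negative. */
    for (i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(page_size >> (8 * (3 - i)));
        if (intlen == 0 && b == 0 && i < 3)
            continue;
        intbuf[intlen++] = b;
    }
    if (intbuf[0] & 0x80) {
        memmove(intbuf + 1, intbuf, intlen);
        intbuf[0] = 0;
        intlen++;
    }

    inner = 2 + intlen + 2 + cookie_len;
    if (inner > 127 || out_cap < inner + 2)
        return 0;
    out[n++] = 0x30; out[n++] = (uint8_t)inner;       /* SEQUENCE */
    out[n++] = 0x02; out[n++] = (uint8_t)intlen;      /* INTEGER size */
    memcpy(out + n, intbuf, intlen); n += intlen;
    out[n++] = 0x04; out[n++] = (uint8_t)cookie_len;  /* OCTET STRING cookie */
    if (cookie_len)
        memcpy(out + n, cookie, cookie_len);
    return n + cookie_len;
}

/* Decode a control value returned by the server. `size` is the server's
 * estimate of the total result set (0 if unknown); an empty cookie means the
 * last page has been sent. Returns 0 on success, -1 on malformed input. */
int paged_decode(const uint8_t *in, size_t in_len, uint32_t *size,
                 const uint8_t **cookie, size_t *cookie_len)
{
    size_t n = 2, intlen, i;

    if (in_len < 2 || in[0] != 0x30 || (in[1] & 0x80) || 2 + (size_t)in[1] != in_len)
        return -1;
    if (n + 2 > in_len || in[n++] != 0x02)
        return -1;
    intlen = in[n++];
    if (intlen == 0 || intlen > 5 || n + intlen > in_len)
        return -1;
    if ((in[n] & 0x80) || (intlen == 5 && in[n] != 0))
        return -1;                          /* negative or > 32 bits: reject */
    *size = 0;
    for (i = 0; i < intlen; i++)
        *size = (*size << 8) | in[n + i];
    n += intlen;
    if (n + 2 > in_len || in[n++] != 0x04)
        return -1;
    *cookie_len = in[n++];
    if (n + *cookie_len != in_len)
        return -1;
    *cookie = in + n;
    return 0;
}

/* 1 if the server's control says more pages follow, 0 if this was the last
 * page, -1 if the value could not be parsed. */
int paged_more_pages(const uint8_t *in, size_t in_len)
{
    uint32_t size;
    const uint8_t *cookie;
    size_t cookie_len;
    if (paged_decode(in, in_len, &size, &cookie, &cookie_len) != 0)
        return -1;
    return cookie_len != 0;
}

int main(void)
{
    uint8_t req[64];
    size_t i, n = paged_encode(1000, NULL, 0, req, sizeof req);
    /* Constructed server reply (not captured traffic): size 0, cookie "ab". */
    const uint8_t reply[] = { 0x30, 0x07, 0x02, 0x01, 0x00, 0x04, 0x02, 'a', 'b' };

    printf("%s first request:", PAGED_RESULTS_OID);
    for (i = 0; i < n; i++) printf(" %02x", req[i]);
    printf("\nmore pages after reply: %d\n", paged_more_pages(reply, sizeof reply));
    return 0;
}
```

A paging client sends the control with its page size and an empty cookie, then repeats the same search carrying the cookie from each reply until a reply's cookie is empty. As Howard notes in answer 3, the control is only a delivery mechanism: it does not change the server's configured size limits, so whatever the AD server is prepared to return is the ceiling regardless of how it is paged.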