[Date Prev][Date Next]
RE: ldap_get_values returns NULL when attribute got more then 1000 values.
At 11:45 PM 4/7/2004, Hagai Yaffe wrote:
>TX to everybody for allot off useful information.
>What that I still don't know is what does "paged search" means,
Paged results is described in RFC 2696. The behavior you
describe, however, is something else. (I recall an I-D
in this area, but it was dropped by the authors.)
>I looked for some documentation on this and did not find any info.
I suggest you consult MS AD documentation.
>does the OpenLDAP API support paged search ?
The OpenLDAP LDAP libraries provide facilities which allow
applications to support most any extensions. The libraries
themselves include support for a few extensions, but not
paged results and certainly not this goofy attribute option
>is it possible to config the MS AD not to use paged search ? (or maybe to increase the search size ?).
That question should be directed to an MS AD forum.
>From: Peter Marschall [mailto:email@example.com]
>Sent: Wednesday, April 07, 2004 9:04 PM
>To: Hagai Yaffe; openldap-software@OpenLDAP.org
>Subject: Re: ldap_get_values returns NULL when attribute got more then
>On Wednesday 07 April 2004 16:36, Hagai Yaffe wrote:
>> I am using the OpenLDAP API version 2.1.22 to get data from windows
>> Active Directory, I am using the "memberOf" attribute to get all the groups
>> a user is assigned to in the Active Directory, for a user who has less then
>> a 1000 groups I have no problem, but for a user who is member off more then
>> 1000 groups the ldap_get_values function returns NULL.
>> After a little snooping around I have discovered that for a user who is
>> member off more then a 1000 groups the Active Directory server sends only a
>> 1000 groups, it also sends an header to inform the client of this, the
>> header looks like this :
>> after this header a 1000 group names are sent, for less then a 1000 groups
>> this header does not appear (only a header that identify the attribue as
>AFAIK MS AD treats every search request as a paged search with a default
>search sizze of 1000.
>It looks like the "header" you see is part of the paged-search cookie.
>Maybe sniffing the connection with a scanner that cann dissect the LDAP
>protocol can tell what this header is exactly.
>> It looks like the OpenLDAP API code is not ready to handle this header, The
>> code looks for a length value and gets a length of 0 bytes, this cause the
>> function to return NULL.
>I do not know, if it conforms to the LDAP standard to send controls in answers
>that weren't in the request.
>Section 4.1.12 of RFC2251 seems nt to cover this strange situation situation
>> My question is if this is a bug in the OpenLDAP API code or a miss behavior
>> by the Active Directory server ? any help / ideas on the subject would be
>Using a paged search should do the trick