
RE: ldap_get_values returns NULL when attribute got more then 1000 values.



At 11:45 PM 4/7/2004, Hagai Yaffe wrote:
>Hi,
>
>TX to everybody for a lot of useful information.
>
>What I still don't know is what "paged search" means,

Paged results is described in RFC 2696.  The behavior you
describe, however, is something else.  (I recall an I-D
in this area, but it was dropped by the authors.)

>I looked for some documentation on this and did not find any info.

I suggest you consult MS AD documentation. 

>Does the OpenLDAP API support paged search?

The OpenLDAP LDAP libraries provide facilities which allow
applications to support most any extensions.  The libraries
themselves include support for a few extensions, but not
paged results and certainly not this goofy attribute option
crap.

>Is it possible to configure the MS AD not to use paged search? (or maybe to increase the search size?)

That question should be directed to an MS AD forum.


>Hagai.
>
>
>-----Original Message-----
>From: Peter Marschall [mailto:peter@adpm.de]
>Sent: Wednesday, April 07, 2004 9:04 PM
>To: Hagai Yaffe; openldap-software@OpenLDAP.org
>Subject: Re: ldap_get_values returns NULL when attribute got more then
>1000 values.
>
>
>Hi,
>
>On Wednesday 07 April 2004 16:36, Hagai Yaffe wrote:
>> Hello.
>>
>>         I am using the OpenLDAP API version 2.1.22 to get data from Windows
>> Active Directory. I am using the "memberOf" attribute to get all the groups
>> a user is assigned to in the Active Directory. For a user who has less than
>> 1000 groups I have no problem, but for a user who is a member of more than
>> 1000 groups the ldap_get_values function returns NULL.
>>
>> After a little snooping around I have discovered that for a user who is a
>> member of more than 1000 groups the Active Directory server sends only
>> 1000 groups. It also sends a header to inform the client of this; the
>> header looks like this:
>>
>> .memberOf1.....0.......memberOf;range=0-999
>>
>> After this header 1000 group names are sent. For less than 1000 groups
>> this header does not appear (only a header that identifies the attribute as
>> "memberOf").
>
>AFAIK MS AD treats every search request as a paged search with a default 
>search size of 1000.
>
>It looks like the "header" you see is part of the paged-search cookie.
>Maybe sniffing the connection with a scanner that can dissect the LDAP 
>protocol can tell what this header is exactly.
>
>> It looks like the OpenLDAP API code is not ready to handle this header. The
>> code looks for a length value and gets a length of 0 bytes; this causes the
>> function to return NULL.
>
>Hmm, ...
>I do not know if it conforms to the LDAP standard to send controls in answers 
>that weren't in the request.
>Section 4.1.12 of RFC2251 seems not to cover this strange situation.
>
>> My question is if this is a bug in the OpenLDAP API code or a misbehavior
>> by the Active Directory server? Any help / ideas on the subject would be
>> great.
>
>Using a paged search should do the trick
>
>Peter
>-- 
>Peter Marschall
>eMail: peter@adpm.de
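
Added example (not part of the thread and not OpenLDAP code): the header quoted above names the attribute `memberOf;range=0-999`, so a client has to recognise that option and ask for the next chunk itself. The sketch assumes Active Directory's `attr;range=low-high` syntax with `*` as the high bound on the last chunk; `next_range_attr` is a hypothetical helper name, and the chunk names in `main` are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical helper (not part of libldap). `returned` is an attribute
 * description taken from a search entry, `base` the attribute being read.
 * Returns 1 and writes the next description to request into `next`;
 * 0 if this was the final chunk ("...;range=N-*") or there is no range
 * option on `base`; -1 if the option is malformed or `next` is too small. */
int next_range_attr(const char *returned, const char *base,
                    char *next, size_t next_len)
{
    size_t blen = strlen(base);
    const char *p;
    char *end;
    unsigned long low, high;
    int n;

    /* Attribute names and options compare case-insensitively. */
    if (strncasecmp(returned, base, blen) != 0) return 0;
    p = returned + blen;
    if (strncasecmp(p, ";range=", 7) != 0) return 0;
    p += 7;
    if (*p < '0' || *p > '9') return -1;      /* low bound must be digits */
    low = strtoul(p, &end, 10);
    if (*end != '-') return -1;
    p = end + 1;
    if (strcmp(p, "*") == 0) return 0;        /* server marks the last chunk */
    if (*p < '0' || *p > '9') return -1;
    high = strtoul(p, &end, 10);
    if (*end != '\0' || high < low || high == ULONG_MAX) return -1;
    n = snprintf(next, next_len, "%s;range=%lu-*", base, high + 1);
    return (n < 0 || (size_t)n >= next_len) ? -1 : 1;
}

int main(void)
{
    /* Constructed sample: descriptions as they could arrive for 2500 values. */
    const char *chunks[] = { "memberOf;range=0-999",
                             "memberOf;range=1000-1999", "memberOf;range=2000-*" };
    char next[64];
    for (size_t i = 0; i < 3; i++) {
        int rc = next_range_attr(chunks[i], "memberOf", next, sizeof next);
        printf("%-26s -> %s\n", chunks[i], rc == 1 ? next : "(done)");
    }
    return 0;
}
```

A client that stops after the first chunk sees only the first 1000 groups, which matters when the membership list feeds an authorization decision.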