(ITS#5472) ldap_get_values() should handle paged results from LDAP/AD
Full_Name: Petter Reinholdtsen
Version: 2.1.30
OS: Debian GNU/Linux Etch
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:700:100:6:213:72ff:fe93:c639)
I ran into this problem when trying to use nss-ldapd with LDAP from a Microsoft Active Directory server. The problem only appears if there are more than 1500 members in a group. When there are fewer than 1500 members, the result from the LDAP server looks like this:
member: CN=user1,OU=Elever,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
member: CN=user2,OU=Ansatte,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
This is properly handled by ldap_get_values(), and the nss-ldapd module works properly. For groups with more than 1500 members, the result from the LDAP server looks like this:
member;range=0-1499: CN=user1,OU=Elever,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
member;range=0-1499: CN=user2,OU=Ansatte,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
This notation is not handled by ldap_get_values(), and it returns NULL, resulting in a group with zero members. Is there a way to parse such "paged" attributes using the openldap library, and could ldap_get_values() be changed to handle these?
Is the range= notation legal LDAP notation? I have been unable to find information about this in any RFC, but our resident LDAP expert mentioned that it could be according to some extension specification. I have not been able to find information about it.
To get the rest of the members I have to ask for the attribute 'member;range=1500-*' and repeat this until the result shows for example 'range=6000-*' to indicate that this is the last batch of members.