RE: Win2K AD queries with large responses
Did you try the "-z sizelimit" option to ldapsearch? If you already tried
this, then you are running into a limit that was configured on AD.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Dave Snoopy
> Sent: Thursday, June 27, 2002 12:13 PM
> To: openldap
> Subject: Win2K AD queries with large responses
>
>
> A while ago I posted a problem I was having, in which
> Kerberized queries against a Win2K AD server would
> fail when the result was very large (e.g. a query for
> all users when there were over 1,000 users). Someone
> else posted that the reason for this was because
> Windows was likely breaking a negotiated buffer size.
> I am using OpenLDAP 2.1.2, with Cyrus-SASL 2.1.4, and
> Heimdal Kerberos 0.4e.
>
> Well, after some detective work, I've found out how to
> get around this problem to an extent. However, this
> "solution" is not a real one, and hopefully may just
> point someone in the right direction towards solving
> this problem correctly.
>
> First off, I modified the following #define in the
> OpenLDAP code:
>
> in libraries/liblber/sockbuf.c:
> #define LBER_MAX_BUFF_SIZE 262144
>
> I had also *originally* changed the #define below, but
> later found that changing it did not make any
> difference, and so later changed it back to its
> original value of 65535:
>
> in libraries/libldap/ldap-int.h:
> #define SASL_MAX_BUF_SIZE 262144
>
>
> Finally, I changed one if-statement in my Cyrus-SASL
> code (and then recompiled my library). In the file
> plugins/gssapi.c, I commented out the following check
> in the function "gssapi_decode_once":
>
> if (text->size > 0xFFFF || text->size <= 0) {
>     SETERROR(text->utils, "Illegal size in sasl_gss_decode_once");
>     return SASL_FAIL;
> }
>
> So all in all, I only made 2 changes (one to the
> OpenLDAP source, and one to the Cyrus source). Both
> seem to be needed.
>
> Before making the changes to the Cyrus code, the above
> check was failing because the value of text->size was
> equal to 158504 bytes. My guess is that this number is
> the size of the response from the server.
>
> With these changes, my query works well enough for up
> to exactly 1000 responses. As soon as I exceed this
> number (e.g. by adding another user to my PDC), my
> ldapsearch runs fine, but gives this output at the
> end:
>
> # search result
> search: 5
> result: 4 Size limit exceeded
>
> # numResponses: 1002
> # numEntries: 1000
> # numReferences: 1
>
> "size limit exceeded" is a server error, and not due
> to a lack of buffer space on my local machine. I know
> this because I got the same results, even when I
> requested fewer attributes in my query (which means
> less data).
>
> So it seems that beyond 1000 responses, Windows
> doesn't want to send back any more responses. But
> obviously this works for Windows to Windows LDAP
> queries, so some kind of secondary request for more
> responses must be available. Does OpenLDAP have some
> kind of paged query support that should be kicking in
> for this? Does anyone have any advice or comments
> about what I've discovered? Any help from you LDAP or
> AD experts would be of tremendous value.
>
> --Dave
>
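The size check quoted from gssapi_decode_once guards a length taken from the network. As an added example (not Cyrus SASL or OpenLDAP code, and not from either poster), the sketch below keeps that check but compares against a configurable receive limit instead of removing it. It assumes the SASL security-layer framing of a 4-octet network-order length followed by the wrapped data; all function and enum names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; not Cyrus SASL or OpenLDAP code. */
enum frame_status { FRAME_OK = 0, FRAME_NEED_MORE = 1, FRAME_BAD_SIZE = -1 };

/* Parse one SASL security-layer frame: a 4-octet network-order length,
 * then that many octets of wrapped data. max_buf is the receive limit
 * this side advertised, so a larger announced size is a protocol error. */
static enum frame_status parse_frame(const unsigned char *in, size_t in_len,
                                     uint32_t max_buf,
                                     const unsigned char **payload,
                                     uint32_t *payload_len)
{
    uint32_t size;
    if (in_len < 4)
        return FRAME_NEED_MORE;            /* header not complete yet */
    size = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8) | (uint32_t)in[3];
    if (size == 0 || size > max_buf)
        return FRAME_BAD_SIZE;             /* reject before buffering anything */
    if (in_len - 4 < size)
        return FRAME_NEED_MORE;            /* wait for the rest of the frame */
    *payload = in + 4;
    *payload_len = size;
    return FRAME_OK;
}

/* Constructed input: a header announcing `size` octets followed by
 * `avail` zero bytes standing in for the wrapped payload. */
static enum frame_status demo(uint32_t size, uint32_t max_buf, size_t avail)
{
    static unsigned char buf[4 + 262144];
    const unsigned char *p = NULL;
    uint32_t n = 0;
    if (avail > sizeof(buf) - 4)
        avail = sizeof(buf) - 4;
    memset(buf, 0, sizeof(buf));
    buf[0] = (unsigned char)(size >> 24); buf[1] = (unsigned char)(size >> 16);
    buf[2] = (unsigned char)(size >> 8);  buf[3] = (unsigned char)size;
    return parse_frame(buf, 4 + avail, max_buf, &p, &n);
}

int main(void)
{
    printf("158504 vs 0xFFFF limit: %d\n", demo(158504, 0xFFFF, 158504));
    printf("158504 vs 262144 limit: %d\n", demo(158504, 262144, 158504));
    printf("0xFFFFFFFF vs 262144:   %d\n", demo(0xFFFFFFFFu, 262144, 64));
    return 0;
}
```

With the limit raised to 262144, the 158504-byte frame reported in the message is accepted, while an announced size of 0xFFFFFFFF is still rejected.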