[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Win2K AD queries with large responses
AD has a default limit of 1000 results returned....
If you log into the machine (as an Administrator) and type the following
(in bold)
C:\> ntdsutil
ntdsutil: ldap policies
ldap policy: connections
server connections: connect to server SERVERNAME
Connected to SERVERNAME using credentials of locally logged on
user
server connections: q
ldap policy: show values
Policy
Current(New)
MaxPoolThreads
4
MaxDatagramRecv
1024
MaxReceiveBuffer
10485760
InitRecvTimeout
120
MaxConnections
5000
MaxConnIdleTime
900
MaxActiveQueries
20
MaxPageSize
1000
MaxQueryDuration
120
MaxTempTableSize
10000
MaxResultSetSize
262144
MaxNotificationPerConn
5
ldap policy: set maxpagesize to ##### (for example, 50000)
ldap policy: commit changes
ldap policy: q
ntdsutil: q
Disconnecting from SERVERNAME ...
Now, that is only a workaround since you can always exceed that hard
defined limit. It is also a performance hit if you are doing large
queries with results that aren't paged (i.e. returning 50000 results is a
big task).
Active Directory supports the Simple Page Control
(1.2.840.113556.1.4.319) as defined by RFC 2696
(http://www.faqs.org/rfcs/rfc2696.html)
and I believe all ADSI API queries will automatically page data for you -
conventional LDAP queries will have to use the control mechanism and page
appropriately (using ldap_search_ext).
Hope that helps,
- Nick
--
______________________________________________
Nicholas Oddson
Senior Technical Architect
Global Services Division, Open Text Corporation
410 Albert Street
Waterloo, ON, N2L 3V3
Phone:519-888-7111 ext.2435
Fax: 519-888-6737
www.opentext.com
At 03:38 PM 27/06/2002, you wrote:
Yes, I tried using "-z
1010", but still had the 1,000
response limit. I am pretty sure that it is an AD
limit. But isn't ldapsearch supposed to use paged
queries?
Also, do any potential hazards pop into your head in
regards to the code changes I made?
Thanks,
Dave
--- Howard Chu <hyc@highlandsun.com> wrote:
> Did you try the "-z sizelimit" option to ldapsearch?
> If you already tried
> this,
> then you are running into a limit that was
> configured on AD.
>
> -- Howard Chu
> Chief Architect, Symas
Corp. Director,
> Highland Sun
>
http://www.symas.com
>
http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> >
[mailto:owner-openldap-software@OpenLDAP.org]On
> Behalf Of Dave Snoopy
> > Sent: Thursday, June 27, 2002 12:13 PM
> > To: openldap
> > Subject: Win2K AD queries with large responses
> >
> >
> > A while ago I posted a problem I was having, in
> which
> > Kerberized queries against a Win2K AD server would
> > fail when the result was very large (e.g. a query
> for
> > all users when there were over 1,000 users).
> Someone
> > else posted that the reason for this was because
> > Windows was likely breaking a negotiated buffer
> size.
> > I am using OpenLDAP 2.1.2, with Cyrus-SASL 2.1.4,
> and
> > Heimdal Kerberos 0.4e.
> >
> > Well, after some detective work, I've found out
> how to
> > get around this problem to an extent. However,
> this
> > "solution" is not a real one, and hopefully may
> just
> > point someone in the right direction towards
> solving
> > this problem correctly.
> >
> > First off, I modified the following #define in the
> > OpenLDAP code:
> >
> > in libraries/liblber/sockbuf.c:
> > #define LBER_MAX_BUFF_SIZE 262144
> >
> > I had also *originally* changed the #define below,
> but
> > later found that changing it did not make any
> > difference, and so later changed it back to its
> > original value of 65535:
> >
> > in libraries/libldap/ldap-int.h:
> > #define SASL_MAX_BUF_SIZE 262144
> >
> >
> > Finally, I changed one if-statement in my
> Cyrus-SASL
> > code (and then recompiled my library). In the file
> > plugins/gssapi.c, I commented out the following
> check
> > in the function "gssapi_decode_once":
> >
> > if (text->size > 0xFFFF ||
text->size <= 0) {
> > SETERROR(text->utils,
"Illegal size in
> > sasl_gss_decode_once");
> > return SASL_FAIL;
> > }
> >
> > So all in all, I only made 2 changes (one to the
> > OpenLDAP source, and one to the Cyrus source).
> Both
> > seem to be needed.
> >
> > Before making the changes to the Cyrus code, the
> above
> > check was failing because the value of text->size
> was
> > equal to 158504 bytes. My guess is that this
> number is
> > the size of the response from the server.
> >
> > With these changes, my query works well enough for
> up
> > to exactly 1000 responses. As soon as I exceed
> this
> > number (e.g. by adding another user to my PDC), my
> > ldapsearch runs fine, but gives this output at the
> > end:
> >
> > # search result
> > search: 5
> > result: 4 Size limit exceeded
> >
> > # numResponses: 1002
> > # numEntries: 1000
> > # numReferences: 1
> >
> > "size limit exceeded" is a server error, and
not
> due
> > to a lack of buffer space on my local machine. I
> know
> > this because I got the same results, even when I
> > requested fewer attributes in my query (which
> means
> > less data).
> >
> > So it seems that beyond 1000 responses, Windows
> > doesn't want to send back any more responses. But
> > obviously this works for Windows to Windows LDAP
> > queries, so some kind of secondary request for
> more
> > responses must be available. Does OpenLDAP have
> some
> > kind of paged query support that should be kicking
> in
> > for this? Does anyone have any advice or comments
> > about what I've discovered? Any help from you LDAP
> or
> > AD experts would be of tremendous value.
> >
> > --Dave
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! - Official partner of 2002 FIFA World Cup
> >
http://fifaworldcup.yahoo.com
>
__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com