
Re: ldap_get_values returns NULL when attribute got more then 1000 values.



At 07:36 AM 4/7/2004, Hagai Yaffe wrote:
>I am using the OpenLDAP API version 2.1.22 to get data from Windows Active Directory. I am using the "memberOf" attribute to get all the groups a user is assigned to in the Active Directory. For a user who has less than 1000 groups I have no problem, but for a user who is a member of more than 1000 groups the ldap_get_values function returns NULL.
>
>After a little snooping around I have discovered that for a user who is a member of more than 1000 groups the Active Directory server sends only 1000 groups; it also sends a header to inform the client of this. The header looks like this:
>
>.memberOf1.....0.......memberOf;range=0-999

That appears to violate the LDAP technical specification.  Per
RFC 2251 (section 4.1.5), Attribute options cannot contain the
"=" character. 

>It looks like the OpenLDAP API code is not ready to handle this header,

We could detect the protocol error, I guess.  But that seems less than
useful.

>My question is if this is a bug in the OpenLDAP API code or misbehavior by the Active Directory server?

See RFC 2251.

>Any help / ideas on the subject would be great.

I suggest you file a bug report with Microsoft.
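
One way a client could detect the condition discussed in this thread, added here as an illustration and not taken from the OpenLDAP code or from either poster: each option of a returned attribute description is checked against the RFC 2251 section 4.1.5 character set, and the `range=lo-hi` form quoted above is recognised separately. The function and enum names are hypothetical, and the sample string is the header from the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum ad_result { AD_OK, AD_RANGED, AD_MALFORMED };  /* hypothetical names */
/* RFC 2251 section 4.1.5: an option is one or more letters, digits or hyphens. */
static int option_is_rfc2251(const char *opt, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)opt[i]) && opt[i] != '-') return 0;
    return len > 0;
}

/* Accept exactly "range=<lo>-<hi>", the form quoted in the post. */
static int parse_range(const char *opt, size_t len, long *lo, long *hi)
{
    char *end;
    if (strncmp(opt, "range=", 6) != 0 || !isdigit((unsigned char)opt[6])) return 0;
    *lo = strtol(opt + 6, &end, 10);
    if (*end != '-' || !isdigit((unsigned char)end[1])) return 0;
    *hi = strtol(end + 1, &end, 10);
    return end == opt + len && *lo <= *hi;
}

/* Split "type;opt;opt", copy the bare type into base, and classify the options:
 * AD_RANGED if a range option is present (lo/hi filled in), AD_MALFORMED for any
 * other option outside the RFC 2251 character set, AD_OK otherwise. */
int check_attr_desc(const char *desc, char *base, size_t basesz, long *lo, long *hi)
{
    size_t tlen = strcspn(desc, ";");
    int rc = AD_OK;
    if (tlen == 0 || tlen >= basesz) return AD_MALFORMED;
    snprintf(base, basesz, "%.*s", (int)tlen, desc);
    for (const char *p = desc + tlen; *p == ';'; ) {
        const char *opt = p + 1;
        size_t olen = strcspn(opt, ";");
        if (!option_is_rfc2251(opt, olen)) {
            if (!parse_range(opt, olen, lo, hi)) return AD_MALFORMED;
            rc = AD_RANGED;
        }
        p = opt + olen;
    }
    return rc;
}

int main(void)
{
    char base[64]; long lo = 0, hi = 0;
    int rc = check_attr_desc("memberOf;range=0-999", base, sizeof base, &lo, &hi);
    printf("%s rc=%d range=%ld-%ld\n", base, rc, lo, hi);
}
```

A caller that sees AD_RANGED for `memberOf` knows the value list it received is a partial window rather than the complete set of groups.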