> -----Original Message-----
> From: Francis Cianfrocca [mailto:garbagecat10@gmail.com]
> Sent: Tuesday, May 30, 2006 4:16 PM
> To: ruby-talk ML
> Subject: Search-result referrals in Net::LDAP
>
> All, I received an email from a gentleman who had a problem
> using Net::LDAP (library at Rubyforge) to query an Active
> Directory (A/D) server. He got the following error message:
>
> This happens because many A/D servers are configured to
> return what LDAP calls "Search-result referrals" - an
> additional LDAP URL that you are encouraged to query in order
> to get additional relevant results. The Net::LDAP library was
> not supporting this result-type. I'm in the process of adding
> it in now and will produce a patch shortly. Has anyone else
> encountered this problem?
>
> Another problem you are likely to see when querying A/D is
> that you can't get back more than 1000 results no matter what
> you try.
Would you blame a company that has, say, 40,000 employees for
implementing this?
> This is due to an "LDAP control" that A/D uses to
> prevent large queries. This has already been fixed in the
> HEAD revision of Net::LDAP.
Could you please elaborate on what you mean in this context by "fixed"?
Thanks,
Dan
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
···
Dan, I think you're talking about the search-size limitation in A/D rather
than the search-result referral issue.
A/D, for whatever reason, won't return more than 1000 search results in one
shot. You'll hit this limitation if you use standard command-line LDAP
tools, or the native C++ libraries, or version 0.0.1 of Net::LDAP. Microsoft
uses what LDAPv3 calls a "control," basically some extra-standard syntax to
create what they call "paged requests." If you really have nothing better to
do with your life, read RFC 2696 for the gory details (and note the authors
of the RFC :-)). The current HEAD revision of Net::LDAP properly supports
RFC 2696 so it transparently handles queries from A/D that have >1000
entries.
Considering that I run LDAP servers that regularly return a few hundred
thousand search-entries in one query, and take less than a second to do so
while processing other queries simultaneously, you'd think Microsoft would
be able to write a stronger directory server. But I guess they know their
own capabilities better than I do.
···
On 5/30/06, Berger, Daniel <Daniel.Berger@qwest.com> wrote: