cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Microsoft AD: Reading member attribute of large group

Former Member

on ‎04-10-2012 8:10 AM

0 Kudos

Hi everybody,

I'm currently facing a problem reading group membership (attribute member) of large AD groups using the "From LDAP directory" pass. I know that there is a limitation on AD (maxValRange property in AD) which controls how many values are returned for one attribute when querying one entry. I also know, that it is possible to overcome this issue using SearchControls (e.g. ({"member;Range=1499-*"}) and increase this value in a loop).

Please be aware that this is NOT the "directory page size" in the pass configuraton, which has impact on the number of search results returned on one query.oes the default "From LDAP directory" pass support this kind of iteration?

Regards
Matthias Bartel

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
‎04-17-2012 5:25 PM
0 Kudos

Hi Matt,

I'm not trying to query a subset of groups. I'm trying to query for exactly one group and read the attribute "member" of this group. That means, that I have mapped the attribute "member" in the Destination tab of the LDAP pass. As I mentioned above, there is a limitation on how many values are returned for one multivalue attribute. The question is now, if there is a possibility to overcome this limitation using the standard FromLDAP pass?

Show replies
Show replies
Former Member
‎04-17-2012 11:19 PM
0 Kudos

Hi Matthias,

You may have already tried this, but did you try putting the line you specified above

     "using SearchControls (e.g. ({"member;Range=1499-*"}) and increase this value in a loop)"

into the LDAP repository search criteria?  There are 2 standard filters, 1 for users and 1 for groups.  What would happen if you put that in those fields.

former_member2987
Active Contributor
‎04-18-2012 2:23 PM
0 Kudos

As Chris has said, you should be able to do this with some standard LDAP syntax.  You'll probably have to look into how paging is setup on the AD server.  It's possible you might need to set up VDS as an intermediary to help simplify the query as well.  Take a look at the VDS AD/LDAP tutorial for more information on setting this up. Once it's set you can set specific starting points in the VDS configuration that correspond to what you need to return.

Matt

former_member2987
Active Contributor
‎04-10-2012 3:31 PM
0 Kudos

Matthias,

I'm not quite sure what you're trying to ask here?  The FromLDAP pass allows filtering using standard LDAP syntax. Can you query the subset of groups that way?

Matt

Show replies
Show replies
Ask a Question