Active Directory is the only directory server I know of that supports or demands the use of ranged attributes. They're mostly sensible to use when: * you are fetching only one or a few objects * you know in advance which attributes might have a great profusion of multivalues
For example, if you query for the "member" attribute on a very large group, AD will only give you the first 1,500 values as per the MaxValRange LDAP policy, *without any indication that there are more values*. Instead, one must explicitly ask for the attribute description "member;range=0-5000" or the like, and then examine every attribute name in the LDAP response message to see if it indicates something like "member;range=0-1499", to see what range of values the directory server was actually willing to provide--then issue additional search requests to fetch the rest of the values until you can infer from the response message that all the values have been exhausted (you'll see "member;range=3000-*" at that point). All these searches are non-transactional, and it is probably safe to say the end result is "undefined" if the group should change between requests for chunks of the membership list. Personally I like and use the OpenLDAP tools often, as part of Cygwin; "ZLdapSearch" is mostly helpful if you've some other requirement to stick to .NET (such as the added safety of managed code), or want to use Windows authentication methods. --Steve On Thu, Mar 22, 2012 at 8:59 AM, Michael B. Smith <[email protected]> wrote: > LDAP directories have limits on the size of results that they will return. > Consider a group with a million members. It could consume all of your > available memory to return the result from the LDAP database. That isn't > desirable. > > So, instead, there is a limit on the number of results returned in single API > call. Typically around 1K. So, when using the API itself, you first request > values 0-999, then 1000-1999, etc. Part of the result tells you whether or > not there are more values to be requested. This API limit is hidden from you > by many command line tools like dsquery, adfind, etc. (although all of them > do have limits on the number of results that they will return, without > setting some specific argument). > > Not to minimize Steve's contribution (it's great!), but there is a fairly > recent port of OpenLDAP for Windows available at > http://www.userbooster.de/en/download/openldap-for-windows.aspx that includes > ldapsearch. > > -----Original Message----- > From: Guyer, Donald [mailto:[email protected]] > Sent: Thursday, March 22, 2012 8:48 AM > To: NT System Admin Issues > Subject: RE: "ldapsearch" for Windows > > This looks cool but, what does this mean? > > " Note: this program does not currently attempt to fetch range-based > attributes, such as AD groups with over 1,000 members." > > Regards, > > Don Guyer > Directory and Messaging Services > Catholic Health East, ITSS > > > -----Original Message----- > From: Steve Kradel [mailto:[email protected]] > Sent: Wednesday, March 21, 2012 6:15 PM > To: NT System Admin Issues > Subject: "ldapsearch" for Windows > > Cross-posting this from the ActiveDir list: this tool may be of interest to > folks with non-AD directories, maybe you just don't like ldifde, or want to > pipe LDIF from stdout to another program. > > I went ahead and knocked out a quick and dirty .NET LdapSearch. > Source code is on GitHub: https://github.com/skradel/Zetetic.Ldap > > Here's a binary build: > http://dl.dropbox.com/u/1742256/Zetetic.Ldap/ZLdapSearch_1.0.zip > > It is certainly no competitor for AdFind, but it is: > * open source > * plain old .NET 2 > * LDAP v3 directory agnostic > * a producer of carefully-managed LDIF output to handle binary values, long > strings, and non-7-bit-ASCII characters properly. > > I might wrangle around the commandline options if there's interest to make it > more of a drop-in replacement for ldapsearch, but it is pretty close as it > stands. > > Note: this program does not currently attempt to fetch range-based > attributes, such as AD groups with over 1,000 members. > > It *does* support (but does not require) paging on directory servers that > support it. > > Insert standard "free software, no warranty, provided in hopes you will find > it useful" disclaimer here. > > --Steve > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > Confidentiality Notice: > This e-mail, including any attachments is the property of Catholic Health > East and is intended for the sole use of the intended recipient(s). > It may contain information that is privileged and confidential. Any > unauthorized review, use, disclosure, or distribution is prohibited. If you > are not the intended recipient, please delete this message, and reply to the > sender regarding the error in a separate email. > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
