On Apr 16, 2008, at 7:58 AM, [EMAIL PROTECTED] wrote:

> Full_Name: Petter Reinholdtsen
> Version: 2.1.30
> OS: Debian GNU/Linux Etch
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:700:100:6:213:72ff:fe93:c639)
>
>
> I ran into this problem when trying to use nss-ldapd with LDAP from a
> Microsoft Active Directory server. The problem only appears if there
> are more than 1500 members in a group. When there are fewer than 1500
> members, the result from the LDAP server looks like this:
>
> member: CN=user1,OU=Elever,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
> member: CN=user2,OU=Ansatte,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
>
> This is properly handled by ldap_get_values(), and the nss-ldapd module
> works properly. For groups with more than 1500 members, the result from
> the LDAP server looks like this:
>
> member;range=0-1499: CN=user1,OU=Elever,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
> member;range=0-1499: CN=user2,OU=Ansatte,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
>
> This notation is not handled by ldap_get_values(), and it returns NULL,
> resulting in a group with zero members.
This is proper and well-intended behavior. You asked for values returned under the attribute description "member", not the (invalid) attribute description "member;range=0-1499". Two attribute descriptions which share the same attribute type do not necessarily refer to the same attribute.

> Is there a way to parse such "paged" attributes using the openldap
> library, and could ldap_get_values() be changed to handle these?
>
> Is the range= notation legal LDAP notation?

No. Attribute description options cannot contain equal signs. See RFC 4512.

> I have been unable to find information about this in any RFC, but our
> resident LDAP expert mentioned that it could be according to some
> extension specification.

Microsoft might offer some specification for this crap. But I note that it's an improper extension as extensions should be truly optional (per RFC 4521 and common sense).

> Have not been able to find information about it.
>
> To get the rest of the members I have to ask for attribute
> 'member;range=1500-*' and repeat this until the result shows for
> example 'range=6000-*' to indicate that this is the last batch of
> members.

If you want to implement this crap, you can do so without additional support from LDAP API. Use ldap_first/next_attribute API.

-- Kurt
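The client-side handling Kurt points at, as an added example that is not code from this thread or from OpenLDAP: parse_range() and next_range_request() are hypothetical names, the attribute descriptions are constructed to match the ones quoted above, and in real code they would come from ldap_first_attribute()/ldap_next_attribute(). It treats a "*" upper bound as the last batch and rejects malformed options so the retrieval loop cannot run forever on unexpected server output.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the non-standard "attr;range=lo-hi" description Active Directory
 * returns ("member;range=0-1499", "member;range=1500-*"). Returns 1 when the
 * option is present and well-formed, 0 otherwise (plain "member", a different
 * attribute such as "memberOf", or garbage). *last is set when the upper
 * bound is "*", which marks the final batch. */
int parse_range(const char *desc, const char *attr, long *lo, long *hi, int *last)
{
    size_t n = strlen(attr);
    const char *p;
    char *end;

    if (strncmp(desc, attr, n) != 0 || desc[n] != ';')
        return 0;
    p = strstr(desc + n, ";range=");
    if (p == NULL)
        return 0;
    p += strlen(";range=");
    *lo = strtol(p, &end, 10);
    if (end == p || *end != '-' || *lo < 0)
        return 0;
    p = end + 1;
    if (p[0] == '*' && p[1] == '\0') {
        *hi = -1;        /* open upper bound: this was the last batch */
        *last = 1;
        return 1;
    }
    *hi = strtol(p, &end, 10);
    if (end == p || *end != '\0' || *hi < *lo)
        return 0;
    *last = 0;
    return 1;
}

/* Build the follow-up request ("member;range=1500-*") into buf.
 * Returns 0 when the last batch has already been received, so the
 * caller's loop terminates instead of re-requesting. */
int next_range_request(const char *attr, long hi, int last, char *buf, size_t len)
{
    if (last)
        return 0;
    snprintf(buf, len, "%s;range=%ld-*", attr, hi + 1);
    return 1;
}
```

A retrieval loop calls parse_range() on each attribute description the search returns and, while next_range_request() yields a new description, issues another search requesting exactly that attribute.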
