Christopher Paul wrote:
> Hello OpenLDAP-Technical,
>
> I am testing the dirSync replication. I am trying to replicate Active
> Directory (Windows Server 2019) -> OpenLDAP 2.5.12 from
> symas-openldap-servers-2.5.12-1.el8.x86_64 RPM on RedHat 8.6. Group members
> are not replicating, and I am seeing this error:
>
> syncrepl_dirsync_message: rid=999 unknown attributeType member;range=1-1
>
> In this case, "member" is a recognized attribute per "core.schema" and is not
> a problem unless sent with the range indicator, which seems not to be part of
> the protocol but rather be an AD "embellishment". Those responsible for AD
> call this "Searching Using Range Retrieval" if you care to look it up.
>
> I guess has this default now of 1500 max values for an LDAP response, and it
> will indicate that the attribute has greater than this number of values by
> sending "member;range=0-1499" instead of "member" as the attribute type in
> the result data if there are more than 1500 values, and subsequently, if the
> amount is greater than 3000, "member;range=1500-2999", etc.
>
> I also observed (using packet capture) that when using the dirSync control,
> all groups are sent with this range notation, even if below the limit, even
> if just one member, Windows Server 2019 AD DS sends a PartialAttributeList of
> type "member;range=1-1". Although using ldapsearch without the control only
> will send the range notation if the number of member values is greater than
> the 1500 limit.
>
> So I am wondering if anyone else has seen this? Am I doing something wrong or
> is this a bug? What version of Windows was the dirSync syncrepl functionality
> developed to work with and/or tested with?

No bug. Use the attributeoptions config directive to define range= as a valid attribute option.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
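The range notation described in the question, as an added example that is not part of the original thread or of OpenLDAP's code: Python that splits an attribute description such as `member;range=0-1499` into its base type and range option, and merges the chunks returned by ordinary range-retrieval searches back under the base attribute. The function names are hypothetical, and the treatment of a `*` upper bound as the final chunk is an assumption taken from AD's range-retrieval behaviour, not from the thread.

```python
import re

# AD range option, e.g. "range=0-1499"; a high bound of "*" marks the last chunk.
_RANGE_RE = re.compile(r"^range=(\d+)-(\d+|\*)$", re.IGNORECASE)


def parse_attr_description(desc):
    """Split 'type;opt;...' into (base_type, other_options, range).

    range is None without a range option, else (low, high); high is None for '*'.
    """
    base, *options = desc.split(";")
    if not base:
        raise ValueError("empty attribute type in %r" % desc)
    rng, others = None, []
    for opt in options:
        m = _RANGE_RE.match(opt)
        if m is None:
            others.append(opt)  # e.g. a language tag such as "lang-en"
            continue
        if rng is not None:
            raise ValueError("duplicate range option in %r" % desc)
        low = int(m.group(1))
        high = None if m.group(2) == "*" else int(m.group(2))
        if high is not None and high < low:
            raise ValueError("inverted range in %r" % desc)
        rng = (low, high)
    return base, others, rng


def merge_ranged_values(chunks):
    """Merge {attr_description: [values]} chunks into {base_description: [values]}.

    Chunks are ordered by low bound; a gap or overlap raises ValueError.
    """
    by_base = {}
    for desc, values in chunks.items():
        base, others, rng = parse_attr_description(desc)
        key = ";".join([base.lower(), *sorted(o.lower() for o in others)])
        by_base.setdefault(key, []).append((rng[0] if rng else 0, rng, values))
    merged = {}
    for key, parts in by_base.items():
        out = []
        for low, rng, values in sorted(parts, key=lambda p: p[0]):
            if rng is not None and low != len(out):
                raise ValueError("gap or overlap before %s;range=%d" % (key, low))
            out.extend(values)
        merged[key] = out
    return merged
```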
