RE: Net::LDAP search - active directory not returning member list for large group

Mon, 11 Dec 2006 18:58:00 -0800 

Megan, I hope everything is going well for you.  The trick for getting
this to work is to request the attribute 'member;Range=0-*' and then
get_value('member;Range=0-*').  This should work on a group any size
although I haven't tested on enormous groups.  The 'Range' is case
sensitive when requesting the attr but not on get_value.  By default if
the group has more than 1000 users, and you don't specify a range, it
will return 'member;Range=0-999'.

You can play with the range...but here is one thing to keep in mind.  If
you use a value greater than the number of members it will return the
value as Range=0-*.  For instance, if I have a group with 1025 members
here are the attributes I will get back:
'member' returns 'member;Range=0-999'
'member;Range=0-500' returns 'member;Range=0-500'
'member;Range=0-1500' returns 'member;Range=0-*' (1500 is greater than
the 1025 members)
'member;Range=0-*' returns 'member;Range=0-*'

Keep in mind you can use the dump method to output a quick "raw" view of
everything in the entry object.

Don

-----Original Message-----
From: Graham Barr [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 11, 2006 4:51 PM
To: [EMAIL PROTECTED]
Cc: Perl-LDAP Mailing List
Subject: Fwd: Net::LDAP search

Begin forwarded message:
> From: "Megan Kielman" <[EMAIL PROTECTED]>
> Date: December 11, 2006 5:41:02 PM CST
> Subject: Net::LDAP search
> Message-Id:  
> <[EMAIL PROTECTED]>
>
> Graham,
>
> I hope it is ok that I am emailing you. Anyway, I am searching for 
> groups in AD and writing the contents of the "member" attribute to a 
> file. I have found there are cases when some groups are not returning 
> the members, but when I look in AD, the group does in fact have 
> members.
>
> One thing that is common amongst these groups is that when viewing 
> them via ADUC, the members all have gray hair which according to MS 
> means that the group contains more then 500 members.
>
> here is a sample of my code:
>
> my $ldap = Net::LDAPS->new($addr) or die "$@"; my $login = 
> $ldap->bind($user, password=> $pass); my @srcargs1 = (
>                                base            => $path,
>                                scope           => "sub",
>                                filter          => "(sAMAccountName= 
> $group)",
>                                attrs           => ['member', 'name',
> 'description', 'managedBy', 'createTimeStamp', 'modifyTimeStamp'],
>                                control         => [ $page ],
>                        );
>                $search = $ldap->search(@srcargs1);
> foreach $entry ($search->entries)       {
>                                @members = $entry->get_value("member");
>                                 unless (scalar(@members))       {
>                                        &getempty($entry);
>                                        $count++;
>                                }else{
>                                        print "$group is not empty\n";
>                                }
> }
>

Reply via email to