I got around this with a bit of a kludge: I first query the member
attribute with no range. If nothing is returned, I set up a loop to
query each range (of 1000 which is the limit our AD is set to return,
but can easily be modified). It first queries 0-999, then 1000-1999,
and so on. Say the group only had 1500 members, then the 1000-1999
query would fail. It tries again with 1000-*. When the loop tries
all these queries and still gets 0, it's done and lasts out...
I'm not sure if this code works perfectly below since I had to translate
it from what I'm really using. Let me know if you have any problems
with it:
$size = 1000;
@members = $entry->get_value("member");
if (@members == 0) {
$first = 0;
while(1) {
$last = $first + $size - 1;
@tmp = $entry->get_value("member;range=${first}-${last}");
@tmp = $entry->get_value("member;range=${first}-*") if @tmp
== 0;
last if @tmp == 0;
push @members, @tmp;
$first += $size;
}
}
printf "Group has %d members", scalar @members;
On Dec 11, 2006, at 9:57 PM, Megan Kielman wrote:
Don,
Thanks for the response.
First of all you mentioned that if you don't specify a range and the
group contains more then 1000 users, $entry->get_value("member") will
return 'member;Range=0-999', however, in my case it doesn't appear to
return anything becuase when I loop through the @members, it is empty.
I tried using ('member;Range=0-*') and I still got nothing.
I played around with the Range and specified an upper limit like 0-100
and 100 of the users were returned. This method will work for this
script because I am simply trying to determine if a group is empty,
however, I may want the ability to return all members of a group,
regardless of how many members there are.
Thanks!
On 12/11/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
Megan, I hope everything is going well for you. The trick for
getting
this to work is to request the attribute 'member;Range=0-*' and then
get_value('member;Range=0-*'). This should work on a group any size
although I haven't tested on enormous groups. The 'Range' is case
sensitive when requesting the attr but not on get_value. By
default if
the group has more than 1000 users, and you don't specify a range, it
will return 'member;Range=0-999'.
You can play with the range...but here is one thing to keep in
mind. If
you use a value greater than the number of members it will return the
value as Range=0-*. For instance, if I have a group with 1025
members
here are the attributes I will get back:
'member' returns 'member;Range=0-999'
'member;Range=0-500' returns 'member;Range=0-500'
'member;Range=0-1500' returns 'member;Range=0-*' (1500 is greater
than
the 1025 members)
'member;Range=0-*' returns 'member;Range=0-*'
Keep in mind you can use the dump method to output a quick "raw"
view of
everything in the entry object.
Don
-----Original Message-----
From: Graham Barr [mailto:[EMAIL PROTECTED]
Sent: Monday, December 11, 2006 4:51 PM
To: [EMAIL PROTECTED]
Cc: Perl-LDAP Mailing List
Subject: Fwd: Net::LDAP search
Begin forwarded message:
> From: "Megan Kielman" <[EMAIL PROTECTED]>
> Date: December 11, 2006 5:41:02 PM CST
> Subject: Net::LDAP search
> Message-Id:
> <[EMAIL PROTECTED]>
>
> Graham,
>
> I hope it is ok that I am emailing you. Anyway, I am searching for
> groups in AD and writing the contents of the "member" attribute
to a
> file. I have found there are cases when some groups are not
returning
> the members, but when I look in AD, the group does in fact have
> members.
>
> One thing that is common amongst these groups is that when viewing
> them via ADUC, the members all have gray hair which according to MS
> means that the group contains more then 500 members.
>
> here is a sample of my code:
>
> my $ldap = Net::LDAPS->new($addr) or die "$@"; my $login =
> $ldap->bind($user, password=> $pass); my @srcargs1 = (
> base => $path,
> scope => "sub",
> filter => "(sAMAccountName=
> $group)",
> attrs => ['member',
'name',
> 'description', 'managedBy', 'createTimeStamp', 'modifyTimeStamp'],
> control => [ $page ],
> );
> $search = $ldap->search(@srcargs1);
> foreach $entry ($search->entries) {
> @members = $entry->get_value
("member");
> unless (scalar(@members)) {
> &getempty($entry);
> $count++;
> }else{
> print "$group is not empty
\n";
> }
> }
>
--
Glenn Lamb
Systems Administrator
[EMAIL PROTECTED]
http://www.stanford.edu/~glamb/gpg.txt
CE4B 7186 D8FD 317F 8364 12CD 02BB ED17 F3E8 555C
