Megan, when I was doing testing with this I noticed there was some type of caching occurring with the requests. I waited a while and since then I have been able to use the member;Range=0-* for every size group (use it in both the attr list and get_value). It would be a good idea to check for the existence of other ranges in the return set.

As for your comment on get_value("member"). This is where you want to use "member;Range=0-999" when you have just "member" in the attribute list, not vice versa. If you use $entry->dump you will see what the object contains in a nice readable form.

Don

use Net::LDAP;

# Connect and bind to the domain controller
my $ad_ldap = Net::LDAP->new('server');
my $error = $ad_ldap->bind('dn', password => 'pass');

# Request the ranged form of the member attribute
my $group_search = undef;
$group_search = $ad_ldap->search(
    'base'   => 'dc=contoso,dc=msft',
    'filter' => "(&(objectClass=group)(samaccountname=mygroup))",
    'attrs'  => [ 'samaccountname', 'member;Range=0-*' ]
);
die if ($group_search->code);

# Show everything the entry object contains
print $group_search->entry(0)->dump;

# Read the values back under the same ranged attribute name
my @members = $group_search->entry(0)->get_value('member;Range=0-*');
print $#members;    # index of the last member (count minus one)

$ad_ldap->unbind;

-----Original Message-----
From: Megan Kielman [mailto:[EMAIL PROTECTED]
Sent: Monday, December 11, 2006 9:58 PM
To: Don C. Miller
Cc: Perl-LDAP Mailing List
Subject: Re: Net::LDAP search - active directory not returning member list for large group

Don,

Thanks for the response. First of all you mentioned that if you don't specify a range and the group contains more than 1000 users, $entry->get_value("member") will return 'member;Range=0-999', however, in my case it doesn't appear to return anything because when I loop through the @members, it is empty.

I tried using ('member;Range=0-*') and I still got nothing. I played around with the Range and specified an upper limit like 0-100 and 100 of the users were returned. This method will work for this script because I am simply trying to determine if a group is empty, however, I may want the ability to return all members of a group, regardless of how many members there are.

Thanks!

On 12/11/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
> Megan, I hope everything is going well for you. The trick for getting
> this to work is to request the attribute 'member;Range=0-*' and then
> get_value('member;Range=0-*'). This should work on a group any size
> although I haven't tested on enormous groups.
> The 'Range' is case sensitive when requesting the attr but not on
> get_value. By default if the group has more than 1000 users, and you
> don't specify a range, it will return 'member;Range=0-999'.
>
> You can play with the range...but here is one thing to keep in mind.
> If you use a value greater than the number of members it will return
> the value as Range=0-*. For instance, if I have a group with 1025
> members here are the attributes I will get back:
> 'member' returns 'member;Range=0-999'
> 'member;Range=0-500' returns 'member;Range=0-500'
> 'member;Range=0-1500' returns 'member;Range=0-*' (1500 is greater than
> the 1025 members)
> 'member;Range=0-*' returns 'member;Range=0-*'
>
> Keep in mind you can use the dump method to output a quick "raw" view
> of everything in the entry object.
>
> Don
>
> -----Original Message-----
> From: Graham Barr [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 11, 2006 4:51 PM
> To: [EMAIL PROTECTED]
> Cc: Perl-LDAP Mailing List
> Subject: Fwd: Net::LDAP search
>
> Begin forwarded message:
>
> > From: "Megan Kielman" <[EMAIL PROTECTED]>
> > Date: December 11, 2006 5:41:02 PM CST
> > Subject: Net::LDAP search
> > Message-Id:
> > <[EMAIL PROTECTED]>
> >
> > Graham,
> >
> > I hope it is ok that I am emailing you. Anyway, I am searching for
> > groups in AD and writing the contents of the "member" attribute to a
> > file. I have found there are cases when some groups are not
> > returning the members, but when I look in AD, the group does in fact
> > have members.
> >
> > One thing that is common amongst these groups is that when viewing
> > them via ADUC, the members all have gray hair which according to MS
> > means that the group contains more than 500 members.
> >
> > here is a sample of my code:
> >
> > my $ldap = Net::LDAPS->new($addr) or die "$@";
> > my $login = $ldap->bind($user, password=> $pass);
> > my @srcargs1 = (
> >     base => $path,
> >     scope => "sub",
> >     filter => "(sAMAccountName=$group)",
> >     attrs => ['member', 'name', 'description', 'managedBy',
> >               'createTimeStamp', 'modifyTimeStamp'],
> >     control => [ $page ],
> > );
> > $search = $ldap->search(@srcargs1);
> > foreach $entry ($search->entries) {
> >     @members = $entry->get_value("member");
> >     unless (scalar(@members)) {
> >         &getempty($entry);
> >         $count++;
> >     }else{
> >         print "$group is not empty\n";
> >     }
> > }
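
Added example, not part of the original thread or of Net::LDAP itself: one way to collect every member of a large group by following the returned range names until the server answers with the 'Range=N-*' form described above. The names all_members and ldap_fetcher are hypothetical, and the stand-in server is constructed, using the 1025-member group and 1000-value limit from the discussion so that the loop runs without a directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Collect every value of the ranged attribute. $fetch is a code ref that takes
# the attribute name to request and returns (name_as_returned, \@values).
sub all_members {
    my ($fetch, $step) = @_;
    my ($low, @members) = (0);
    while (1) {
        my ($got, $values) =
            $fetch->(sprintf 'member;Range=%d-%d', $low, $low + $step - 1);
        last unless defined $got;       # no ranged member attribute: empty group
        push @members, @$values;
        last if $got =~ /-\*$/;         # '*' marks the final chunk
        $got =~ /-(\d+)$/ or die "unexpected attribute name '$got'";
        $low = $1 + 1;                  # resume after the last index returned
    }
    return @members;
}

# Hypothetical adapter for a bound Net::LDAP handle (needs a live server, so it
# is defined here but not called).
sub ldap_fetcher {
    my ($ldap, $group_dn) = @_;
    return sub {
        my $res = $ldap->search(base => $group_dn, scope => 'base',
                                filter => '(objectClass=group)', attrs => [ $_[0] ]);
        die $res->error if $res->code;
        my $entry = $res->entry(0) or return;
        # The name that comes back can differ from the name that was requested
        my ($got) = grep { /^member;range=/i } $entry->attributes;
        return defined $got ? ($got, [ $entry->get_value($got) ]) : ();
    };
}

# Constructed stand-in for the server: 1025 members, at most 1000 per response.
my @directory = map { "CN=user$_,DC=contoso,DC=msft" } 1 .. 1025;
my $fake = sub {
    my ($low, $high) = $_[0] =~ /=(\d+)-(\d+)$/;
    return if $low > $#directory;
    $high = $low + 999 if $high - $low > 999;
    return ("member;Range=$low-*", [ @directory[$low .. $#directory] ])
        if $high >= $#directory;
    return ("member;Range=$low-$high", [ @directory[$low .. $high] ]);
};

my @all = all_members($fake, 1500);
printf "%d members collected\n", scalar @all;
```

Against a real directory, replace $fake with ldap_fetcher($ldap, $group_dn), where $ldap is an already bound handle and $group_dn is the group's distinguished name.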