Glenn,
I was able to get the first pass of group members 0-1499, however,
when I attempt to make the subsequent query, 1500 - 2999, it fails,
then it tries 1500-* and fails as well. I am basically using the same
code you have below I have confirmed that the group has more them 1500
members.
unless (@members) {
$size = 1500;
$first = 0;
while (1) {
$last = $first + $size -1;
@tmp =
$entry->get_value("member;Range=${first}-${last}");
unless (@tmp) {
@tmp =
$entry->get_value("member;Range=${first}-*");
unless (@tmp) {
last;
}
}
push @members, @tmp;
$first += $size;
}
}
On 12/11/06, Glenn Lamb <[EMAIL PROTECTED]> wrote:
I got around this with a bit of a kludge: I first query the member
attribute with no range. If nothing is returned, I set up a loop to
query each range (of 1000 which is the limit our AD is set to return,
but can easily be modified). It first queries 0-999, then 1000-1999,
and so on. Say the group only had 1500 members, then the 1000-1999
query would fail. It tries again with 1000-*. When the loop tries
all these queries and still gets 0, it's done and lasts out...
I'm not sure if this code works perfectly below since I had to translate
it from what I'm really using. Let me know if you have any problems
with it:
$size = 1000;
@members = $entry->get_value("member");
if (@members == 0) {
$first = 0;
while(1) {
$last = $first + $size - 1;
@tmp = $entry->get_value("member;range=${first}-${last}");
@tmp = $entry->get_value("member;range=${first}-*") if @tmp
== 0;
last if @tmp == 0;
push @members, @tmp;
$first += $size;
}
}
printf "Group has %d members", scalar @members;
On Dec 11, 2006, at 9:57 PM, Megan Kielman wrote:
> Don,
>
> Thanks for the response.
>
> First of all you mentioned that if you don't specify a range and the
> group contains more then 1000 users, $entry->get_value("member") will
> return 'member;Range=0-999', however, in my case it doesn't appear to
> return anything becuase when I loop through the @members, it is empty.
>
> I tried using ('member;Range=0-*') and I still got nothing.
>
> I played around with the Range and specified an upper limit like 0-100
> and 100 of the users were returned. This method will work for this
> script because I am simply trying to determine if a group is empty,
> however, I may want the ability to return all members of a group,
> regardless of how many members there are.
>
> Thanks!
>
>
> On 12/11/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
>> Megan, I hope everything is going well for you. The trick for
>> getting
>> this to work is to request the attribute 'member;Range=0-*' and then
>> get_value('member;Range=0-*'). This should work on a group any size
>> although I haven't tested on enormous groups. The 'Range' is case
>> sensitive when requesting the attr but not on get_value. By
>> default if
>> the group has more than 1000 users, and you don't specify a range, it
>> will return 'member;Range=0-999'.
>>
>> You can play with the range...but here is one thing to keep in
>> mind. If
>> you use a value greater than the number of members it will return the
>> value as Range=0-*. For instance, if I have a group with 1025
>> members
>> here are the attributes I will get back:
>> 'member' returns 'member;Range=0-999'
>> 'member;Range=0-500' returns 'member;Range=0-500'
>> 'member;Range=0-1500' returns 'member;Range=0-*' (1500 is greater
>> than
>> the 1025 members)
>> 'member;Range=0-*' returns 'member;Range=0-*'
>>
>> Keep in mind you can use the dump method to output a quick "raw"
>> view of
>> everything in the entry object.
>>
>> Don
>>
>> -----Original Message-----
>> From: Graham Barr [mailto:[EMAIL PROTECTED]
>> Sent: Monday, December 11, 2006 4:51 PM
>> To: [EMAIL PROTECTED]
>> Cc: Perl-LDAP Mailing List
>> Subject: Fwd: Net::LDAP search
>>
>> Begin forwarded message:
>> > From: "Megan Kielman" <[EMAIL PROTECTED]>
>> > Date: December 11, 2006 5:41:02 PM CST
>> > Subject: Net::LDAP search
>> > Message-Id:
>> > <[EMAIL PROTECTED]>
>> >
>> > Graham,
>> >
>> > I hope it is ok that I am emailing you. Anyway, I am searching for
>> > groups in AD and writing the contents of the "member" attribute
>> to a
>> > file. I have found there are cases when some groups are not
>> returning
>> > the members, but when I look in AD, the group does in fact have
>> > members.
>> >
>> > One thing that is common amongst these groups is that when viewing
>> > them via ADUC, the members all have gray hair which according to MS
>> > means that the group contains more then 500 members.
>> >
>> > here is a sample of my code:
>> >
>> > my $ldap = Net::LDAPS->new($addr) or die "$@"; my $login =
>> > $ldap->bind($user, password=> $pass); my @srcargs1 = (
>> > base => $path,
>> > scope => "sub",
>> > filter => "(sAMAccountName=
>> > $group)",
>> > attrs => ['member',
>> 'name',
>> > 'description', 'managedBy', 'createTimeStamp', 'modifyTimeStamp'],
>> > control => [ $page ],
>> > );
>> > $search = $ldap->search(@srcargs1);
>> > foreach $entry ($search->entries) {
>> > @members = $entry->get_value
>> ("member");
>> > unless (scalar(@members)) {
>> > &getempty($entry);
>> > $count++;
>> > }else{
>> > print "$group is not empty
>> \n";
>> > }
>> > }
>> >
>>
>>
>>
--
Glenn Lamb
Systems Administrator
[EMAIL PROTECTED]
http://www.stanford.edu/~glamb/gpg.txt
CE4B 7186 D8FD 317F 8364 12CD 02BB ED17 F3E8 555C
