Don,

That dawned on me last night! I think I have one last question
regarding the '*'. Is that considered a wildcard?

Since I cannot request a range that exceeds the number of users, and
the wild card apparently doesn't work for me, is the best way to
handle it to continue to request a smaller range until I hit the exact
number of users? If that is the case, it seems like I would be
storming the DC with requests.

On 12/13/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
Megan, a search will only return one range.  You need to do a separate
search for each loop of your code requesting each different range until
you hit *.

Don

-----Original Message-----
From: Megan Kielman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 12, 2006 3:01 PM
To: Don C. Miller
Cc: Perl-LDAP Mailing List
Subject: Re: Net::LDAP search - active directory not returning member
list for large group

Don,

I can't seem to get Range=0-* to return anything. The best I have been
able to do is query Range=0-1499, or another combination that is less
than the total number of members (1658).

I did try $entry->dump which did show me all the attributes of that
object but I really need a way to recursively query AD until I get all
members of the groups. My email to Glenn and the list shows the code I
am using, but just in case:

unless (@members) {
    $size = 1500;
    $first = 0;
    while (1) {
        $last = $first + $size - 1;
        @tmp = $entry->get_value("member;Range=${first}-${last}");
        unless (@tmp) {
            @tmp = $entry->get_value("member;Range=${first}-*");
            unless (@tmp) {
                last;
            }
        }
        push @members, @tmp;
        $first += $size;
    }
}

This is getting frustrating...

On 12/12/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
> Megan, when I was doing testing with this I noticed there was some
> type of caching occurring with the requests.  I waited a while and
> since then I have been able to use the member;Range=0-* for every size
> group (use it in both the attr list and get_value).  It would be a
> good idea to check for the existence of other ranges in the return
> set.
>
> As for your comment on get_value("member").  This is where you want to
> use "member;Range=0-999" when you have just "member" in the attribute
> list, not vice versa.  If you use $entry->dump you will see what the
> object contains in a nice readable form.
>
> Don
>
> use Net::LDAP;
> my $ad_ldap = Net::LDAP->new('server');
> my $error = $ad_ldap->bind('dn', password => 'pass');
> my $group_search = undef;
> $group_search = $ad_ldap->search(
>   'base' => 'dc=contoso,dc=msft',
>   'filter' => "(&(objectClass=group)(samaccountname=mygroup))",
>   'attrs' => [ 'samaccountname', 'member;Range=0-*' ] );
> die if ($group_search->code);
> print $group_search->entry(0)->dump;
> my @members = $group_search->entry(0)->get_value('member;Range=0-*');
> print $#members;
> $ad_ldap->unbind;
>
> -----Original Message-----
> From: Megan Kielman [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 11, 2006 9:58 PM
> To: Don C. Miller
> Cc: Perl-LDAP Mailing List
> Subject: Re: Net::LDAP search - active directory not returning member
> list for large group
>
> Don,
>
> Thanks for the response.
>
> First of all you mentioned that if you don't specify a range and the
> group contains more than 1000 users, $entry->get_value("member") will
> return 'member;Range=0-999', however, in my case it doesn't appear to
> return anything because when I loop through the @members, it is empty.
>
> I tried using ('member;Range=0-*') and I still got nothing.
>
> I played around with the Range and specified an upper limit like 0-100
> and 100 of the users were returned. This method will work for this
> script because I am simply trying to determine if a group is empty,
> however, I may want the ability to return all members of a group,
> regardless of how many members there are.
>
> Thanks!
>
>
> On 12/11/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
> > Megan, I hope everything is going well for you.  The trick for
> > getting this to work is to request the attribute 'member;Range=0-*'
> > and then get_value('member;Range=0-*').  This should work on a group
> > any size although I haven't tested on enormous groups.  The 'Range'
> > is case sensitive when requesting the attr but not on get_value.  By
> > default if the group has more than 1000 users, and you don't specify
> > a range, it will return 'member;Range=0-999'.
> >
> > You can play with the range...but here is one thing to keep in mind.
> > If you use a value greater than the number of members it will return
> > the value as Range=0-*.  For instance, if I have a group with 1025
> > members here are the attributes I will get back:
> > 'member' returns 'member;Range=0-999'
> > 'member;Range=0-500' returns 'member;Range=0-500'
> > 'member;Range=0-1500' returns 'member;Range=0-*' (1500 is greater
> > than the 1025 members)
> > 'member;Range=0-*' returns 'member;Range=0-*'
> >
> > Keep in mind you can use the dump method to output a quick "raw"
> > view of everything in the entry object.
> >
> > Don
> >
> > -----Original Message-----
> > From: Graham Barr [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 11, 2006 4:51 PM
> > To: [EMAIL PROTECTED]
> > Cc: Perl-LDAP Mailing List
> > Subject: Fwd: Net::LDAP search
> >
> > Begin forwarded message:
> > > From: "Megan Kielman" <[EMAIL PROTECTED]>
> > > Date: December 11, 2006 5:41:02 PM CST
> > > Subject: Net::LDAP search
> > > Message-Id:
> > > <[EMAIL PROTECTED]>
> > >
> > > Graham,
> > >
> > > I hope it is ok that I am emailing you. Anyway, I am searching for
> > > groups in AD and writing the contents of the "member" attribute to
> > > a file. I have found there are cases when some groups are not
> > > returning the members, but when I look in AD, the group does in
> > > fact have members.
> > >
> > > One thing that is common amongst these groups is that when viewing
> > > them via ADUC, the members all have gray hair which according to
> > > MS means that the group contains more than 500 members.
> > >
> > > here is a sample of my code:
> > >
> > > my $ldap = Net::LDAPS->new($addr) or die "$@";
> > > my $login = $ldap->bind($user, password=> $pass);
> > > my @srcargs1 = (
> > >     base    => $path,
> > >     scope   => "sub",
> > >     filter  => "(sAMAccountName=$group)",
> > >     attrs   => ['member', 'name', 'description', 'managedBy',
> > >                 'createTimeStamp', 'modifyTimeStamp'],
> > >     control => [ $page ],
> > > );
> > > $search = $ldap->search(@srcargs1);
> > > foreach $entry ($search->entries) {
> > >     @members = $entry->get_value("member");
> > >     unless (scalar(@members)) {
> > >         &getempty($entry);
> > >         $count++;
> > >     }else{
> > >         print "$group is not empty\n";
> > >     }
> > > }
> > >
> >
> >
> >
>
>


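The approach the thread converges on (one search per range, continuing until the server returns a range ending in `*`) is sketched below as an added example; it is not code from any of the posters. The helper names (`fetch_all_ranged`, `ldap_fetcher`, `fake_fetcher`) are hypothetical, and the run at the bottom uses a constructed stand-in for a DC with 1658 members and an assumed 1500 values per reply, so it executes without a directory server.

```perl
use strict;
use warnings;

# Gather all values of a ranged attribute. $fetch->($spec) runs ONE search for
# $spec and returns (returned_attr_name, \@values), or nothing if attr is absent.
sub fetch_all_ranged {
    my ($fetch, $attr) = @_;
    my ($first, @all) = (0);
    while (1) {
        my ($name, $vals) = $fetch->("$attr;Range=$first-*");
        last unless defined $name;                 # empty group
        push @all, @$vals;
        # "lo-hi" in the returned name means more remain; "lo-*" means done.
        my ($hi) = $name =~ /;range=\d+-(\d+)$/i or last;
        $first = $hi + 1;
    }
    return @all;
}

# Fetcher for a live DC: $ldap is a bound Net::LDAP object (not exercised below).
sub ldap_fetcher {
    my ($ldap, $group_dn, $attr) = @_;
    return sub {
        my $mesg = $ldap->search(base => $group_dn, scope => 'base',
            filter => '(objectClass=*)', attrs => [ $_[0] ]);
        die $mesg->error if $mesg->code;
        my $entry = $mesg->entry(0) or return;
        my ($name) = grep { /^\Q$attr\E(?:;|$)/i } $entry->attributes;
        return defined $name ? ($name, [ $entry->get_value($name) ]) : ();
    };
}

# Constructed stand-in for a DC holding $total members, $max values per reply.
sub fake_fetcher {
    my ($total, $max, $calls) = @_;
    my @dn = map { "CN=user$_,DC=example,DC=test" } 1 .. $total;
    return sub {
        $$calls++;
        my ($lo) = $_[0] =~ /;range=(\d+)-/i;
        return if $lo >= $total;
        my $hi  = $lo + $max - 1;
        my $end = $hi < $total - 1 ? $hi : '*';    # final chunk is reported as "*"
        return ("member;range=$lo-$end", [ grep { defined } @dn[$lo .. $hi] ]);
    };
}

my $calls = 0;
my @members = fetch_all_ranged(fake_fetcher(1658, 1500, \$calls), 'member');
printf "%d members in %d searches\n", scalar @members, $calls;
```

Because each request starts where the previous reply ended, the number of searches is the member count divided by the per-reply limit, rounded up, rather than a series of shrinking guesses at the upper bound.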