Megan, with the 2000 AD environment I am testing against I can request
over the actual number of users in the group. The trouble is it will
return the wildcard when it is over. For instance, if I have a group
with 501 users here is what the loop requesting 250 users looks like:

member;Range=0-250 returns member;Range=0-250
member;Range=251-500 returns member;Range=251-500
member;Range=501-750 returns member;Range=501-*

You will need to always check for the ending wildcard which means you
have hit your limit and can exit the loop. To make it easy on yourself
for populating the @members array using what Graham suggested
->get_value('member', alloptions => 1) for each loop. Then use
->exists("member;Range=${first}-*") to determine if you are done.

Don

-----Original Message-----
From: Megan Kielman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 13, 2006 8:02 AM
To: Don C. Miller
Cc: Perl-LDAP Mailing List
Subject: Re: Net::LDAP search - active directory not returning member list for large group

Don,

That dawned on me last night! I think I have one last question
regarding the '*'. Is that considered a wildcard? Since I cannot request
a range that exceeds the number of users, and the wild card apparently
doesn't work for me, is the best way to handle it to continue to request
a smaller range until I hit the exact number of users? If that is the
case, it seems like I would be storming the DC with requests.

On 12/13/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
> Megan, a search will only return one range. You need to do a separate
> search for each loop of your code requesting each different range
> until you hit *.
>
> Don
>
> -----Original Message-----
> From: Megan Kielman [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 12, 2006 3:01 PM
> To: Don C. Miller
> Cc: Perl-LDAP Mailing List
> Subject: Re: Net::LDAP search - active directory not returning member
> list for large group
>
> Don,
>
> I can't seem to get Range=0-* to return anything. The best I have been
> able to do is query Range=0-1499, or another combination that is less
> than the total number of members (1658).
>
> I did try $entry->dump which did show me all the attributes of that
> object but I really need a way to recursively query AD until I get
> all members of the groups. My email to Glenn and the list shows the
> code I am using.
> but just in case:
>
> unless (@members) {
>     $size = 1500;
>     $first = 0;
>     while (1) {
>         $last = $first + $size -1;
>         @tmp = $entry->get_value("member;Range=${first}-${last}");
>         unless (@tmp) {
>             @tmp = $entry->get_value("member;Range=${first}-*");
>             unless (@tmp) {
>                 last;
>             }
>         }
>         push @members, @tmp;
>         $first += $size;
>     }
> }
>
> This is getting frustrating...
>
> On 12/12/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
> > Megan, when I was doing testing with this I noticed there was some
> > type of caching occurring with the requests. I waited a while and
> > since then I have been able to use the member;Range=0-* for every
> > size group (use it in both the attr list and get_value). It would be
> > a good idea to check for the existence of other ranges in the return
> > set.
> >
> > As for your comment on get_value("member"). This is where you want
> > to use "member;Range=0-999" when you have just "member" in the
> > attribute list, not vice versa. If you use $entry->dump you will
> > see what the object contains in a nice readable form.
> >
> > Don
> >
> > use Net::LDAP;
> > my $ad_ldap = Net::LDAP->new('server');
> > my $error = $ad_ldap->bind('dn', password => 'pass');
> > my $group_search = undef;
> > $group_search = $ad_ldap->search(
> >     'base'   => 'dc=contoso,dc=msft',
> >     'filter' => "(&(objectClass=group)(samaccountname=mygroup))",
> >     'attrs'  => [ 'samaccountname', 'member;Range=0-*' ] );
> > die if ($group_search->code);
> > print $group_search->entry(0)->dump;
> > my @members = $group_search->entry(0)->get_value('member;Range=0-*');
> > print $#members;
> > $ad_ldap->unbind;
> >
> > -----Original Message-----
> > From: Megan Kielman [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 11, 2006 9:58 PM
> > To: Don C. Miller
> > Cc: Perl-LDAP Mailing List
> > Subject: Re: Net::LDAP search - active directory not returning
> > member list for large group
> >
> > Don,
> >
> > Thanks for the response.
> >
> > First of all you mentioned that if you don't specify a range and the
> > group contains more than 1000 users, $entry->get_value("member")
> > will return 'member;Range=0-999', however, in my case it doesn't
> > appear to return anything because when I loop through the @members,
> > it is empty.
> >
> > I tried using ('member;Range=0-*') and I still got nothing.
> >
> > I played around with the Range and specified an upper limit like
> > 0-100 and 100 of the users were returned. This method will work for
> > this script because I am simply trying to determine if a group is
> > empty, however, I may want the ability to return all members of a
> > group, regardless of how many members there are.
> >
> > Thanks!
> >
> > On 12/11/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
> > > Megan, I hope everything is going well for you. The trick for
> > > getting this to work is to request the attribute 'member;Range=0-*'
> > > and then get_value('member;Range=0-*'). This should work on a group
> > > any size although I haven't tested on enormous groups. The 'Range'
> > > is case sensitive when requesting the attr but not on get_value. By
> > > default if the group has more than 1000 users, and you don't specify
> > > a range, it will return 'member;Range=0-999'.
> > >
> > > You can play with the range...but here is one thing to keep in mind.
> > > If you use a value greater than the number of members it will
> > > return the value as Range=0-*. For instance, if I have a group with
> > > 1025 members here are the attributes I will get back:
> > > 'member' returns 'member;Range=0-999'
> > > 'member;Range=0-500' returns 'member;Range=0-500'
> > > 'member;Range=0-1500' returns 'member;Range=0-*' (1500 is greater
> > > than the 1025 members)
> > > 'member;Range=0-*' returns 'member;Range=0-*'
> > >
> > > Keep in mind you can use the dump method to output a quick "raw"
> > > view of everything in the entry object.
> > >
> > > Don
> > >
> > > -----Original Message-----
> > > From: Graham Barr [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, December 11, 2006 4:51 PM
> > > To: [EMAIL PROTECTED]
> > > Cc: Perl-LDAP Mailing List
> > > Subject: Fwd: Net::LDAP search
> > >
> > > Begin forwarded message:
> > > > From: "Megan Kielman" <[EMAIL PROTECTED]>
> > > > Date: December 11, 2006 5:41:02 PM CST
> > > > Subject: Net::LDAP search
> > > > Message-Id: <[EMAIL PROTECTED]>
> > > >
> > > > Graham,
> > > >
> > > > I hope it is ok that I am emailing you. Anyway, I am searching
> > > > for groups in AD and writing the contents of the "member"
> > > > attribute to a file. I have found there are cases when some groups
> > > > are not returning the members, but when I look in AD, the group
> > > > does in fact have members.
> > > >
> > > > One thing that is common amongst these groups is that when
> > > > viewing them via ADUC, the members all have gray hair which
> > > > according to MS means that the group contains more than 500 members.
> > > >
> > > > here is a sample of my code:
> > > >
> > > > my $ldap = Net::LDAPS->new($addr) or die "$@";
> > > > my $login = $ldap->bind($user, password=> $pass);
> > > > my @srcargs1 = (
> > > >     base    => $path,
> > > >     scope   => "sub",
> > > >     filter  => "(sAMAccountName=$group)",
> > > >     attrs   => ['member', 'name', 'description', 'managedBy', 'createTimeStamp', 'modifyTimeStamp'],
> > > >     control => [ $page ],
> > > > );
> > > > $search = $ldap->search(@srcargs1);
> > > > foreach $entry ($search->entries) {
> > > >     @members = $entry->get_value("member");
> > > >     unless (scalar(@members)) {
> > > >         &getempty($entry);
> > > >         $count++;
> > > >     }else{
> > > >         print "$group is not empty\n";
> > > >     }
> > > > }
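
The range loop described in the top message of this thread, written out as an added example (not code from the thread or from the Net::LDAP distribution). fetch_range is a hypothetical stand-in for one search per range against a constructed 501-member group with made-up DNs; the loop reads the range the server actually returned from the attribute name and stops at the trailing '*'.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Entry;

# Constructed sample data: 501 made-up member DNs standing in for AD.
my @GROUP = map { "CN=user$_,OU=Staff,DC=contoso,DC=msft" } 1 .. 501;

# Hypothetical stand-in for one search per range. A real script would run
# $ldap->search(..., attrs => ["member;Range=$first-$last"]) here and
# return $search->entry(0).
sub fetch_range {
    my ($first, $last) = @_;
    my $entry = Net::LDAP::Entry->new;
    $entry->dn('CN=mygroup,DC=contoso,DC=msft');
    $entry->add(cn => 'mygroup');
    return $entry if $first > $#GROUP;           # past the end: no member values
    my $final = $last >= $#GROUP;                # request reaches the last member
    my $hi    = $final ? $#GROUP : $last;
    my $name  = "member;Range=$first-" . ($final ? '*' : $hi);
    $entry->add($name => [ @GROUP[$first .. $hi] ]);
    return $entry;
}

# Collect every member, one request per range, until the server answers
# with the "-*" form of the attribute name.
sub all_members {
    my ($size) = @_;
    my @members;
    my $first = 0;
    while (1) {
        my $entry = fetch_range($first, $first + $size - 1);
        # Use the range the server returned, not the one that was requested.
        my ($attr) = grep { /^member;range=\d+-(?:\d+|\*)$/i } $entry->attributes;
        last unless defined $attr;               # empty group or nothing left
        push @members, $entry->get_value($attr);
        my ($hi) = $attr =~ /-(\d+|\*)$/;
        last if $hi eq '*';                      # final chunk
        $first = $hi + 1;                        # continue after the returned upper bound
    }
    return @members;
}

my @members = all_members(250);
printf "%d members retrieved\n", scalar @members;
```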