Here is a link to an expired draft which seems to describe what MS implemented.
http://www.tkk.fi/cc/docs/kerberos/draft-kashi-incremental-00.txt

Graham.

On Wed, December 13, 2006 10:02 am, Megan Kielman wrote:
> Don,
>
> That dawned on me last night! I think I have one last question
> regarding the '*'. Is that considered a wildcard?
>
> Since I cannot request a range that exceeds the number of users, and
> the wild card apparently doesn't work for me, is the best way to
> handle it to continue to request a smaller range until I hit the exact
> number of users? If that is the case, it seems like I would be
> storming the DC with requests.
>
> On 12/13/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
>> Megan, a search will only return one range. You need to do a separate
>> search for each loop of your code requesting each different range until
>> you hit *.
>>
>> Don
>>
>> -----Original Message-----
>> From: Megan Kielman [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, December 12, 2006 3:01 PM
>> To: Don C. Miller
>> Cc: Perl-LDAP Mailing List
>> Subject: Re: Net::LDAP search - active directory not returning member
>> list for large group
>>
>> Don,
>>
>> I can't seem to get Range=0-* to return anything. The best I have been
>> able to do is query Range=0-1499, or another combination that is less
>> than the total number of members (1658).
>>
>> I did try $entry->dump which did show me all the attributes of that
>> object but I really need a way to recursively query AD until I get all
>> members of the groups. My email to Glenn and the list shows the code I
>> am using, but just in case:
>>
>> unless (@members) {
>>     $size = 1500;
>>     $first = 0;
>>     while (1) {
>>         $last = $first + $size -1;
>>         @tmp = $entry->get_value("member;Range=${first}-${last}");
>>         unless (@tmp) {
>>             @tmp = $entry->get_value("member;Range=${first}-*");
>>             unless (@tmp) {
>>                 last;
>>             }
>>         }
>>         push @members, @tmp;
>>         $first += $size;
>>     }
>> }
>>
>> This is getting frustrating...
>>
>> On 12/12/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
>> > Megan, when I was doing testing with this I noticed there was some
>> > type of caching occurring with the requests. I waited a while and
>> > since then I have been able to use the member;Range=0-* for every size
>> > group (use it in both the attr list and get_value). It would be a
>> > good idea to check for the existence of other ranges in the return
>> > set.
>> >
>> > As for your comment on get_value("member"). This is where you want to
>> > use "member;Range=0-999" when you have just "member" in the attribute
>> > list, not vice versa. If you use $entry->dump you will see what the
>> > object contains in a nice readable form.
>> >
>> > Don
>> >
>> > use Net::LDAP;
>> > my $ad_ldap = Net::LDAP->new('server');
>> > my $error = $ad_ldap->bind('dn', password => 'pass');
>> > my $group_search = undef;
>> > $group_search = $ad_ldap->search(
>> >     'base'   => 'dc=contoso,dc=msft',
>> >     'filter' => "(&(objectClass=group)(samaccountname=mygroup))",
>> >     'attrs'  => [ 'samaccountname', 'member;Range=0-*' ] );
>> > die if ($group_search->code);
>> > print $group_search->entry(0)->dump;
>> > my @members = $group_search->entry(0)->get_value('member;Range=0-*');
>> > print $#members;
>> > $ad_ldap->unbind;
>> >
>> > -----Original Message-----
>> > From: Megan Kielman [mailto:[EMAIL PROTECTED]
>> > Sent: Monday, December 11, 2006 9:58 PM
>> > To: Don C. Miller
>> > Cc: Perl-LDAP Mailing List
>> > Subject: Re: Net::LDAP search - active directory not returning member
>> > list for large group
>> >
>> > Don,
>> >
>> > Thanks for the response.
>> >
>> > First of all you mentioned that if you don't specify a range and the
>> > group contains more than 1000 users, $entry->get_value("member") will
>> > return 'member;Range=0-999', however, in my case it doesn't appear to
>> > return anything because when I loop through the @members, it is empty.
>> >
>> > I tried using ('member;Range=0-*') and I still got nothing.
>> >
>> > I played around with the Range and specified an upper limit like 0-100
>> > and 100 of the users were returned. This method will work for this
>> > script because I am simply trying to determine if a group is empty,
>> > however, I may want the ability to return all members of a group,
>> > regardless of how many members there are.
>> >
>> > Thanks!
>> >
>> > On 12/11/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
>> > > Megan, I hope everything is going well for you. The trick for
>> > > getting this to work is to request the attribute 'member;Range=0-*'
>> > > and then get_value('member;Range=0-*'). This should work on a group
>> > > any size although I haven't tested on enormous groups. The 'Range'
>> > > is case sensitive when requesting the attr but not on get_value. By
>> > > default if the group has more than 1000 users, and you don't specify
>> > > a range, it will return 'member;Range=0-999'.
>> > >
>> > > You can play with the range...but here is one thing to keep in mind.
>> > > If you use a value greater than the number of members it will return
>> > > the value as Range=0-*. For instance, if I have a group with 1025
>> > > members here are the attributes I will get back:
>> > > 'member' returns 'member;Range=0-999'
>> > > 'member;Range=0-500' returns 'member;Range=0-500'
>> > > 'member;Range=0-1500' returns 'member;Range=0-*' (1500 is greater
>> > > than the 1025 members)
>> > > 'member;Range=0-*' returns 'member;Range=0-*'
>> > >
>> > > Keep in mind you can use the dump method to output a quick "raw"
>> > > view of everything in the entry object.
>> > >
>> > > Don
>> > >
>> > > -----Original Message-----
>> > > From: Graham Barr [mailto:[EMAIL PROTECTED]
>> > > Sent: Monday, December 11, 2006 4:51 PM
>> > > To: [EMAIL PROTECTED]
>> > > Cc: Perl-LDAP Mailing List
>> > > Subject: Fwd: Net::LDAP search
>> > >
>> > > Begin forwarded message:
>> > > > From: "Megan Kielman" <[EMAIL PROTECTED]>
>> > > > Date: December 11, 2006 5:41:02 PM CST
>> > > > Subject: Net::LDAP search
>> > > > Message-Id: <[EMAIL PROTECTED]>
>> > > >
>> > > > Graham,
>> > > >
>> > > > I hope it is ok that I am emailing you. Anyway, I am searching for
>> > > > groups in AD and writing the contents of the "member" attribute to
>> > > > a file. I have found there are cases when some groups are not
>> > > > returning the members, but when I look in AD, the group does in
>> > > > fact have members.
>> > > >
>> > > > One thing that is common amongst these groups is that when viewing
>> > > > them via ADUC, the members all have gray hair which according to
>> > > > MS means that the group contains more than 500 members.
>> > > >
>> > > > here is a sample of my code:
>> > > >
>> > > > my $ldap = Net::LDAPS->new($addr) or die "$@";
>> > > > my $login = $ldap->bind($user, password=> $pass);
>> > > > my @srcargs1 = (
>> > > >     base => $path,
>> > > >     scope => "sub",
>> > > >     filter => "(sAMAccountName= $group)",
>> > > >     attrs => ['member', 'name', 'description', 'managedBy',
>> > > >               'createTimeStamp', 'modifyTimeStamp'],
>> > > >     control => [ $page ],
>> > > > );
>> > > > $search = $ldap->search(@srcargs1);
>> > > > foreach $entry ($search->entries) {
>> > > >     @members = $entry->get_value("member");
>> > > >     unless (scalar(@members)) {
>> > > >         &getempty($entry);
>> > > >         $count++;
>> > > >     }else{
>> > > >         print "$group is not empty\n";
>> > > >     }
>> > > > }
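
The approach Don describes in the thread (a separate search for each range, repeated until the returned attribute ends in `*`), written out as an added example; it is not code from any poster in this thread. `ldap_fetcher`, `all_members` and the five-member fake directory are hypothetical names and constructed data, and `$ldap` is assumed to be an already bound Net::LDAP handle.

```perl
use strict;
use warnings;
use Net::LDAP::Entry;

# Build a fetcher for a live directory: one base-scope search per range.
# $ldap is a bound Net::LDAP handle, $dn the group's DN (both assumptions).
sub ldap_fetcher {
    my ($ldap, $dn) = @_;
    return sub {
        my $mesg = $ldap->search(base => $dn, scope => 'base',
            filter => '(objectClass=*)', attrs => [ $_[0] ]);
        die $mesg->error if $mesg->code;
        return $mesg->entry(0);
    };
}

# Collect all members, asking for $window values per search.
sub all_members {
    my ($fetch, $window) = @_;
    my ($first, @members) = (0);
    while (1) {
        my $last  = $first + $window - 1;
        my $entry = $fetch->("member;Range=$first-$last") or last;
        # The reply is labelled with the range actually sent, which is
        # "member;Range=N-*" on the final chunk, so match the returned name.
        my ($attr) = grep { /^member;range=\d+-(?:\d+|\*)$/i } $entry->attributes;
        last unless defined $attr;
        push @members, $entry->get_value($attr);
        my ($end) = $attr =~ /-(\d+|\*)$/;
        last if $end eq '*';
        $first = $end + 1;
    }
    return @members;
}

# Constructed stand-in for a DC: 5 members, at most 2 values per reply.
my @fake = map { "CN=user$_,DC=example,DC=test" } 1 .. 5;
my $fake_fetch = sub {
    my ($first, $last) = $_[0] =~ /=(\d+)-(\d+)$/;
    return if $first > $#fake;
    $last = $first + 1 if $last > $first + 1;
    my $label = $last >= $#fake ? '*' : $last;
    $last = $#fake if $last > $#fake;
    my $entry = Net::LDAP::Entry->new;
    $entry->dn('CN=grp,DC=example,DC=test');
    $entry->add("member;Range=$first-$label" => [ @fake[$first .. $last] ]);
    return $entry;
};
my @all = all_members($fake_fetch, 3);
print scalar(@all), " members\n";
```

Against a real directory, pass `ldap_fetcher($ldap, $group_dn)` in place of `$fake_fetch`; the loop issues one search per chunk and stops as soon as the server labels a chunk with `*`.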