The -limit option for dsquery deals with the paging not with attributes. There was discussion on this topic a few years back and you can request the attribute with an additional range argument 'member;Range=0-*'. Hopefully this will provide you with consistent results. You could also do your own member "paging" by changing the ranges until no members are returned.
Don

-----Original Message-----
From: Spurrell Simon (KIDG 61) [mailto:simon.spurr...@credit-suisse.com]
Sent: Monday, March 29, 2010 6:59 AM
To: Prentice Bisbal; perl-ldap@perl.org
Subject: RE: search for one object with thousands of members fails

Yes I believe the AD does have a limit. I was using dsquery in the old days working in Exchange and AD.

dsquery * domainroot -filter "(&(objectCategory=Person)(!objectClass=contact))" -limit 0 -attr name department displayName

the "-limit 0" would make sure all attributes for all objects were returned.

-----Original Message-----
From: Prentice Bisbal [mailto:prent...@ias.edu]
Sent: Monday, March 29, 2010 3:43 PM
To: perl-ldap@perl.org
Subject: Re: search for one object with thousands of members fails

OpenLDAP, by default, limits the number of returned results to only 500, except for the admin user. Is it possible that AD has similar default limits? There should be some way to override that limit. Not sure if the line

my $page = Net::LDAP::Control::Paged->new(size => 500)

affects that limit.

Prentice

Michael McGovern wrote:
> I'm trying to extract a list of the members of a Global Group in AD.
> It works for groups with a small number (hundreds) of members but not
> for one with thousands. I don't even get the first few hundred of the
> large group.
>
> I've tried using LDAP_CONTROL_PAGED, but I think that it controls
> paging of large numbers of objects rather than single objects with
> large numbers of members.
>
> I would welcome suggestions to get around this problem
>
> Code snippet:
> ======================================================
> use Net::LDAP;
> use Net::LDAP::Control::Paged;
> use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);
> use Net::LDAP::Util qw(ldap_error_text ldap_error_name ldap_error_desc);
> $ldap_server = "college.my.dom";
> $bind_user = "myuser";
> $bind_pass = "mypassword";
> $ldap_base = "ou=Global Groups,dc=COLLEGE,dc=my,dc=dom";
> $ldap = Net::LDAP->new($ldap_server, debug => 0 ) or die "$@";
> $ldap->bind($bind_user,password=>$bind_pass) or die "$@";
> $group="students";
> my $page = Net::LDAP::Control::Paged->new(size => 500);
> my $cookie;
> my @args = (
>     base => $ldap_base,
>     filter => "(cn=$group)",
>     attrs => ['member'],
>     callback => \&process_entry,
>     control => [ $page ] );
>
> while ($results = $ldap->search(@args)) {
>     ($conres) = $results->control(LDAP_CONTROL_PAGED);
>     $cookie = $conres->cookie or last;
>     warn "got cookie\n"; # I never get a cookie, because there's only one object?
>     $page->cookie($cookie);
> };
>
> sub process_entry {
>     my $mesg = shift;
>     my $entry = shift;
>     (warn "end of entry\n", return) unless $entry;
>     foreach ( $entry->get_value("member")) {
>         # process member
>     };
> }
> ======================================================
>
>
> Mike
>

--
Prentice Bisbal
Linux Software Support Specialist/System Administrator
School of Natural Sciences
Institute for Advanced Study
Princeton, NJ
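
The range-based member "paging" suggested in the first reply, sketched in Perl as an added example (it is not code from any poster in this thread). The `fetch_all_values` helper, the fetch callback, the 3200 made-up DNs and the 1500-value cap of the stand-in server are assumptions so the loop runs offline; the commented stub shows how the callback could wrap a Net::LDAP search.

```perl
use strict;
use warnings;

# Collect every value of a multi-valued attribute by asking for it in ranges.
# $fetch->($spec) returns { returned_attribute_name => [values] } for the one
# matching entry, e.g. { 'member;range=0-1499' => [ ... ] }.
sub fetch_all_values {
    my ($attr, $fetch) = @_;
    my ($start, @all) = (0);
    while (1) {
        my $got = $fetch->("$attr;range=$start-*");
        # The server reports the range it actually returned in the name.
        my ($name) = grep { /^\Q$attr\E;range=\d+-(?:\d+|\*)$/i } keys %$got;
        last unless defined $name;      # no members returned: stop
        push @all, @{ $got->{$name} };
        my ($end) = $name =~ /-(\d+|\*)$/;
        last if $end eq '*';            # '*' as upper bound marks the last chunk
        $start = $end + 1;
    }
    return @all;
}

# Callback for a live server (assumes $ldap, $base and $group are already set;
# escape_filter_value is exported by Net::LDAP::Util and keeps the group name
# from altering the filter):
#   my $fetch = sub {
#       my ($spec) = @_;
#       my $m = $ldap->search(base => $base, attrs => [$spec],
#                             filter => '(cn=' . escape_filter_value($group) . ')');
#       die $m->error if $m->code;
#       my $e = $m->entry(0) or return {};
#       return { map { $_ => [ $e->get_value($_) ] } $e->attributes };
#   };

# Constructed stand-in for the server: at most $cap values per reply.
my @directory = map { "CN=user$_,OU=People,DC=example,DC=test" } 1 .. 3200;
my $cap = 1500;
my $fake_server = sub {
    my ($spec) = @_;
    my ($from) = $spec =~ /;range=(\d+)-\*$/i or die "unexpected spec: $spec";
    return {} if $from > $#directory;
    my $to   = $from + $cap - 1;
    my $last = $to >= $#directory;
    $to = $#directory if $last;
    return { "member;range=$from-" . ($last ? '*' : $to) => [ @directory[$from .. $to] ] };
};

my @members = fetch_all_values('member', $fake_server);
printf "%d members retrieved\n", scalar @members;
```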