Thanks contributors, especially Don for the 'range=0-*' tip. That did the trick.
Also thanks to Graham Barr for the 'debug => 15' tip, which showed I was getting the data back OK but not displaying it, because the attribute in get_value has to be something like 'member;range=1000-1999' as opposed to 'member'.

Mike

2010/3/29 Miller, Don C. <d...@uidaho.edu>:
> The -limit option for dsquery deals with the paging not with attributes.
> There was discussion on this topic a few years back and you can request
> the attribute with an additional range argument 'member;Range=0-*'.
> Hopefully this will provide you with consistent results. You could also
> do your own member "paging" by changing the ranges until no members are
> returned.
>
> Don
>
> -----Original Message-----
> From: Spurrell Simon (KIDG 61) [mailto:simon.spurr...@credit-suisse.com]
> Sent: Monday, March 29, 2010 6:59 AM
> To: Prentice Bisbal; perl-ldap@perl.org
> Subject: RE: search for one object with thousands of members fails
>
> Yes I believe the AD does have a limit.
>
> I was using dsquery in the old days working in Exchange and AD.
>
> dsquery * domainroot -filter
> "(&(objectCategory=Person)(!objectClass=contact))" -limit 0 -attr name
> department displayName
>
> the "-limit 0" would make sure all attributes for all objects were
> returned.
>
> -----Original Message-----
> From: Prentice Bisbal [mailto:prent...@ias.edu]
> Sent: Monday, March 29, 2010 3:43 PM
> To: perl-ldap@perl.org
> Subject: Re: search for one object with thousands of members fails
>
> OpenLDAP, by default, limits the number of returned results to only 500,
> except for the admin user. Is it possible that AD has similar default
> limits? There should be some way to override that limit. Not sure if the
> line
>
> my $page = Net::LDAP::Control::Paged->new(size => 500)
>
> affects that limit.
>
> Prentice
>
> Michael McGovern wrote:
>> I'm trying to extract a list of the members of a Global Group in AD.
>> It works for groups with a small number (hundreds) of members but not
>> for one with thousands. I don't even get the first few hundred of the
>> large group.
>>
>> I've tried using LDAP_CONTROL_PAGED, but I think that it controls
>> paging of large numbers of objects rather than single objects with
>> large numbers of members.
>>
>> I would welcome suggestions to get around this problem
>>
>> Code snippet:
>> ======================================================
>> use Net::LDAP;
>> use Net::LDAP::Control::Paged;
>> use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);
>> use Net::LDAP::Util qw(ldap_error_text ldap_error_name ldap_error_desc);
>> $ldap_server = "college.my.dom";
>> $bind_user = "myuser";
>> $bind_pass = "mypassword";
>> $ldap_base = "ou=Global Groups,dc=COLLEGE,dc=my,dc=dom";
>> $ldap = Net::LDAP->new($ldap_server, debug => 0 ) or die "$@";
>> $ldap->bind($bind_user,password=>$bind_pass) or die "$@";
>> $group="students";
>> my $page = Net::LDAP::Control::Paged->new(size => 500);
>> my $cookie;
>> my @args = (
>>     base => $ldap_base,
>>     filter => "(cn=$group)",
>>     attr => "member",
>>     callback => \&process_entry,
>>     control => [ $page ] );
>>
>> while ($results = $ldap->search(@args)) {
>>     ($conres) = $results->control(LDAP_CONTROL_PAGED);
>>     $cookie = $conres->cookie or last;
>>     warn "got cookie\n"; # I never get a cookie, because there's only one object?
>>     $page->cookie($cookie);
>> };
>>
>> sub process_entry {
>>     my $mesg = shift;
>>     my $entry = shift;
>>     (warn "end of entry\n", return) unless $entry;
>>     foreach ( $entry->get_value("member")) {
>>         # process member
>>     };
>> }
>> ======================================================
>>
>>
>> Mike
>>
>
> --
> Prentice Bisbal
> Linux Software Support Specialist/System Administrator
> School of Natural Sciences
> Institute for Advanced Study
> Princeton, NJ
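
Added example (not part of the original thread and not perl-ldap's own code): the "change the ranges until no members are returned" loop Don describes, written so that it reads values under the ranged attribute name the server sends back, which is the detail Mike found with 'debug => 15'. The names fetch_all_ranged and ldap_fetcher, the in-memory stand-in for the directory, its example.test DNs and its 1000-value chunk size are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper: gather every value of a ranged AD attribute.
# $fetch->($attr_desc) returns { returned_attribute_name => [values] }
# for one base-scope read of the group entry.
sub fetch_all_ranged {
    my ($fetch, $attr) = @_;
    my ($low, @all) = (0);
    while (1) {
        my $got = $fetch->("$attr;range=$low-*");
        # The reply is keyed by the ranged name (e.g. 'member;range=0-999'),
        # so get_value('member') finds nothing; match the returned name.
        my ($name) = grep { /^\Q$attr\E;range=\d+-(?:\d+|\*)$/i } keys %$got;
        last unless defined $name;            # nothing returned: done
        push @all, @{ $got->{$name} };
        my ($high) = $name =~ /-(\d+|\*)$/;
        last if $high eq '*';                 # '*' marks the final chunk
        $low = $high + 1;
    }
    return @all;
}

# Adapter for a live directory (defined but not called in this offline run).
# $ldap is an already-bound Net::LDAP object, $dn the group's DN.
sub ldap_fetcher {
    my ($ldap, $dn) = @_;
    return sub {
        my $mesg = $ldap->search(base => $dn, scope => 'base',
            filter => '(objectClass=*)', attrs => [ $_[0] ]);
        die $mesg->error if $mesg->code;
        my $entry = $mesg->entry(0) or return {};
        return +{ map { ($_ => [ $entry->get_value($_) ]) } $entry->attributes };
    };
}

# Constructed stand-in for the server: 3200 made-up member DNs, served
# in chunks of 1000 (chunk size is an assumption for this demo).
my @members = map { "CN=user$_,OU=Students,DC=example,DC=test" } 1 .. 3200;
my $fake = sub {
    my ($attr, $low) = $_[0] =~ /^(\w+);range=(\d+)-\*$/i or return {};
    return {} if $low > $#members;
    my $high = $low + 999;
    return +{ "$attr;range=$low-*" => [ @members[$low .. $#members] ] }
        if $high >= $#members;
    return +{ "$attr;range=$low-$high" => [ @members[$low .. $high] ] };
};
my @got = fetch_all_ranged($fake, 'member');
printf "%d members retrieved\n", scalar @got;
```

Against a real server, pass ldap_fetcher($ldap, $group_dn) instead of $fake; a membership audit that asks only for plain 'member' can come back short without any error.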