As you probably just read, Microsoft say that if I query for the "member"
attribute in the case of a group with a large membership, say 9000, the
domain controller (DC) will send me back two attributes: an empty "member"
attribute and a 1500 item attribute named "member;range=0-1499".
Apparently, that's how we're to know we need to use the range retrieval
technique. Next query would be for member;range=1500-* and they send back
that one empty but with a new one named member;range=1500-2999. Indicating
need for yet another round.
Well, I did this in a python interactive session:
>>> import active_directory as ad
>>> gau = ad.find_group('google apps users')
>>> len(gau.member)
1500
>>> for p in gau.properties:
... print p
The resulting list of property names contained "member", but nothing like
"member;range=0-1499." And "member" has 1500 items.
I did it in perl (needing *many* more lines :-) ) using the Net::LDAP
modules and got back an empty "member" attribute and a 1500 value
member;range=0-1499" attribute. So I expect AD is sending what MS says it
is.
Do you suppose something in pywin32 is munging the attributes names?
Thanks,
Mike
On Thu, Mar 11, 2010 at 9:59 AM, Tim Golden <m...@timgolden.me.uk> wrote:
> On 11/03/2010 14:51, Mike Diehn wrote:
>
>> Thanks, Tim.
>>
>> I've just subscribed to the python-win32 mailing list and I'll copy this
>> post to it.
>>
>> So, my task, in this instance is to retrieve the membership list of a 1650
>> member AD security group. That means the group has a 1650 item
>> multi-value
>> attribute. It's refusing to send more than 1500, of course. Since this
>> isn't about objects, page_size and size_limit don't *appear* to help.
>> Instead, last night I was working on a technique called "range
>> retrieval."
>>
>
> Ah, sorry. I didn't read closely enough. Range retrieval is a pain because
> you *have* to be retrieving at least as many items as you're requesting,
> so you can't just say "give me 1-20,000", knowing that it'll work every
> time.
>
> I've been struggling to find a clean way to include this in my slightly
> improved AD interface, but haven't found one yet :(. I must confess I
> didn't realise it would actually cap the retrieval if you didn't include
> a range. I don't think any of our groups have as many as 1500 members.
>
> Didn't know about that -* trick on the last loop, either. You live and
> learn.
>
> TJG
> _______________________________________________
> python-win32 mailing list
> python-win32@python.org
> http://mail.python.org/mailman/listinfo/python-win32
>
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit
> http://www.messagelabs.com/email______________________________________________________________________
>
--
Mike Diehn
Senior Systems Administrator
ANSYS, Inc - Lebanon, NH Office
mike.di...@ansys.com, (603) 727-5492
_______________________________________________
python-win32 mailing list
python-win32@python.org
http://mail.python.org/mailman/listinfo/python-win32
