Full_Name: Petter Reinholdtsen
Version: 2.1.30
OS: Debian GNU/Linux Etch
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:700:100:6:213:72ff:fe93:c639)
I ran into this problem when trying to use nss-ldapd with LDAP from a Microsoft Active Directory server. The problem only appears if there are more than 1500 members in a group. When there are fewer than 1500 members, the result from the LDAP server looks like this:
member: CN=user1,OU=Elever,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
member: CN=user2,OU=Ansatte,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
This is properly handled by ldap_get_values(), and the nss-ldapd module works properly. For groups with more than 1500 members, the result from the LDAP server looks like this:
member;range=0-1499: CN=user1,OU=Elever,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
member;range=0-1499: CN=user2,OU=Ansatte,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
This notation is not handled by ldap_get_values(), and it returns NULL, resulting in a group with zero members. Is there a way to parse such "paged" attributes using the openldap library, and could ldap_get_values() be changed to handle these?
Is the range= notation legal LDAP notation? I have been unable to find information about this in any RFC, but our resident LDAP expert mentioned that it could be according to some extension specification. I have not been able to find information about it.
To get the rest of the members I have to ask for attribute 'member;range=1500-*' and repeat this until the result shows for example 'range=6000-*' to indicate that this is the last batch of members.
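The retrieval loop described in the report, as an added example (not OpenLDAP or nss-ldapd code): parse the range option on the attribute description the server returns, and build the attribute to request for the next batch until a range ending in '*' arrives. The function names parse_range_attr() and next_range_attr() are hypothetical; in a real client the attribute descriptions would come from ldap_first_attribute()/ldap_next_attribute() on the search result.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* One batch from an attribute description "TYPE;range=LOW-HIGH": base is the
 * attribute type, high is -1 and is_last set when the server sent "LOW-*". */
struct range_info { char base[64]; long low, high; int is_last; };

/* Parse "member;range=0-1499" or "member;range=6000-*" into *out.
 * Returns 1 on success, 0 when there is no range option or it is malformed. */
int parse_range_attr(const char *desc, struct range_info *out)
{
    const char *opt = strstr(desc, ";range=");
    const char *p; char *end; size_t blen;

    if (opt == NULL)
        return 0;
    blen = (size_t)(opt - desc);
    if (blen == 0 || blen >= sizeof out->base)
        return 0;
    memcpy(out->base, desc, blen);
    out->base[blen] = '\0';
    p = opt + strlen(";range=");
    if (!isdigit((unsigned char)*p))
        return 0;
    out->low = strtol(p, &end, 10);
    if (*end != '-')
        return 0;
    p = end + 1;
    out->is_last = (strcmp(p, "*") == 0);   /* "LOW-*" marks the final batch */
    if (out->is_last) {
        out->high = -1;
        return 1;
    }
    if (!isdigit((unsigned char)*p))
        return 0;
    out->high = strtol(p, &end, 10);
    return *end == '\0' && out->high >= out->low;
}

/* Attribute to request for the next batch, e.g. "member;range=1500-*".
 * Returns 0 when the final batch has already been received. */
int next_range_attr(const struct range_info *r, char *buf, size_t buflen)
{
    if (r->is_last)
        return 0;
    snprintf(buf, buflen, "%s;range=%ld-*", r->base, r->high + 1);
    return 1;
}
```

A client repeats the search with the attribute from next_range_attr() until it returns 0, collecting the values of each batch along the way.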