On Apr 16, 2008, at 7:58 AM, pere@hungry.com wrote:
> Full_Name: Petter Reinholdtsen
> Version: 2.1.30
> OS: Debian GNU/Linux Etch
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:700:100:6:213:72ff:fe93:c639)
>
> I ran into this problem when trying to use nss-ldapd with LDAP from a Microsoft Active Directory server. The problem only appears if there are more than 1500 members in a group. When there are fewer than 1500 members, the result from the LDAP server looks like this:
>
> member: CN=user1,OU=Elever,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
> member: CN=user2,OU=Ansatte,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
>
> This is properly handled by ldap_get_values(), and the nss-ldapd module works properly. For groups with more than 1500 members, the result from the LDAP server looks like this:
>
> member;range=0-1499: CN=user1,OU=Elever,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
> member;range=0-1499: CN=user2,OU=Ansatte,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
>
> This notation is not handled by ldap_get_values(), and it returns NULL, resulting in a group with zero members.
This is proper and well-intended behavior. You asked for values returned under the attribute description "member", not the (invalid) attribute description "member;range=0-1499". Two attribute descriptions which share the same attribute type do not necessarily refer to the same attribute.
> Is there a way to parse such "paged" attributes using the openldap library, and could ldap_get_values() be changed to handle these?
>
> Is the range= notation legal LDAP notation?
No. Attribute description options cannot contain equal signs. See RFC 4512.
> I have been unable to find information about this in any RFC, but our resident LDAP expert mentioned that it could be according to some extension specification.
Microsoft might offer some specification for this crap. But I note that it's an improper extension as extensions should be truly optional (per RFC 4521 and common sense).
> Have not been able to find information about it.
>
> To get the rest of the members I have to ask for attribute 'member;range=1500-*' and repeat this until the result shows for example 'range=6000-*' to indicate that this is the last batch of members.
If you want to implement this crap, you can do so without additional support from the LDAP API. Use the ldap_first/next_attribute API.
-- Kurt
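One way to do what Kurt describes with the per-attribute API, as an added example that is not code from this thread or from OpenLDAP: it parses the "attr;range=lo-hi" option from a description as returned by ldap_first_attribute()/ldap_next_attribute(), recognises the final "lo-*" batch, and builds the next description to request. The function names parse_range_option and next_range_request are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of an Active Directory ranged attribute description such as
 * "member;range=0-1499" (a middle batch) or "member;range=6000-*" (last batch). */
struct ad_range {
    char attr[64];  /* base attribute type, e.g. "member" */
    long lo;        /* index of the first value in this batch */
    long hi;        /* index of the last value, or -1 when the server sent "*" */
};

/* Returns 1 and fills *r when desc carries a range option, 0 otherwise
 * (plain "member" or a different option such as "member;binary" give 0). */
int parse_range_option(const char *desc, struct ad_range *r)
{
    const char *opt = strchr(desc, ';');
    if (opt == NULL || strncmp(opt, ";range=", 7) != 0)
        return 0;
    size_t n = (size_t)(opt - desc);
    if (n == 0 || n >= sizeof r->attr)
        return 0;
    memcpy(r->attr, desc, n);
    r->attr[n] = '\0';

    const char *p = opt + 7;
    char *end;
    r->lo = strtol(p, &end, 10);
    if (end == p || *end != '-' || r->lo < 0)
        return 0;
    p = end + 1;
    if (p[0] == '*' && p[1] == '\0') {   /* "lo-*": nothing more to fetch */
        r->hi = -1;
        return 1;
    }
    r->hi = strtol(p, &end, 10);
    return end != p && *end == '\0' && r->hi >= r->lo;
}

/* Writes the description to request for the following batch, e.g.
 * "member;range=1500-*" after "member;range=0-1499". Returns 0 when the
 * batch just parsed was the last one, so the caller stops iterating. */
int next_range_request(const struct ad_range *r, char *out, size_t outlen)
{
    if (r->hi < 0)
        return 0;
    snprintf(out, outlen, "%s;range=%ld-*", r->attr, r->hi + 1);
    return 1;
}
```

In a real client the loop is: search for the group, walk its attribute descriptions with ldap_first_attribute()/ldap_next_attribute(), feed each to parse_range_option(), and re-issue the search with the description from next_range_request() until it returns 0.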