Full_Name: Marc Pape
Version: 2.4.48
OS: Debian 9 Kernel 4.9
URL: https://qnap.testlab-lpz.de/share.cgi?ssid=0NbcOIY
Submission from: (NULL) (80.153.108.120)

Hello dear OpenLDAP-Team,

we have a problem with the OpenLDAP Server which we operate as LDAP Proxy. In our deployment the OpenLDAP Proxy is for synchronization and authentication between a Cisco Callmanager 12.5 and two Microsoft Active Directories in version 2008R2. The Cisco Callmanager can only handle one directory, but in some customer deployments there are two different directories.
For that scenario we installed a Debian 9 server with OpenLDAP 2.4.48. The synchronization and authentication work until one directory has more than 50 users.
The Cisco Callmanager uses a SearchControlValue with size 50. When synchronizing the Callmanager directly against one Microsoft AD, the Microsoft server will send responses with 50 users each and, at the end after all responses, an unbindRequest. In our lab deployment we successfully tested the Cisco Callmanager against a Microsoft AD with over 2000 end users. With the OpenLDAP server placed between the Cisco Callmanager and the Microsoft AD, OpenLDAP sends the unbindRequest directly after the first response with the first 50 users. All other requests and over 1950 users don't synchronize to the Cisco Callmanager.
Is there a possible solution to send that unbindRequest after all responses and all users from the Microsoft AD have been sent to the Callmanager in those 50-user steps / responses?
I've provided the configuration file of the OpenLDAP server and a pcap file from a synchronization run in the upload below. The pcap file shows the following IPs and servers:

10.34.100.2 Cisco Callmanager
10.34.100.110 Debian 9 with OpenLDAP as LDAP Proxy
10.34.100.16 Microsoft AD #1
10.34.100.17 Microsoft AD #2

Kind regards Marc Pape
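
Added example, not part of the original report and not OpenLDAP code: assuming the "SearchControlValue with size 50" is the RFC 2696 paged-results control, this Python sketch decodes the control value carried on each searchResDone in a capture and reports whether paging actually finished (empty cookie) or was cut off after an early page. The function names and hex samples are constructed for illustration and are not taken from the reporter's pcap.

```python
# Added example. Assumption: the control is the RFC 2696 paged-results control,
# whose value is SEQUENCE { size INTEGER, cookie OCTET STRING }.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def decode_paged_control(value):
    """Decode a control value into (size, cookie)."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    t_size, size_raw, pos = _read_tlv(body, 0)
    t_cookie, cookie, pos = _read_tlv(body, pos)
    if t_size != 0x02 or t_cookie != 0x04 or pos != len(body):
        raise ValueError("expected INTEGER size and OCTET STRING cookie")
    return int.from_bytes(size_raw, "big", signed=True), cookie

def paging_finished(done_controls):
    """True only if the last searchResDone control has an empty cookie."""
    if not done_controls:
        return False
    return decode_paged_control(done_controls[-1])[1] == b""

# Constructed sample values (not taken from the reporter's pcap).
REQUEST_FIRST = bytes.fromhex("30050201320400")             # size=50, no cookie yet
RESPONSE_MORE = bytes.fromhex("3009020100" "0404deadbeef")  # more pages pending
RESPONSE_LAST = bytes.fromhex("30050201000400")             # empty cookie: done

if __name__ == "__main__":
    print(decode_paged_control(REQUEST_FIRST))
    print(paging_finished([RESPONSE_MORE]))                 # cut off after page 1
    print(paging_finished([RESPONSE_MORE, RESPONSE_LAST]))  # full run
```

Running the same check on the control values seen on the client side and on the backend side of the proxy shows on which leg the non-empty cookie stops being followed up.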