Hello,
I have been working on implementing OpenLDAP as an AD proxy. I now have a setup that I am happy with overall, except for one strange behaviour:
When browsing AD via the proxy, I do not get all the results in a given OU.
Notes:
* The OUs never contain more than 200-250 entries, well below both AD and OpenLDAP's default limits?
* Different LDAP clients end up displaying different amounts of results, though the amount seems to be consistent within a given client. So for OU X ldp.exe shows Y results always, but Apache Directory Studio shows Z results, always.
* When doing a search, if I ask to return only specific attributes, the number of results returned shrinks. So when I search on objectClass=* on a given OU I get X results, if I request one attribute only, the list returned shrinks a little bit, if I add another attribute, the list shrinks again!
* If I use those exact same clients to connect to AD directly, with all other things being equal, there is no such issue, and all expected results are shown. I never configure any special client limits, paging, etc. on either connection (AD or OpenLDAP).
* I am using a binary build of 2.4.49 for Windows.
* Authentication is done via local database with a different DN, there is no rebind-as-user.
* There are ACLs on the proxy to restrict access to certain OUs.
It seems as if I am hitting some sort of limit, as suggested by the fact that when I make a more complex search, the number of results shrinks ... but this does not appear to be a number of results or time limit, and either way I am well under 1000 results and under 60 seconds (The default limits I think?).
So ... what's going on? Anyone have any idea? I'm stumped ...
Thanks!
Jean-François Doyon
Gestionnaire, Opérations et sécurité des T.I. Commissariat aux langues officielles jean-francois.doyon@clo-ocol.gc.ca / Tél. : 613-218-0547
Manager, I.T. Operations and security Office of the Commissioner of Official Languages jean-francois.doyon@ocol-clo.gc.ca / Tel: 613-218-0547
openldap-technical@openldap.org