I have been working on implementing OpenLDAP as an AD proxy. I now have a setup that I am
happy with over all, except for one strange behaviour:
When browsing AD via the proxy, I do not get all the results in a given OU.
* The OUs never contain more than 200-250 entries, well below both AD and
OpenLDAP's default limits?
* Different LDAP clients end up displaying different amounts of results, though the
amount seems to be consistent within a given client. So for OU X ldp.exe shows Y results
always, but Apache Directory Studio shows Z results, always.
* When doing a search, if I ask to return only specific attributes, the number of
results returned shrinks. So when I search on objectClass=* on a given OU I get X results,
if I request one attribute only, the list returned shrinks a little bit, if I add another
attribute, the list shrinks again!
* If I use those exact same clients to connect to AD directly, with all other things
being equal, there is no such issue, and all expected results are shown. I never configure
any special client limits, paging, etc. on either connection (AD or OpenLDAP).
* I am using a binary build of 2.4.49 for Windows.
* Authentication is done via local database with a different DN, there is no
* There are ACLs on the proxy to restrict access to certain OUs.
It seems as if I am hitting some sort of limit, as suggest but the fact that when I make a
more complex search, the number of results shrinks ... but this does not appear to be a
number of results or time limit, and either way I am well under 1000 results and under 60
seconds (The default limits I think?).
So ... what's going on? Anyone have any idea? I'm stumped ...
Gestionnaire, Opérations et sécurité des T.I.
Commissariat aux langues officielles
email@example.com<mailto:firstname.lastname@example.org> / Tél.
Manager, I.T. Operations and security
Office of the Commissioner of Official Languages
email@example.com<mailto:firstname.lastname@example.org> / Tel:
Show replies by date