Hello OpenLDAP-Technical,
I am testing the dirSync replication. I am trying to replicate Active Directory (Windows Server 2019) -> OpenLDAP 2.5.12 from symas-openldap-servers-2.5.12-1.el8.x86_64 RPM on RedHat 8.6. Group members are not replicating, and I am seeing this error:
syncrepl_dirsync_message: rid=999 unknown attributeType member;range=1-1
In this case, "member" is a recognized attribute per "core.schema" and is not a problem unless sent with the range indicator, which seems not to be part of the protocol but rather to be an AD "embellishment". Those responsible for AD call this "Searching Using Range Retrieval" if you care to look it up.
I guess AD has this default now of 1500 max values for an LDAP response, and it will indicate that the attribute has greater than this number of values by sending "member;range=0-1499" instead of "member" as the attribute type in the result data if there are more than 1500 values, and subsequently, if the amount is greater than 3000, "member;range=1500-2999", etc.
I also observed (using packet capture) that when using the dirSync control, all groups are sent with this range notation, even if below the limit; even if there is just one member, Windows Server 2019 AD DS sends a PartialAttributeList of type "member;range=1-1". Using ldapsearch without the control, however, the range notation is only sent if the number of member values is greater than the 1500 limit.
So I am wondering if anyone else has seen this? Am I doing something wrong or is this a bug? What version of Windows was the dirSync syncrepl functionality developed to work with and/or tested with?
I can provide more info as needed as this issue is just testing right now in my local lab.
Thanks,
Chris Paul | Rex Consulting | https://www.rexconsulting.net
Christopher Paul wrote:
Hello OpenLDAP-Technical,
I am testing the dirSync replication. I am trying to replicate Active Directory (Windows Server 2019) -> OpenLDAP 2.5.12 from symas-openldap-servers-2.5.12-1.el8.x86_64 RPM on RedHat 8.6. Group members are not replicating, and I am seeing this error:
syncrepl_dirsync_message: rid=999 unknown attributeType member;range=1-1
In this case, "member" is a recognized attribute per "core.schema" and is not a problem unless sent with the range indicator, which seems not to be part of the protocol but rather to be an AD "embellishment". Those responsible for AD call this "Searching Using Range Retrieval" if you care to look it up.
I guess AD has this default now of 1500 max values for an LDAP response, and it will indicate that the attribute has greater than this number of values by sending "member;range=0-1499" instead of "member" as the attribute type in the result data if there are more than 1500 values, and subsequently, if the amount is greater than 3000, "member;range=1500-2999", etc.
I also observed (using packet capture) that when using the dirSync control, all groups are sent with this range notation, even if below the limit; even if there is just one member, Windows Server 2019 AD DS sends a PartialAttributeList of type "member;range=1-1". Using ldapsearch without the control, however, the range notation is only sent if the number of member values is greater than the 1500 limit.
So I am wondering if anyone else has seen this? Am I doing something wrong or is this a bug? What version of Windows was the dirSync syncrepl functionality developed to work with and/or tested with?
No bug. Use the attributeoptions config directive to define range= as a valid attribute option.
openldap-technical@openldap.org
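The following is an added illustration, not code from the thread, OpenLDAP or Microsoft. It models the two things discussed above: how AD's "Searching Using Range Retrieval" tags the attribute description ("member;range=0-1499", a final chunk "member;range=1500-*", and the "member;range=1-1" form seen under dirSync), and why a consumer that has not been told "range=" is a valid attribute option reports the base type as unknown, which is what the attributeoptions directive in the reply fixes. The schema check is a simplified model of the consumer's behaviour (it treats configured option names as prefixes; that is an assumption, not OpenLDAP's exact matching rules), and the group entries are constructed sample data.

```python
import re

# AD's range option on an attribute description: "range=<lo>-<hi>" or "range=<lo>-*"
# for the final chunk.  Option names are case-insensitive in LDAP.
RANGE_OPT = re.compile(r"^range=(\d+)-(\d+|\*)$", re.IGNORECASE)


def parse_attribute_description(desc):
    """Split 'member;range=0-1499' into (base_type, other_options, (lo, hi)).
    hi is None for the final chunk 'range=N-*'; the range tuple is None when
    no range option is present."""
    base, *options = desc.split(";")
    others, rng = [], None
    for opt in options:
        m = RANGE_OPT.match(opt)
        if m:
            lo = int(m.group(1))
            hi = None if m.group(2) == "*" else int(m.group(2))
            rng = (lo, hi)
        else:
            others.append(opt)
    return base, others, rng


def resolve_attribute_type(desc, schema_types, attribute_options):
    """Simplified model of the consumer-side schema check behind the thread's error.
    schema_types: attribute types known from the loaded schema (e.g. core.schema).
    attribute_options: option names accepted on the wire, i.e. what the
    attributeoptions directive configures (assumed here to match as prefixes).
    Returns the base type, or raises ValueError('unknown attributeType ...')."""
    base, others, rng = parse_attribute_description(desc)
    if base.lower() not in {t.lower() for t in schema_types}:
        raise ValueError(f"unknown attributeType {desc}")
    options_on_wire = list(others) + (["range="] if rng is not None else [])
    for opt in options_on_wire:
        if not any(opt.lower().startswith(a.lower()) for a in attribute_options):
            raise ValueError(f"unknown attributeType {desc}")
    return base


def next_range_request(desc):
    """For a ranged chunk, return the description to request in the next search,
    following AD's range retrieval: 'member;range=0-1499' -> 'member;range=1500-*'.
    Returns None for the final chunk (hi == '*') or for an unranged attribute."""
    base, others, rng = parse_attribute_description(desc)
    if rng is None or rng[1] is None:
        return None
    return ";".join([base, *others, f"range={rng[1] + 1}-*"])


def merge_ranged_attributes(entry):
    """Collapse the ranged chunks of one entry back into the base attribute, in
    range order.  entry maps wire attribute descriptions to value lists; the result
    is keyed by the description with the range option removed."""
    chunks = {}
    for desc, values in entry.items():
        base, others, rng = parse_attribute_description(desc)
        key = ";".join([base, *others])
        order = -1 if rng is None else rng[0]
        chunks.setdefault(key, []).append((order, list(values)))
    return {key: [v for _, vals in sorted(parts, key=lambda p: p[0]) for v in vals]
            for key, parts in chunks.items()}


# Constructed sample data: a 1502-member group as range retrieval would deliver it
# (1500 values per chunk), and the one-member group the dirSync capture showed.
BIG_GROUP = {
    "cn": ["big-group"],
    "member;range=0-1499": [f"cn=user{i},ou=people,dc=example,dc=com" for i in range(1500)],
    "member;range=1500-*": [f"cn=user{i},ou=people,dc=example,dc=com" for i in range(1500, 1502)],
}
SMALL_GROUP_DIRSYNC = {
    "cn": ["one-member"],
    "member;range=1-1": ["cn=user0,ou=people,dc=example,dc=com"],
}
CORE_SCHEMA_TYPES = {"cn", "member", "objectClass"}


def demo():
    """Return (error without 'range=' configured, resolved type with it configured)."""
    without = None
    try:
        resolve_attribute_type("member;range=1-1", CORE_SCHEMA_TYPES, [])
    except ValueError as e:
        without = str(e)
    with_opt = resolve_attribute_type("member;range=1-1", CORE_SCHEMA_TYPES, ["range="])
    return without, with_opt


if __name__ == "__main__":
    print(demo())
    print(next_range_request("member;range=0-1499"))
    print(len(merge_ranged_attributes(BIG_GROUP)["member"]))
```

Running `demo()` reproduces the thread's message for "member;range=1-1" when no option is configured and resolves it to "member" once "range=" is accepted; `next_range_request` shows the follow-up description a client would ask for when paging a large group without the dirSync control, and `merge_ranged_attributes` puts the chunks back together so a consumer sees one "member" list.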