Hello, good afternoon,
I have Nagios Log Server integrated with my Active Directory servers.
In my company, all employees have user accounts, which must necessarily be in the same "OU".
When I try to import users, the query is returning only 1000 users.
What do I need to configure for the web interface to return more users?
Do you have to parameterize something? Maybe in the LDAP configuration file?
LDAP/Active Directory Import Users (Limit of Returned Users)
-
ssoliveira
- Posts: 91
- Joined: Wed Dec 07, 2016 6:02 pm
Re: LDAP/Active Directory Import Users (Limit of Returned Us
There is a hard cap on AD's returned results that causes this:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
Essentially, AD returns paginated results after ~1000 which doesn't play very nice with most LDAP queries.
Former Nagios employee
https://www.mcapra.com/
-
ssoliveira
- Posts: 91
- Joined: Wed Dec 07, 2016 6:02 pm
Re: LDAP/Active Directory Import Users (Limit of Returned Us
Hello mcapra
How's it going?
These limits can be superimposed.
I can set up the "LDAP.conf" file, setting the SIZELIMIT attribute to a value greater than 1000. This way I can perform LDAP queries that return more than 1000 objects.
For example:
ldapsearch -x -b 'dc=OMITTED,dc=LOCAL' -D "CN=OMITTED" '(objectclass=*)' -H ldaps://ldap.xxxx.local -W
However, since the application is php, it is necessary that the limit be overwritten in the queries that the application performs.
http://php.net/manual/pt_BR/function.ldap-search.php
The same is true of Java and PowerShell.
It is always necessary to set the maximum value, or configure a global attribute.
Re: LDAP/Active Directory Import Users (Limit of Returned Us
ssoliveira wrote: However, since the application is php, it is necessary that the limit be overwritten in the queries that the application performs.
You can set the results length to anything you want on the client side of things (we aren't result-limiting our requests on the back-end); that still won't circumvent server-side limits for a single request. I could set the client side limit to 2000, but AD is still only going to return 1000 results per request.
You can of course assume a paginated result using ldap_control_paged_result, but that is only as of PHP 5.4 and many existing XI users are still using legacy PHP versions. Determining whether a result is paginated or not can be tricky between PHP versions in this case.
Former Nagios employee
https://www.mcapra.com/
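The paged search discussed in the last reply, as an added example that is not part of the thread and is not Nagios Log Server's code: it follows the server's paging cookie until it comes back empty, using the `controls` argument of ldap_search on PHP 7.3+ and ldap_control_paged_result on older builds. The function name paged_search, the page size of 500, the user filter and the ldaps://ldap.example.local host in the usage comment are assumptions.

```php
<?php
// Added example, not Nagios code. Collects all matches by following the
// paged-results cookie; each request stays under AD's per-request cap.
function paged_search($link, $baseDn, $filter, array $attrs, $pageSize = 500)
{
    $all = [];
    $cookie = '';
    $modern = PHP_VERSION_ID >= 70300; // search calls accept controls from 7.3
    if (!$modern && !function_exists('ldap_control_paged_result')) {
        throw new RuntimeException('No paged-results support in this PHP build');
    }
    do {
        if ($modern) {
            $ctrl = [['oid' => LDAP_CONTROL_PAGEDRESULTS, 'iscritical' => true,
                      'value' => ['size' => $pageSize, 'cookie' => $cookie]]];
            $res = ldap_search($link, $baseDn, $filter, $attrs, 0, -1, -1,
                               LDAP_DEREF_NEVER, $ctrl);
        } else {
            // PHP 5.4 to 7.2: the control is set on the connection first.
            ldap_control_paged_result($link, $pageSize, true, $cookie);
            $res = ldap_search($link, $baseDn, $filter, $attrs);
        }
        $entries = $res ? ldap_get_entries($link, $res) : false;
        if ($entries === false) {
            throw new RuntimeException('LDAP search failed: ' . ldap_error($link));
        }
        unset($entries['count']);            // keep only the numbered entries
        $all = array_merge($all, $entries);  // append this page

        $cookie = '';                        // empty cookie means last page
        if ($modern) {
            ldap_parse_result($link, $res, $code, $dn, $msg, $refs, $controls);
            if (isset($controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'])) {
                $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'];
            }
        } else {
            ldap_control_paged_result_response($link, $res, $cookie);
        }
    } while ($cookie !== null && $cookie !== '');
    return $all;
}

// Usage (host and bind DN are placeholders):
// $link = ldap_connect('ldaps://ldap.example.local');
// ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3); // controls need LDAPv3
// ldap_bind($link, 'CN=OMITTED', $password);
// $users = paged_search($link, 'dc=OMITTED,dc=LOCAL', '(objectClass=user)', ['sAMAccountName']);
```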