LDAP/Active Directory Import Users (Limit of Returned Users)

Posted: Thu Dec 29, 2016 1:16 pm
by ssoliveira
Hello, good afternoon,

I have Nagios Log Server integrated with my Active Directory servers.

In my company, all employees have user accounts, which must necessarily be in the same "OU".

When I try to import users, the query returns only 1000 users.

What do I need to configure for the web interface to return more users?

Do you have to parameterize something? Maybe in the LDAP configuration file?

Re: LDAP/Active Directory Import Users (Limit of Returned Users)

Posted: Thu Dec 29, 2016 1:21 pm
by mcapra
There is a hard cap on AD's returned results that causes this:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx

Essentially, AD returns paginated results after ~1000 which doesn't play very nice with most LDAP queries.

Re: LDAP/Active Directory Import Users (Limit of Returned Users)

Posted: Thu Dec 29, 2016 1:58 pm
by ssoliveira
Hello mcapra

How's it going?

These limits can be overridden.

I can set up the "ldap.conf" file, setting the SIZELIMIT attribute to a value greater than 1000. This way I can perform LDAP queries that return more than 1000 objects.

For example:

ldapsearch -x -H ldaps://ldap.xxxx.local -b 'dc=OMITTED,dc=LOCAL' -D "CN=OMITTED" -W '(objectclass=*)'

However, since the application is PHP, the limit must be overridden in the queries that the application performs.

http://php.net/manual/pt_BR/function.ldap-search.php

The same is true of Java and PowerShell.

It is always necessary to set the maximum value, or to configure a global attribute.

Re: LDAP/Active Directory Import Users (Limit of Returned Users)

Posted: Thu Dec 29, 2016 2:56 pm
by mcapra
ssoliveira wrote: However, since the application is PHP, the limit must be overridden in the queries that the application performs.
You can set the result length to anything you want on the client side of things (we aren't result-limiting our requests on the back-end); that still won't circumvent server-side limits for a single request. I could set the client-side limit to 2000, but AD is still only going to return 1000 results per request.

You can of course assume a paginated result using ldap_control_paged_result, but that is only as of PHP 5.4 and many existing XI users are still using legacy PHP versions. Determining whether a result is paginated or not can be tricky between PHP versions in this case.
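The two points the thread makes (the client-side sizelimit in ldap.conf or in ldap_search() only lifts the client's own cap, while getting past AD's per-request cap needs the paged-results control, which PHP exposes only from 5.4) come together in the following added example. It is not Nagios Log Server code and was not posted in the thread. It assumes placeholder values: the LDAPS host ldap.xxxx.local and DC=OMITTED,DC=LOCAL are taken from ssoliveira's ldapsearch line, while the bind DN, the OU name, the LDAP_BIND_PW environment variable and the function name ad_search_all_paged are invented for the example. It is written in PHP 5.4-compatible syntax so that the legacy branch can actually run on the old installs mcapra mentions.

```php
<?php
// Added example (not Nagios Log Server code): page through an Active Directory
// search that would otherwise be cut off at the server's per-request cap.
// Assumptions: host, base DN, bind DN, OU and password source are placeholders.
// Deliberately PHP 5.4-compatible (no scalar type hints, no ??) so the legacy
// branch is reachable on old PHP versions.

/**
 * Return every entry matching $filter under $base, fetching it page by page
 * with the Simple Paged Results control (RFC 2696). $pagesize must stay at or
 * below AD's MaxPageSize (1000 by default), or each page is still truncated.
 */
function ad_search_all_paged($ldap, $base, $filter, array $attrs, $pagesize = 500)
{
    $entries = array();
    $cookie  = '';   // empty cookie = first page

    do {
        if (defined('LDAP_CONTROL_PAGEDRESULTS')) {
            // PHP >= 7.3: the control goes through ldap_search()'s $controls argument.
            // The sixth argument (0 = unlimited) is the *client-side* sizelimit the
            // thread discusses; raising it never lifts AD's own per-request cap.
            $controls = array(array(
                'oid'        => LDAP_CONTROL_PAGEDRESULTS,
                'iscritical' => true,
                'value'      => array('size' => $pagesize, 'cookie' => $cookie),
            ));
            $result = ldap_search($ldap, $base, $filter, $attrs, 0, 0, 0, LDAP_DEREF_NEVER, $controls);
            if ($result === false) {
                throw new RuntimeException('ldap_search failed: ' . ldap_error($ldap));
            }
            // The cookie for the next page comes back in the response controls.
            $ok = ldap_parse_result($ldap, $result, $errcode, $matched, $errmsg, $referrals, $respControls);
            if (!$ok || $errcode !== 0) {
                throw new RuntimeException("search failed: $errmsg (code $errcode)");
            }
            $cookie = isset($respControls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'])
                ? $respControls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie']
                : '';
        } else {
            // PHP 5.4 - 7.2: legacy paged-result functions (deprecated in 7.3, removed in 8.0).
            ldap_control_paged_result($ldap, $pagesize, true, $cookie);
            $result = ldap_search($ldap, $base, $filter, $attrs, 0, 0);
            if ($result === false) {
                throw new RuntimeException('ldap_search failed: ' . ldap_error($ldap));
            }
            ldap_control_paged_result_response($ldap, $result, $cookie);
        }

        // Collect this page; ldap_get_entries() puts the entry count under 'count'.
        $page = ldap_get_entries($ldap, $result);
        ldap_free_result($result);
        for ($i = 0; $i < $page['count']; $i++) {
            $entries[] = $page[$i];
        }
    } while ($cookie !== '');   // AD returns an empty cookie after the last page

    return $entries;
}

// --- usage (placeholder values, constructed for this example) ---
$ldap = ldap_connect('ldaps://ldap.xxxx.local');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);   // controls require LDAPv3
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);          // do not chase AD referrals
$bindDn = 'CN=svc-import,OU=Service Accounts,DC=OMITTED,DC=LOCAL';  // hypothetical
if (!ldap_bind($ldap, $bindDn, getenv('LDAP_BIND_PW'))) {
    die('bind failed: ' . ldap_error($ldap) . PHP_EOL);
}
$users = ad_search_all_paged(
    $ldap,
    'OU=Employees,DC=OMITTED,DC=LOCAL',                  // hypothetical OU
    '(&(objectClass=user)(objectCategory=person))',
    array('sAMAccountName', 'mail')
);
printf("%d users returned%s", count($users), PHP_EOL);
ldap_unbind($ldap);
```

A quick way to confirm from the command line that paging, rather than SIZELIMIT, is what gets you past the cap: OpenLDAP's ldapsearch takes the same control as `-E pr=1000/noprompt`, and with it ssoliveira's query returns the whole OU, whereas raising SIZELIMIT in ldap.conf (or passing `-z`) only changes what the client is willing to accept and still ends in sizeLimitExceeded once AD hits its own limit.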