[Auth_ldap] LDAP searches too large?
Steven Hajducko
Steven.Hajducko at DigitalInsight.com
Thu Jun 16 14:26:19 PDT 2005
One of the more confusing aspects however is that whenever we use the
ldapsearch tool, the queries work fine.
I.e., I can run this:
ldapsearch -x -h corpdc.corp.ad.diginsite.com -p 389 -D "cn=skynet,ou=Special,ou=Corporate,dc=corp,dc=ad,dc=diginsite,dc=com" -w "#########" -b "dc=corp,dc=ad,dc=diginsite,dc=com" "(&(objectClass=user)(sAMAccountName=stha3155))"
And the result returns successfully.
But if I specify that same query, minus the additional sAMAccountName, since
AuthLdap supplies that into the query, Apache won't authenticate and spits
out the vague error.
Why would the same query fail in Apache but work in ldapsearch?
--
sh
-----Original Message-----
From: McAllister, Andrew [mailto:McAllisterA at umsystem.edu]
Sent: Thursday, June 16, 2005 12:24 PM
To: Steven Hajducko; auth_ldap at rudedog.org
Subject: RE: [Auth_ldap] LDAP searches too large?
I don't think too large is a problem.
Our AuthLDAPUrl is
ldaps://ourglobalcatalog.domain.edu:3269/dc=edu?samAccountName?sub?(objectClass=*)
Now that's generic. We have 5 domains in our forest and roughly 77,000
users.
In your search you are providing the samAccountName, which should only ever
return one row (hopefully you don't allow duplicates across multiple
domains). So the result set should still always be just one row.
I suspect that in fact you are running up against some sort of structural
problem where Active Directory doesn't put samAccountName data in the tree
at your level and that the "sub" search isn't finding it at lower levels
because of some depth limit. You might have to query the global catalog like
we do, where if I recall correctly the tree is flattened out.
Andy
> -----Original Message-----
> From: auth_ldap-bounces at rudedog.org
> [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Steven Hajducko
> Sent: Thursday, June 16, 2005 11:35 AM
> To: 'auth_ldap at rudedog.org'
> Subject: [Auth_ldap] LDAP searches too large?
>
> We're having an issue when dealing with too large of a
> search, it seems.
>
> When we issue the search -
>
> ldap://corpdc.corp.ad.diginsite.com/ou=users,ou=corporate,dc=corp,dc=ad,dc=diginsite,dc=com?sAMAccountName?sub?(objectClass=user)
>
> Everything works fine.
>
> When we increase the broadness of the search with the following
> url, apache fails to process:
>
> ldap://corpdc.corp.ad.diginsite.com/dc=corp,dc=ad,dc=diginsite,dc=com?sAMAccountName?sub?(objectClass=user)
snip
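To make the comparison in this thread concrete, here is an added Python example (not code from the list or from auth_ldap itself) that splits an AuthLDAPUrl into its parts and rebuilds the filter auth_ldap sends, `(&(<filter>)(<attribute>=<user>))`, so the Apache query and the hand-run ldapsearch can be compared side by side. It assumes mod_auth_ldap's documented defaults (attribute `uid`, scope `sub`, filter `(objectClass=*)`, port 389/636 by scheme) and escapes the login name per RFC 4515, since that value arrives from the HTTP Authorization header.

```python
import shlex

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter.
    Without this, a login name such as '*)(cn=*' rewrites the filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def parse_auth_ldap_url(url: str) -> dict:
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into fields.
    Defaults follow the mod_auth_ldap documentation (assumption: single host)."""
    scheme, _, rest = url.partition('://')
    hostport, _, tail = rest.partition('/')
    host, _, port = hostport.partition(':')
    fields = tail.split('?') + [''] * 4
    base, attr, scope, filt = fields[:4]
    return {
        'scheme': scheme,
        'host': host,
        'port': int(port) if port else (636 if scheme == 'ldaps' else 389),
        'base': base,
        'attribute': attr or 'uid',
        'scope': scope or 'sub',
        'filter': filt or '(objectClass=*)',
    }

def build_user_filter(parsed: dict, username: str) -> str:
    """The filter auth_ldap actually sends: URL filter ANDed with attribute=user."""
    return '(&%s(%s=%s))' % (parsed['filter'], parsed['attribute'],
                             escape_filter_value(username))

def is_global_catalog(parsed: dict) -> bool:
    """3268/3269 are the Active Directory global catalog ports Andy refers to."""
    return parsed['port'] in (3268, 3269)

def is_domain_root(parsed: dict) -> bool:
    """True when the base DN is only dc= components, i.e. the search starts at the
    top of the domain naming context rather than inside an OU."""
    rdns = [r.strip().lower() for r in parsed['base'].split(',') if r.strip()]
    return bool(rdns) and all(r.startswith('dc=') for r in rdns)

def ldapsearch_command(parsed: dict, bind_dn: str, username: str) -> str:
    """Equivalent ldapsearch invocation for reproducing the Apache query by hand.
    -W prompts for the bind password so it never lands in shell history."""
    uri = '%s://%s:%d' % (parsed['scheme'], parsed['host'], parsed['port'])
    argv = ['ldapsearch', '-x', '-H', uri, '-D', bind_dn, '-W', '-b', parsed['base'],
            '-s', parsed['scope'], build_user_filter(parsed, username), parsed['attribute']]
    return ' '.join(shlex.quote(a) for a in argv)
```

Running both URLs from the original post through `parse_auth_ldap_url` shows the only difference is the base DN moving from an OU to the domain root, while the filter auth_ldap sends stays identical to the one that works in ldapsearch.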