[Auth_ldap] LDAP searches too large?
McAllister, Andrew
McAllisterA at umsystem.edu
Thu Jun 16 15:38:02 PDT 2005
Maybe I've totally lost my mind, but let me put my foot in my mouth and
show my ignorance for a minute. Maybe someone will be motivated and
chime in with the real answer.
Like I said, I think this is a tree depth issue. SamAccountName is a
property of the ou=users branch of the tree. We could represent the data
like this (reversed for my own clarity)
dc=Com,dc=diginsite,dc=ad,dc=corp,ou=corporate,ou=users,samAccountName=foo
When you specify the search tree as follows:
> ldap://corpdc.corp.ad.diginsite.com/ou=users,ou=corporate,dc=corp,dc=ad,dc=diginsite,dc=com?sAMAccountName?sub?(objectClass=user)
The "sub" search goes to the "users" container level and looks for the
samAccountName property = foo. It finds the property because
samAccountName is a direct descendant of ou=users.
OK, now backing up two levels:
dc=Com,dc=diginsite,dc=ad,dc=corp,ou=corporate,samAccountName=foo
When you specify the search tree as follows:
> ldap://corpdc.corp.ad.diginsite.com/dc=corp,dc=ad,dc=diginsite,dc=com?sAMAccountName?sub?(objectClass=user)
Now the search goes to the "corp" level (notice that "corp" is a DC, not
an OU) and begins to look for the samAccountName property. Only the
samAccountName property doesn't exist at the corp level nor does it
exist at the next level down which is "corporate" (an OU). You want to
search properties that are the equivalent of two sub layers down.
My theory is that auth_ldap only goes one level deep, or perhaps Active
Directory only searches one level deep for the samAccountName property
in this context. Why then would ldapsearch work? Well, perhaps
ldapsearch is following referrals and auth_ldap is not?
Like I said, I could be completely off base. Please someone with more
LDAP insight speak up.
But I KNOW that deep searches are possible on samAccountName because we
do them. The MAJOR difference that I see between what you are doing and
what I do is that I run our searches on the Active Directory Global
Catalog, not on the standard LDAP server. The global catalog is a subset
of the ldap tree (only some properties are represented), but there are
entries for every entity in the entire forest.
How many domains in your forest?
Andy
> -----Original Message-----
> From: auth_ldap-bounces at rudedog.org
> [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Steven Hajducko
> Sent: Thursday, June 16, 2005 4:26 PM
> To: McAllister, Andrew; auth_ldap at rudedog.org
> Subject: RE: [Auth_ldap] LDAP searches too large?
>
> One of the more confusing aspects however is that whenever we use the
> ldapsearch tool, the queries work fine.
>
> I.e., I can run this:
>
> ldapsearch -x -h corpdc.corp.ad.diginsite.com -p 389 \
>   -D "cn=skynet,ou=Special,ou=Corporate,dc=corp,dc=ad,dc=diginsite,dc=com" \
>   -w "#########" -b "dc=corp,dc=ad,dc=diginsite,dc=com" \
>   "(&(objectClass=user)(sAMAccountName=stha3155))"
>
> And the result returns successfully.
>
snip
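The scope question Andy raises, as an added example that is not part of the thread: a small Python script that parses the two ldap:// URLs quoted above (RFC 4516 syntax) and applies the RFC 4511 scope rules to a constructed user entry, showing that with scope sub the user is reached both from the ou=users base (one level down) and from the domain base (three levels down), while a one-level search reaches it only from ou=users. The user DN is constructed, the DN splitting ignores escaped commas, and the Global Catalog Andy mentions (a separate service on port 3268) is not modelled.

```python
from urllib.parse import urlsplit, unquote

def parse_ldap_url(url):
    """RFC 4516 URL: ldap://host[:port]/base[?attrs[?scope[?filter]]]."""
    parts = urlsplit(url)
    fields = [unquote(f) for f in parts.query.split("?")] if parts.query else []
    attrs, scope, filt = (fields + ["", "", ""])[:3]
    return {"host": parts.hostname, "port": parts.port or 389,
            "base": unquote(parts.path[1:]),
            "attrs": [a for a in attrs.split(",") if a],
            "scope": scope.lower() or "base",      # RFC 4516 defaults
            "filter": filt or "(objectClass=*)"}

def split_dn(dn):
    """RDNs leaf-first, lowercased for case-insensitive comparison (toy: no escaped commas)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def depth_below(entry_dn, base_dn):
    """Levels the entry sits below the base, or None if it is not under the base."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)

def in_scope(entry_dn, base_dn, scope):
    """RFC 4511 scopes: base = the base entry, one = its children, sub = whole subtree."""
    depth = depth_below(entry_dn, base_dn)
    return depth is not None and {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

# Constructed user entry; the two URLs are the ones quoted in the thread.
USER_DN = "CN=foo,OU=Users,OU=Corporate,DC=corp,DC=ad,DC=diginsite,DC=com"
URL_USERS = ("ldap://corpdc.corp.ad.diginsite.com/ou=users,ou=corporate,dc=corp,"
             "dc=ad,dc=diginsite,dc=com?sAMAccountName?sub?(objectClass=user)")
URL_DOMAIN = ("ldap://corpdc.corp.ad.diginsite.com/dc=corp,dc=ad,dc=diginsite,"
              "dc=com?sAMAccountName?sub?(objectClass=user)")

def check(url, entry_dn=USER_DN):
    """(depth below the URL's base, reached by the URL's scope, reached by a one-level search)."""
    u = parse_ldap_url(url)
    return (depth_below(entry_dn, u["base"]),
            in_scope(entry_dn, u["base"], u["scope"]),
            in_scope(entry_dn, u["base"], "one"))

if __name__ == "__main__":
    for label, url in (("ou=users base", URL_USERS), ("domain base", URL_DOMAIN)):
        print(label, check(url))   # (1, True, True) then (3, True, False)
```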