[Auth_ldap] LDAP searches too large?

Steven Hajducko Steven.Hajducko at DigitalInsight.com
Thu Jun 16 15:48:11 PDT 2005


That definitely sounds like a possibility Andy, but I don't know enough about
ldap or AD.  I'm actually a unix admin and not even part of our MIS
department.  I'm trying to get this setup for an internal web tool. :) Like
I've said before, I'm pretty much a complete neophyte to LDAP so although I
know what OU and DN stand for, I'm not sure what the difference between the
two is.

Dave should be able to answer on how deep the auth_ldap tool will search for
samAccountName.  I know that if I even take off the 'ou=users' part of the
LDAP query in the .htaccess, it will not work.  The samAccountName is
actually a property of the user's DN tho, not of the ou=users directory.  I
can ask our MIS people for the information to search against the AD global
catalog rather than what we do now and let you know.

I'm not sure how many domains are in the forest, sorry. \=

--
sh

-----Original Message-----
From: McAllister, Andrew [mailto:McAllisterA at umsystem.edu] 
Sent: Thursday, June 16, 2005 3:38 PM
To: Steven Hajducko; auth_ldap at rudedog.org
Subject: RE: [Auth_ldap] LDAP searches too large?


Maybe I've totally lost my mind, but let me put my foot in my mouth and show
my ignorance for a minute. Maybe someone will be motivated and chime in with
the real answer.

Like I said, I think this is a tree depth issue. SamAccountName is a
property of the ou=users branch of the tree. We could represent the data
like this (reversed for my own clarity)

dc=Com,dc=diginsite,dc=ad,dc=corp,ou=corporate,ou=users,samAccountName=foo
When you specify the search tree as follows:
> ldap://corpdc.corp.ad.diginsite.com/ou=users,ou=corporate,dc=corp,dc=ad,dc=diginsite,dc=com?sAMAccountName?sub?(objectClass=user)
The "sub" search goes to the "users" container level and looks for the
samAccountName property = foo. It finds the property because samAccountName
is a direct descendent of ou=users.

OK, now backing up two levels:
dc=Com,dc=diginsite,dc=ad,dc=corp,ou=corporate,samAccountName=foo
When you specify the search tree as follows:
> ldap://corpdc.corp.ad.diginsite.com/dc=corp,dc=ad,dc=diginsite,dc=com?sAMAccountName?sub?(objectClass=user)
Now the search goes to the "corp" level (notice that "corp" is a DC not an
OU) and begins to look for the samAccountName property. Only the
samAccountName property doesn't exist at the corp level nor does it exist at
the next level down which is "corporate" (an OU). You want to search
properties that are the equivalent of two sub layers down.

My theory is that auth_ldap only goes one level deep, or perhaps Active
Directory only searches one level deep for the samAccountName property in
this context. Why then would ldapsearch work? Well, perhaps ldapsearch is
following referrals and auth_ldap is not? 

Like I said, I could be completely off base. Please someone with more LDAP
insight speak up.

But I KNOW that deep searches are possible on samAccountName because we do
them. The MAJOR difference that I see between what you are doing and what I
do is that I run our searches on the Active Directory Global Catalog, not on
the standard LDAP server. The global catalog is a subset of the ldap tree
(only some properties are represented), but there are entries for every
entity in the entire forest.

How many domains in your forest? 

Andy

> -----Original Message-----
> From: auth_ldap-bounces at rudedog.org
> [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Steven Hajducko
> Sent: Thursday, June 16, 2005 4:26 PM
> To: McAllister, Andrew; auth_ldap at rudedog.org
> Subject: RE: [Auth_ldap] LDAP searches too large?
> 
> One of the more confusing aspects however is that whenever we use the 
> ldapsearch tool, the queries work fine.
> 
> Ie - I can run this:
> 
> ldapsearch -x -h corpdc.corp.ad.diginsite.com -p 389 \
>   -D "cn=skynet,ou=Special,ou=Corporate,dc=corp,dc=ad,dc=diginsite,dc=com" \
>   -w "#########" \
>   -b "dc=corp,dc=ad,dc=diginsite,dc=com" \
>   "(&(objectClass=user)(sAMAccountName=stha3155))"
> 
> And the result returns successfully.
> 
snip
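To make the base-DN and scope question in the thread concrete, here is an added example (not from the list or from auth_ldap) that parses the .htaccess-style LDAP URL per RFC 2255 and evaluates it against a constructed toy directory. The entries are invented, and the scope keywords are modelled as RFC 4511 defines them: "sub" covers the whole subtree under the base DN, "one" only the base's immediate children, "base" only the base entry itself.

```python
import re
from urllib.parse import urlsplit, unquote

# Toy directory, constructed for this example (not real data): DN -> attributes (lower-cased keys).
BASE = "dc=corp,dc=ad,dc=diginsite,dc=com"
FOO = "cn=foo,ou=users,ou=corporate," + BASE
DIT = {
    BASE: {"objectclass": "domainDNS"},
    "ou=corporate," + BASE: {"objectclass": "organizationalUnit"},
    "ou=users,ou=corporate," + BASE: {"objectclass": "organizationalUnit"},
    FOO: {"objectclass": "user", "samaccountname": "foo"},
}

def parse_ldap_url(url):
    """Split an RFC 2255 LDAP URL into (host, base_dn, attrs, scope, filter)."""
    u = urlsplit(url)
    fields = (u.query.split("?") + ["", "", ""])[:3]   # attrs?scope?filter, each optional
    attrs, scope, flt = (unquote(f) for f in fields)
    return (u.netloc, unquote(u.path.lstrip("/")), attrs or None,
            scope.lower() or "base", flt or "(objectClass=*)")

def rdn_depth(entry_dn, base_dn):
    """0 if entry is the base, N if it sits N RDNs below it, None if outside the base."""
    entry, base = entry_dn.lower(), base_dn.lower()
    if entry == base:
        return 0
    if not entry.endswith("," + base):
        return None
    return entry[: -len(base) - 1].count(",") + 1

def in_scope(depth, scope):
    """Apply the RFC 4511 scope semantics to an entry's depth below the base."""
    if depth is None:
        return False
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)

def matches(attrs, flt):
    """Simplified filter: an AND of equality assertions, e.g. (&(objectClass=user)(sAMAccountName=foo))."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", flt)
    return all(attrs.get(k.lower()) == v or (v == "*" and k.lower() in attrs) for k, v in terms)

def search(url):
    """Return the DNs in DIT that the URL's base, scope and filter select."""
    _host, base, _attrs, scope, flt = parse_ldap_url(url)
    return [dn for dn in DIT if in_scope(rdn_depth(dn, base), scope) and matches(DIT[dn], flt)]

HOST = "ldap://corpdc.corp.ad.diginsite.com/"
URL_USERS = HOST + "ou=users,ou=corporate," + BASE + "?sAMAccountName?sub?(objectClass=user)"  # the .htaccess URL
URL_ROOT_SUB = HOST + BASE + "?sAMAccountName?sub?(objectClass=user)"   # domain root, subtree scope
URL_ROOT_ONE = HOST + BASE + "?sAMAccountName?one?(objectClass=user)"   # domain root, one level only

if __name__ == "__main__":
    for u in (URL_USERS, URL_ROOT_SUB, URL_ROOT_ONE):
        print(parse_ldap_url(u)[3], "->", search(u))
```

Run against a real Active Directory, the same URL pointed at the global catalog Andy mentions uses port 3268 (3269 for LDAPS) instead of 389 and only returns the attributes replicated to the GC.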