Active Directory Integration
[resolved] ldap search exceed limit (10 posts)

  1. PyroSteveJr
    Member
    Posted 1 year ago #

    When trying to do bulk import I'm running into an issue where the ldap search is maxing out due to the maxpagesize of 1000 on the domain controller.

    Any thoughts of getting around this without modifying the domain controller?

    http://wordpress.org/extend/plugins/active-directory-integration/

  2. glatze
    Member
    Plugin Author

    Posted 1 year ago #

    Perhaps. I think about changing the bulk import process to get around this problem. But it would be a little bit dirty. It would split the import process into many import groups.
    1. import all users with usernames starting with "a".
    2. import all users with usernames starting with "b".
    3. import all users with usernames starting with "c".
    ...
    24. import all users with usernames starting with "z".
    25. import all users with usernames starting with "0".
    ...
    34. import all users with usernames starting with "9".

    This would help if there are not more than 1000 users per group. But it is really dirty. *shiver*

  3. PyroSteveJr
    Member
    Posted 1 year ago #

    That is a good idea! I wanted to use some of our security groups but some of them are in a different domain which is causing issues.

    Great idea about using usernames. It is dirty but would work. That or figure out paging.

  4. glatze
    Member
    Plugin Author

    Posted 1 year ago #

    The reason for our problem is that the PHP LDAP extension doesn't support paging!!! There are patches available, but that's not an option for most PHP users.

  5. alilou
    Member
    Posted 1 year ago #

    Hi,
    You can change/adapt the adLDAP function in active-directory-integration/ad_ldap/adLDAP.php, line 748.

    Change 1000 to the limit of the server.

    /**
     * Get group members by primaryGroupID
     * Use this to get all users of for example "Domain Users"
     * @param integer $pgid
     * @param array $fields
     */
    public function group_members_by_primarygroupid($pgid = NULL, $fields = NULL)
    {
        if (!$this->_bind) { return (false); }

        if ($pgid === NULL) { return (false); }

        // Result limit of the server; the checks below compare against 1000 and 1500.
        $pageSize = 1000;
        $user_array = array();
        $users = array();
        // $recursive is not a parameter of this method; set it here so the group
        // lookup further down does not read an undefined variable.
        $recursive = false;

        // $pgid is documented as an integer; the cast keeps other input out of the filter.
        $pgid = (int) $pgid;
        $filter = "(&(objectCategory=user)(primarygroupid=" . $pgid . "))";

        $v = 0;
        $sr = @ldap_search($this->_conn, $this->_base_dn, $filter, array('dn'));
        $countResult = ldap_count_entries($this->_conn, $sr);

        if ($countResult == 1000 || $countResult == 1500)
        {
            // loop through the numbers 97-122 (ASCII codes for the characters a-z)
            for ($a = 97; $a <= 122; $a++)
            {
                // translate the number to a character
                $character = chr($a);
                // the new search filter returns all users with a last name starting with $character
                $filter = "(&(sn=$character*)(objectCategory=user)(primarygroupid=" . $pgid . "))";
                $results = ldap_search($this->_conn, $this->_base_dn, $filter);
                $countResult2 = ldap_count_entries($this->_conn, $results);

                // See if the search for all users starting with a specific character still hits the search limit
                // if so then do a new search to find all the users where the last name starts with "aa" and
                // then with "ab", "ac" etc. etc
                // In the best case we can now find 675.324 users per group when the search limit is 1000
                // ((26 * 999  for the first character) * 26 for the second character)
                // and 1.013.324 when the search limit is 1500
                if ($countResult2 == 1000 || $countResult2 == 1500)
                {
                    for ($b = 97; $b <= 122; $b++)
                    {
                        $character2 = chr($b);
                        $filter2 = "(&(sn=$character$character2*)(objectCategory=user)(primarygroupid=" . $pgid . "))";
                        $results2 = ldap_search($this->_conn, $this->_base_dn, $filter2);
                        $count2 = ldap_count_entries($this->_conn, $results2);
                        $users2 = ldap_get_entries($this->_conn, $results2);

                        $users = array_merge($users, $users2);
                    }
                }
                else
                {
                    $users1 = ldap_get_entries($this->_conn, $results);
                    $users = array_merge($users, $users1);
                }
            }
        }
        else
        {
            // was $startResults, which is never initialized; the first search result is $sr
            $users1 = ldap_get_entries($this->_conn, $sr);
            $users = array_merge($users, $users1);
        }

        if (!is_array($users)) {
            return (false);
        }

        // ldap_get_entries() adds a 'count' key; drop it so the loop below visits entries only
        unset($users['count']);

        for ($i = 0; $i < count($users); $i++) {
            $filter = "(&(objectCategory=person)(distinguishedName=" . $this->ldap_slashes($users[$i]['dn']) . "))";
            $fields = array("samaccountname", "distinguishedname", "objectClass");
            $sr = ldap_search($this->_conn, $this->_base_dn, $filter, $fields);
            $entries = ldap_get_entries($this->_conn, $sr);

            // not a person, look for a group
            if ($entries['count'] == 0 && $recursive == true) {
                $filter = "(&(objectCategory=group)(distinguishedName=" . $this->ldap_slashes($users[$i]['dn']) . "))";
                $fields = array("samaccountname");
                $sr = ldap_search($this->_conn, $this->_base_dn, $filter, $fields);
                $entries = ldap_get_entries($this->_conn, $sr);
                if (!isset($entries[0]['samaccountname'][0])) {
                    continue;
                }

                $sub_users = $this->group_members($entries[0]['samaccountname'][0], $recursive);
                if (is_array($sub_users)) {
                    $user_array = array_merge($user_array, $sub_users);
                    $user_array = array_unique($user_array);
                }
                continue;
            }

            if ($entries[0]['samaccountname'][0] === NULL && $entries[0]['distinguishedname'][0] !== NULL) {
                $user_array[] = $entries[0]['distinguishedname'][0];
            }
            elseif ($entries[0]['samaccountname'][0] !== NULL) {
                $user_array[] = $entries[0]['samaccountname'][0];
            }
        }
        return ($user_array);
    }
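
Added example, not part of the thread or the plugin: the prefix-splitting idea from posts 2 and 5, generalized to any depth and extended with a remainder bucket so that entries whose surname does not continue with a-z are not silently left out of the import. `sim_search()` and `collect_all()` are hypothetical names, and the directory is constructed sample data searched in memory with a small limit standing in for the server's.

```php
<?php
// Added example, not plugin code. Constructed directory of surnames ("sn" values),
// lower-cased; four of them fall outside the plain a-z buckets.
$directory = array('a', 'a-smith', '9lives', 'émile');
foreach (array('a', 'b', 'c') as $c) {
    for ($i = 0; $i < 40; $i++) { $directory[] = $c . chr(97 + $i % 26) . "user$i"; }
}

// Stand-in for ldap_search() on a server with a size limit: returns at most $limit
// matches for "sn starts with $prefix and the next character is not in $excludeNext",
// plus a flag saying whether the result was cut short.
function sim_search(array $dir, $prefix, array $excludeNext, $limit)
{
    $hits = array();
    foreach ($dir as $sn) {
        if (strncmp($sn, $prefix, strlen($prefix)) !== 0) { continue; }
        if (in_array(substr($sn, strlen($prefix), 1), $excludeNext, true)) { continue; }
        $hits[] = $sn;
    }
    return array('entries' => array_slice($hits, 0, $limit), 'truncated' => count($hits) > $limit);
}

// Split a truncated bucket by its next character, to any depth, and also query the
// remainder bucket. LDAP form of the remainder for prefix P:
// (&(sn=P*)(!(|(sn=Pa*)(sn=Pb*)...(sn=Pz*))))
function collect_all($search, array $alphabet, $prefix = '', $maxDepth = 3)
{
    $r = $search($prefix, array());
    if (!$r['truncated']) { return $r['entries']; }
    if (strlen($prefix) >= $maxDepth) { throw new RuntimeException("bucket '$prefix' still truncated"); }
    $rest = $search($prefix, $alphabet);
    if ($rest['truncated']) { throw new RuntimeException("remainder of '$prefix' truncated"); }
    $all = $rest['entries'];
    foreach ($alphabet as $ch) {
        $all = array_merge($all, collect_all($search, $alphabet, $prefix . $ch, $maxDepth));
    }
    return $all;
}

$limit = 25; // plays the role of the server's limit of 1000
$search = function ($prefix, $exclude) use ($directory, $limit) {
    return sim_search($directory, $prefix, $exclude, $limit);
};
$found = collect_all($search, range('a', 'z'));
printf("directory: %d, collected: %d, unique: %d\n",
    count($directory), count($found), count(array_unique($found)));
```

The exceptions make the import fail loudly instead of returning a partial user list when a bucket cannot be split far enough.
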
  6. glatze
    Member
    Plugin Author

    Posted 1 year ago #

    Hi alilou,
    that's a possible solution. BTW: your code has an error: $startResult is never initialized. Did you mean $sr?

    But I found that paging is supported by php since 5.4. I think I'll add support for this. It looks like the best solution.

  7. alilou
    Member
    Posted 1 year ago #

    Yes, $sr!! Sorry!! I have PHP 5.3.14 and I can't simply change the version.

    I think the best solution is to add the two solutions
    if(function_exists('ldap_control_paged_result')) .......

  8. glatze
    Member
    Plugin Author

    Posted 1 year ago #

    Argh! Have to think about adding both solutions.

  9. glatze
    Member
    Plugin Author

    Posted 1 year ago #

    This is resolved in development version 1.1.5dev: http://downloads.wordpress.org/plugin/active-directory-integration.zip

    The solution works only if PHP 5.4.0 or above is used.
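
Added example, not the plugin's code: a paged search with the feature detection suggested in post 7. `paged_search()` is a hypothetical helper name; it assumes `$conn` is an already bound LDAP link with `LDAP_OPT_PROTOCOL_VERSION` set to 3. It covers both the `ldap_control_paged_result()` API available from PHP 5.4 (removed in PHP 8.0) and the `$controls` argument that `ldap_search()` accepts from PHP 7.3.

```php
<?php
// Added example, not plugin code. Returns every matching entry, fetched page by page.
function paged_search($conn, $baseDn, $filter, array $attrs, $pageSize = 500)
{
    $modern = version_compare(PHP_VERSION, '7.3.0', '>=');
    if (!$modern && !function_exists('ldap_control_paged_result')) {
        throw new RuntimeException('This PHP build has no paged-result support');
    }
    $all = array();
    $cookie = '';
    do {
        if ($modern) {
            // PHP >= 7.3: send the paged-results control with the search itself
            $controls = array(array(
                'oid'   => LDAP_CONTROL_PAGEDRESULTS,
                'value' => array('size' => $pageSize, 'cookie' => $cookie),
            ));
            $sr = ldap_search($conn, $baseDn, $filter, $attrs, 0, -1, -1, LDAP_DEREF_NEVER, $controls);
        } else {
            // PHP 5.4 - 7.x: set the control on the link before searching
            ldap_control_paged_result($conn, $pageSize, true, $cookie);
            $sr = ldap_search($conn, $baseDn, $filter, $attrs);
        }
        if ($sr === false) {
            throw new RuntimeException('LDAP search failed: ' . ldap_error($conn));
        }
        $page = ldap_get_entries($conn, $sr);
        unset($page['count']); // keep entries only
        $all = array_merge($all, $page);
        if ($modern) {
            ldap_parse_result($conn, $sr, $errcode, $matchedDn, $errmsg, $referrals, $respControls);
            if ($errcode !== 0) { // e.g. size limit exceeded: do not accept a partial list
                throw new RuntimeException("LDAP result code $errcode: $errmsg");
            }
            $cookie = isset($respControls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'])
                ? $respControls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] : '';
        } else {
            ldap_control_paged_result_response($conn, $sr, $cookie);
        }
    } while ($cookie !== null && $cookie !== ''); // an empty cookie marks the last page
    return $all;
}
```

The page size must not exceed the limit configured on the domain controller (1000 in this thread).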

  10. PyroSteveJr
    Member
    Posted 1 year ago #

    Works great

Topic Closed

This topic has been closed to new replies.
