Comments on: AD Integration Tip: Dealing With More Than 1,000 Users http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/ The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 17 Mar 2010 00:13:04 +0000 http://wordpress.org/?v=abc hourly 1 By: Doug Woodgate http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/comment-page-1/#comment-37287 Doug Woodgate Wed, 30 Apr 2008 19:39:36 +0000 http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37287 Below is from the man page of nss_ldap, it should work like this, but I still had problems with it I think. I was running into an issue that some users wouldn't show up under a global getent passwd, but would with getent passwd username. I figured this was the cause, and may be, but under Red Hat Server 5, it apparently doesn't work. How I fixed it was appending a search filter in ldap.conf nss_paged_results Enables support for paged results. pagesize When paged results are enabled (see above), specifies the number of entries to return in a single page. The default is 1000. Search Filter I applied to reduce the count and make it feel a little quicker. nss_base_passwd dc=mybpc,dc=net?sub?&(objectCategory=user)(uidNumber=*) -Doug Below is from the man page of nss_ldap, it should work like this, but I still had problems with it I think. I was running into an issue that some users wouldn’t show up under a global getent passwd, but would with getent passwd username. I figured this was the cause, and may be, but under Red Hat Server 5, it apparently doesn’t work. How I fixed it was appending a search filter in ldap.conf

nss_paged_results
Enables support for paged results.

pagesize
When paged results are enabled (see above), specifies the number of entries to return in a single page. The default is 1000.

Search Filter I applied to reduce the count and make it feel a little quicker.
nss_base_passwd dc=mybpc,dc=net?sub?&(objectCategory=user)(uidNumber=*)

-Doug

]]> By: Jan Ivar Beddari http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/comment-page-1/#comment-37040 Jan Ivar Beddari Wed, 16 Apr 2008 16:13:36 +0000 http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37040 Ah, this old problem again :-) Luckily there is now a lot of sample code around the net that shows how you can do paged searches against AD correctly. http://forum.java.sun.com/thread.jspa?threadID=5117992&tstart=0 Ah, this old problem again :-) Luckily there is now a lot of sample code around the net that shows how you can do paged searches against AD correctly.

http://forum.java.sun.com/thread.jspa?threadID=5117992&tstart=0

]]> By: Jef http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/comment-page-1/#comment-37035 Jef Tue, 15 Apr 2008 05:37:32 +0000 http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37035 Scott, I agree that I should offer some helpful information other than just saying "don't", so I wrote up some information here which I hope provides some help: http://jeftek.com/iam/activedirectory/avoid-changing-the-maxpagesize-ldap-query-policy/ Scott,

I agree that I should offer some helpful information other than just saying “don’t”, so I wrote up some information here which I hope provides some help:

http://jeftek.com/iam/activedirectory/avoid-changing-the-maxpagesize-ldap-query-policy/

]]> By: slowe http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/comment-page-1/#comment-37034 slowe Tue, 15 Apr 2008 01:01:53 +0000 http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37034 OK, I hear everyone saying just how bad it is to increase MaxPageSize, but I don't hear anyone telling us how to fix the problem that increasing MaxPageSize fixes. It's all well and good to say "Don't do that!", but what people really need is "Do this instead". Anyone care to provide that information? OK, I hear everyone saying just how bad it is to increase MaxPageSize, but I don’t hear anyone telling us how to fix the problem that increasing MaxPageSize fixes. It’s all well and good to say “Don’t do that!”, but what people really need is “Do this instead”. Anyone care to provide that information?

]]> By: Jef http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/comment-page-1/#comment-37031 Jef Mon, 14 Apr 2008 22:20:21 +0000 http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37031 I would agree that messing with the maxpagesize is a very bad Idea. As Brian said, as soon as you set it to 5,000, what if you grow to 5,001? Or even 10,000? It's a constant chasing the number as you grow, while all the time you are introducing potential issues with the infrastructure because of the load you may place on it. Now how easy is it for you to tell an App owner to "Fix their app" and use paging? Unfortunately that is not always an easy task, but I tend not to want to change infrastructure to support an application, especially when supporting paging is a solution. Jef I would agree that messing with the maxpagesize is a very bad Idea.

As Brian said, as soon as you set it to 5,000, what if you grow to 5,001? Or even 10,000?

It’s a constant chasing the number as you grow, while all the time you are introducing potential issues with the infrastructure because of the load you may place on it.

Now how easy is it for you to tell an App owner to “Fix their app” and use paging? Unfortunately that is not always an easy task, but I tend not to want to change infrastructure to support an application, especially when supporting paging is a solution.

Jef

]]> By: Anders http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/comment-page-1/#comment-37022 Anders Fri, 11 Apr 2008 18:53:13 +0000 http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37022 Atleast libnss_ldap has support for paging although it's not enabled per default in all installations. I would assume that winbind also handles paging. Changing the pagesize should be the absolute last thing you consider doing (and yes, that'd be after bashing developers heads). Atleast libnss_ldap has support for paging although it’s not enabled per default in all installations.
I would assume that winbind also handles paging.

Changing the pagesize should be the absolute last thing you consider doing (and yes, that’d be after bashing developers heads).

]]> By: slowe http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/comment-page-1/#comment-37020 slowe Fri, 11 Apr 2008 18:37:50 +0000 http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37020 Brian, OK, fair enough. How would you suggest handling this problem, then? Brian,

OK, fair enough. How would you suggest handling this problem, then?

]]> By: Brian Desmond http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/comment-page-1/#comment-37019 Brian Desmond Fri, 11 Apr 2008 17:41:57 +0000 http://blog.scottlowe.org/2008/04/11/ad-integration-tip-dealing-with-more-than-1000-users/#comment-37019 This is a really bad idea. This is not an AD limitation, it's an application programming issue. This is the LDAP page size - standard thing across any LDAP directory. 1,000 is the max number of records returned in a result set so the app has to support paging to get more. This is not a best practice and yes it can cause problems. The other problem is once you do it once, you set the precedent to keep doing it. This is a really bad idea. This is not an AD limitation, it’s an application programming issue. This is the LDAP page size - standard thing across any LDAP directory. 1,000 is the max number of records returned in a result set so the app has to support paging to get more.

This is not a best practice and yes it can cause problems. The other problem is once you do it once, you set the precedent to keep doing it.

]]>