| Store | Cart

RE: AD Page Size help

From: Steven Manross <ste...@manross.net>
Tue, 26 Apr 2011 12:51:01 -0700
To everyone..

My apologies are due, as I seem to have code floating around the
internet that doesn't work as a paged query (and have professed that it
works as a paged LDAP query).  

:(  Sorry.  :(

The actual problem seems to be that declaring the:

$objCMD->{Properties}->{"Page Size"} = 100; #or 1000, etc (<= the
MaxPageSize defined by AD)

...prior to setting the

$objCMD->{ActiveConnection} = $Conn; 

Causes issues for paged searches (guessing that something gets reset to
a bad value during that declaration).

A proper (working) subroutine is below:

While I have commented out the while loop, the "print recordcount"
should suffice to show that if you have more than 1000 user objects to
display, it does because the query is returning the proper number of
records (instead of 1000).

I added 1027 user accounts to my test lab to guarantee my query works
now, as using someone else's AD to test might not always be a good test
if they have changed defaults (which I am also guilty of).  :(

Again, Apologies.  :(

HTH

Steven

Code (based off of Rich Gomes' test with modifications):
-------------------------------------------------------

use Win32::OLE qw(in);

$Win32::OLE::Warn = 3;
my $strBase   =  "<LDAP://DC=somedomain,DC=com>;";

my $strFilter = "(&(objectclass=user)(objectcategory=person));";
my $strAttrs  = "name;";
my $strAttrs  = "distinguishedName;";
my $strScope  = "subtree";

query_ldap($strBase . $strFilter . $strAttrs . $strScope,$objRS); 

print "records = " . $objRS->{RecordCount}."\n";
#while (! $objRS->EOF) {
#  print $objRS->Fields(0)->Value,"\n";
#  $objRS->MoveNext;
#}


sub query_ldap {
  my $ldap_query = $_[0];

  my $error_num;
  my $error_name;
  my $RS;
  my $Conn = Win32::OLE->new("ADODB.Connection");
  if (Win32::OLE->LastError() != 0) {
    print "Failed creating ADODB.Connection object
(".Win32::OLE->LastError().")\n   -> $ldap_query\n";
    return 0;
  }
  $Conn->{'Provider'} = "ADsDSOObject";
  if (Win32::OLE->LastError() != 0) {
    print "Failed setting ADODB.Command Provider
(".Win32::OLE->LastError().")\n   -> $ldap_query\n";
    return 0;
  }
  $Conn->{Open} = "Perl Active Directory Query";

  my $Cmd = Win32::OLE->new("ADODB.Command");
  if (Win32::OLE->LastError() != 0) {
    print "Failed creating ADODB.Command object
(".Win32::OLE->LastError().")\n   -> $ldap_query\n";
    return 0;
  }
  $Cmd->{"CommandText"} = $ldap_query;
  $Cmd->{ActiveConnection} = $Conn;
  $Cmd->{"Properties"}->{"Page Size"} = 100;
  $RS = $Cmd->Execute();
  if (Win32::OLE->LastError() != 0) {
    print "Failed Executing ADODB Command object
(".Win32::OLE->LastError().")\nExecuting ADODB Command ->
$ldap_query\n";
    return 0;
  } else {
    $_[1] = $RS;
    return 1;
  }
}


> -----Original Message-----> From: Gomes, Rich [mailto:rich...@uniform.aramark.com] > Sent: Tuesday, April 26, 2011 11:06 AM> To: Steven Manross> Subject: RE: AD Page Size help> > use Win32::OLE qw(in);> use Data::Dumper;> > $Win32::OLE::Warn = 3;> my $strBase   =  "<LDAP://DC=mydomain,DC=com>;";> # To search the whole forest using the global catalog, > uncomment the following line:> # $strBase   =  "<GC://" . $strDomainDN . ">;";> > my $strFilter = "(&(objectclass=user)(objectcategory=person));";> my $strAttrs  = "name;";> my $strAttrs  = "distinguishedName;";> my $strScope  = "subtree";> > my $objConn = Win32::OLE->CreateObject("ADODB.Connection");> $objConn->{Provider} = "ADsDSOObject";> $objConn->Open;> #$ADOCmd->Properties->{"Page Size"}=10000; > #$objConn->Properties->{"Page Size"}=10000; > #$objADOcmd->Properties->{"Page Size"} = 10; > #$objConn->{Properties}->{"Page Size"} = 10; > #$objConn->Properties("Page Size")->{Value} = 10; > #$ADOrs->PageSize->{Value}=10000; #$objConn->PageSize->{Value}=10000;> my $objRS = Win32::OLE->new("ADODB.RecordSet");   >    $objRS->PageSize->{Value}=100;> > my $objRS = $objConn->Execute($strBase . $strFilter . > $strAttrs . $strScope); $objRS->MoveFirst; while (not $objRS->EOF) {> 	print $objRS->Fields(0)->Value,"\n";>     $objRS->MoveNext;> }> > -----Original Message-----> From: Steven Manross [mailto:ste...@manross.net]> Sent: Tuesday, April 26, 2011 2:02 PM> To: Gomes, Rich> Subject: RE: AD Page Size help> > Resend me the script, please, in it's current form..  > Obfuscate proprietary info (OUs, etc)> > Steven > > > -----Original Message-----> > From: Gomes, Rich [mailto:rich...@uniform.aramark.com]> > Sent: Tuesday, April 26, 2011 10:52 AM> > To: Gomes, Rich; Steven Manross;> > perl...@listserv.ActiveState.com> > Subject: RE: AD Page Size help> > > > Forgot to mention perl version:> > 5.8.9> > Only that far back due to incompatibility with some of Dave Roth's> > Win32 modules and newer versions of perl> > > > -----Original Message-----> > From: perl...@listserv.ActiveState.com> > [mailto:perl...@listserv.ActiveState.com] > On Behalf > > Of Gomes, Rich> > Sent: Tuesday, April 26, 2011 1:41 PM> > To: Steven Manross; perl...@listserv.ActiveState.com> > Subject: RE: AD Page Size help> > > > Here are the values from ntdsutil:> > > > ldap policy: Show Values> > > > Policy                          Current(New)> > > > MaxReceiveBuffer                        10485760> > MaxPageSize                     1000> > MaxResultSetSize                        262144> > > > > > So it definite looks as if I am hitting the PageSize limit as > > everything I query stops at 1000 results.> > > > So, I thought that setting this in the script would > temporarily allow > > you to get more results or is the only way to get more results to > > change it in AD itself?> > > > > > -----Original Message-----> > From: Steven Manross [mailto:ste...@manross.net]> > Sent: Tuesday, April 26, 2011 1:30 PM> > To: Gomes, Rich; perl...@listserv.ActiveState.com> > Subject: RE: AD Page Size help> > > > So, there is a difference between page size and size limit.  > > If you hit a problem with PageSize, the query grabs the first 1000 > > records and then calls it done (providing your MaxPageSize = 1000), > > without error.  You are getting a size limit error, which > means that > > something is prohibiting you from getting the number or size of > > results you want.> > > > HTH> > > > The KB article describes that "Absolute Limits" that AD will search > > with.> > > > Note that the:> > > > "MaxPageSize" is usually set to 1000 (how many records to send in a > > given chunk of data -- you can request lots of chunks as > long as they > > don't exceed the other maximums as well).  Setting "Page Size" to > > something <= 1000 fixes that.> > > > "MaxRecieveBuffer" is default set at 10485760 (10MB -- how > much actual > > data can I request back -- i.e. sending back 50 columns of data for > > 200000 records might get you there -- total guess)> > > > "MaxResultSetSize" is default set to 262144 (number of individual > > records you can request -- seems like a lot).> > > > If you can verify these values in your Active directory > > implementation, and respond with them, that would help.> > > > Can you also send the value of your $strAttrs variable, as I am > > confused by the thread below as it is referenced twice.> > It looks like you either want the 'distinguishedname' or > the 'name' -- > > neither should bet you anywhere close to 10MB, but the > > distinguishedname is much larger, and dependent on your ou > structure.> > > > P.S. What is your Activestate Perl version?> > > > Steven> > > > > -----Original Message-----> > > From: Gomes, Rich [mailto:rich...@uniform.aramark.com]> > > Sent: Tuesday, April 26, 2011 9:07 AM> > > To: Steven Manross; perl...@listserv.ActiveState.com> > > Subject: RE: AD Page Size help> > > > > > Well... by adding your suggestion, I noticed there was an > OU that I > > > has missed in my array.> > > Adding that OU to the array gave me the error I normally get.> > > It says there are 960 users in that OU. However if I do a> > Find in ADUC> > > on just that OU, it says there are 4268 users.> > > > > > I thought the whole point to setting the Page Size > variable was to > > > momentarily get around the search limits.> > > Is that not the case?> > > > > > > > > -----Original Message-----> > > From: Steven Manross [mailto:ste...@manross.net]> > > Sent: Tuesday, April 26, 2011 11:53 AM> > > To: Gomes, Rich; perl...@listserv.ActiveState.com> > > Subject: RE: AD Page Size help> > > > > > I would assume that if you are getting a "size limit" > > error, that you> > > are hitting a hard maximum that AD implements to make > sure that you > > > don't sit all day parsing through results and degrade> > performance on> > > this DC as a result.> > > > > > Your query is pulling back every user object in your AD> > infrastructure> > > (enabled, disabled, etc) if I am correctly identifying > your filter > > > below.> > > > > > my $strFilter = "(&(objectclass=user)(objectcategory=person));";> > > > > > How many users do you have in AD? (when you use the Array> > permutation> > > of this script (that works correctly), can you...> > > > > > print "total users in this OU: " . $objRS->{RecordCount} . "\n";> > > > > > ...to see how many users we are talking about?)> > > > > > If you dare, and you do indeed have tons of users in your> > AD, you can> > > change the hard max size limit because of your AD> > infrastructure size,> > > but it would probably be advisable to limit the scope of> > this change> > > to> > > 1 Domain Controller, or one Site, as this could pose a> > Security threat> > > in the form of a DOS attack on AD if you increase either of these > > > limits because you want to pull back all the users.  The> > article below> > > goes through making that change, but use it with care.> > > > > > As well, I am also wondering if you want "all the users" > > (enabled and> > > disabled) as part of this, as you could totally descope the> > disabled> > > users with a modified filter, and possibly reduce your > resultset to > > > the upper limits of the default "size limits" in AD.  If> > you really do> > > want "All the users", and pulling only the enabled ones> > gets you under> > > the size limit, you could definitely do a second search for the > > > disabled ones as I am sure that you'd want to handle them> > differently> > > than the enabled users.> > > > > > http://support.microsoft.com/kb/315071> > > > > > > > > You're hitting one of these two limits:> > > > > > MaxResultSetSize> > > MaxReceiveBuffer> > > > > > HTH> > > > > > Steven> > > > -----Original Message-----> > > > From: perl...@listserv.ActiveState.com> > > > [mailto:perl...@listserv.ActiveState.com]> > > On Behalf> > > > Of Gomes, Rich> > > > Sent: Tuesday, April 26, 2011 8:24 AM> > > > To: perl...@listserv.ActiveState.com> > > > Subject: RE: AD Page Size help> > > > > > > > So, a lot of people have given some great suggestions but I> > > am still> > > > unable to get this to work and am still confused.> > > > The nearest I have been able to come is to create an> > array with the> > > > different OU's that contain users within our domain.> > > > Anything without the array (just looking at the entire> > domain all at> > > > once) throws the error below.> > > > Using the array works but it seems pretty hackey. Plus I> > > will need to> > > > always be sure I have every OU that contains users in it at> > > all times.> > > > > > > > I really wanted this to be an exercise in understanding > the code.> > > > Why does this work with the array but not without?> > > > > > > > > > > > > > > > OLE exception from "Provider":> > > > > > > > The size limit for this request was exceeded.> > > > > > > > Win32::OLE(0.1709) error 0x80072023: "The size limit for> > > this request> > > > was exceeded"> > > >     in METHOD/PROPERTYGET "MoveNext" > > > > > > > > > > > > > > > > Thanks,> > > > Rich> > > > > > > > -----Original Message-----> > > > From: perl...@listserv.ActiveState.com> > > > [mailto:perl...@listserv.ActiveState.com]> > > On Behalf> > > > Of Joachim Thuau> > > > Sent: Friday, April 22, 2011 6:45 PM> > > > To: perl...@listserv.ActiveState.com> > > > Subject: RE: AD Page Size help> > > > > > > > I have had issues in the past where searching with a > "null base" > > > > inside AD yielded errors, but putting one level of OU in> > > the base made> > > > it work.> > > > (the first time I encountered that, it was with AD> > integration with> > > > apache). Maybe adjusting the base will yield different results.> > > > > > > > Thanks,> > > > Jok> > > > > > > > > -----Original Message-----> > > > > From: perl...@listserv.ActiveState.com> > > > [mailto:perl-> > > > > win3...@listserv.ActiveState.com] On Behalf Of> > > > Gomes, Rich> > > > > Sent: Thursday, April 21, 2011 8:18 AM> > > > > To: perl...@listserv.ActiveState.com> > > > > Subject: AD Page Size help> > > > > > > > > > I know this has been talked about a lot but I cannot seem> > > to get my> > > > > script to work.> > > > > I am trying to not hit the LDAP search limit but cannot> > > seem to get> > > > > the PageSize line correct> > > > > > > > > > > > > > > Any thoughts?> > > > > > > > > > > > > > > > > > > > > > > > > ______________________________________________________________________> > > > > _> > > > > ______> > > > > > > > > > my $strDomainDN = "DC=mydomain,DC=com"; use Win32::OLE qw(in);> > > > > > > > > > > > > > > $Win32::OLE::Warn = 3;> > > > > my $strBase   =  "<LDAP://" . $strDomainDN . ">;";> > > > > > > > > > > > > > > my $strFilter = > "(&(objectclass=user)(objectcategory=person));";> > > > > my $strAttrs  = "name;";> > > > > my $strAttrs  = "distinguishedName;"; my $strScope  = > "subtree";> > > > > > > > > > my $objConn = Win32::OLE->CreateObject("ADODB.Connection");> > > > > $objConn->{Provider} = "ADsDSOObject"; $objConn->Open;> > > > > > > > > > $objConn->{Properties}->{"Page Size"} = 100;> > > > > > > > > > my $objRS = $objConn->Execute($strBase . $strFilter . > > $strAttrs .> > > > > $strScope);> > > > > $objRS->MoveFirst;> > > > > while (not $objRS->EOF) {> > > > >     print $objRS->Fields(0)->Value,"\n";> > > > >     $objRS->MoveNext;> > > > > }> > > > > > > > > > > > > > > > > > > > ______________________________________________________________________> > > > > _> > > > > ________> > > > > > > > > > > > > > > > > > > > _______________________________________________> > > > > Perl-Win32-Admin mailing list> > > > > Perl...@listserv.ActiveState.com> > > > > To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs> > > > _______________________________________________> > > > Perl-Win32-Admin mailing list> > > > Perl...@listserv.ActiveState.com> > > > To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs> > > > _______________________________________________> > > > Perl-Win32-Admin mailing list> > > > Perl...@listserv.ActiveState.com> > > > To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs> > > > > > > > > _______________________________________________> > Perl-Win32-Admin mailing list> > Perl...@listserv.ActiveState.com> > To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs> > > 
_______________________________________________
Perl-Win32-Admin mailing list
Perl...@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs

Recent Messages in this Thread
Gomes, Rich Apr 26, 2011 05:52 pm
Steven Manross Apr 26, 2011 07:51 pm
A F Jun 29, 2011 04:48 am
Steven Manross Jun 29, 2011 06:05 am
A F Jul 01, 2011 03:05 am
Deans, Glenn (IT Solutions US) Jul 01, 2011 01:24 pm
Messages in this thread