ldap search exceed limit
-
When trying to do bulk import I’m running into an issue where the ldap search is maxing out due to the maxpagesize of 1000 on the domain controller.
Any thoughts of getting around this without modifying the domain controller?
https://www.ads-software.com/extend/plugins/active-directory-integration/
-
Perhaps. I think about changing the bulk import process to get around this problem. But it would be a little bit dirty. It would split the import process into many import groups.
1. import all users with usernames starting with “a”.
2. import all users with usernames starting with “b”.
3. import all users with usernames starting with “c”.
…
24. import all users with usernames starting with “z”.
25. import all users with usernames starting with “0”.
…
34. import all users with usernames starting with “9”.
This would help if there are not more than 1000 users per group. But it is really dirty. *shiver*
That is a good idea! I wanted to use some of our security groups but some of them are in a different domain which is causing issues.
Great idea about using usernames. It is dirty but would work. That or figure out paging.
The reason for our problem is, that the PHP LDAP extension doesn’t support paging!!! There are patches available, but that’s not an option for most PHP users.
Hi,
you can change/adapt the adLDAP function in active-directory-integration/ad_ldap/adLDAP.php, line 748; change 1000 to the limit of the server

```php
/**
 * Get group members by primaryGroupID
 * Use this to get all users of for example "Domain Users"
 * @param integer $pgid
 * @param array $fields
 */
public function group_members_by_primarygroupid($pgid = NULL, $fields = NULL) {
    if (!$this->_bind) { return (false); }
    if ($pgid === NULL) { return (false); }

    // enable pagination with a page size of 1000.
    $pageSize = 1000;
    $user_array = array();
    $users = array();
    $filter = "(&(objectCategory=user)(primarygroupid=".$pgid."))";
    $v = 0;
    $sr = @ldap_search($this->_conn, $this->_base_dn, $filter, array('dn'));
    $countResult = ldap_count_entries($this->_conn, $sr);

    if ($countResult == 1000 or $countResult == 1500) {
        // loop through the numbers 97-122 (ASCII numbers for the characters a-z)
        for ($a = 97; $a <= 122; $a++) {
            // translate the number to a character
            $character = chr($a);
            // the new search filter which returns all users with a last name starting with $character
            $filter = "(&(sn=$character*)(objectCategory=user)(primarygroupid=".$pgid."))";
            $results = ldap_search($this->_conn, $this->_base_dn, $filter);
            $countResult2 = ldap_count_entries($this->_conn, $results);
            // See if the search for all users starting with a specific character still hits the search limit
            // if so then do a new search to find all the users where the last name starts with "aa" and
            // then with "ab", "ac" etc. etc
            // In the best case we can now find 675.324 users per group when the search limit is 1000
            // ((26 * 999 for the first character) * 26 for the second character)
            // and 1.013.324 when the search limit is 1500
            if ($countResult2 == 1000 or $countResult2 == 1500) {
                for ($b = 97; $b <= 122; $b++) {
                    $character2 = chr($b);
                    $filter2 = "(&(sn=$character$character2*)(objectCategory=user)(primarygroupid=".$pgid."))";
                    $results2 = ldap_search($this->_conn, $this->_base_dn, $filter2);
                    $count2 = ldap_count_entries($this->_conn, $results2);
                    $users2 = ldap_get_entries($this->_conn, $results2);
                    $users = array_merge($users, $users2);
                }
            } else {
                $users1 = ldap_get_entries($this->_conn, $results);
                $users = array_merge($users, $users1);
            }
        }
    } else {
        // $startResults is never assigned in this function; the replies below confirm $sr was meant
        $users1 = ldap_get_entries($this->_conn, $startResults);
        $users = array_merge($users, $users1);
    }

    if (!is_array($users)) { return (false); }

    for ($i = 0; $i < count($users); $i++) {
        $filter = "(&(objectCategory=person)(distinguishedName=".$this->ldap_slashes($users[$i]['dn'])."))";
        $fields = array("samaccountname", "distinguishedname", "objectClass");
        $sr = ldap_search($this->_conn, $this->_base_dn, $filter, $fields);
        $entries = ldap_get_entries($this->_conn, $sr);

        // not a person, look for a group
        if ($entries['count'] == 0 && $recursive == true) {
            $filter = "(&(objectCategory=group)(distinguishedName=".$this->ldap_slashes($users[$i]['dn'])."))";
            $fields = array("samaccountname");
            $sr = ldap_search($this->_conn, $this->_base_dn, $filter, $fields);
            $entries = ldap_get_entries($this->_conn, $sr);
            if (!isset($entries[0]['samaccountname'][0])) { continue; }
            $sub_users = $this->group_members($entries[0]['samaccountname'][0], $recursive);
            if (is_array($sub_users)) {
                $user_array = array_merge($user_array, $sub_users);
                $user_array = array_unique($user_array);
            }
            continue;
        }

        if ($entries[0]['samaccountname'][0] === NULL && $entries[0]['distinguishedname'][0] !== NULL) {
            $user_array[] = $entries[0]['distinguishedname'][0];
        } elseif ($entries[0]['samaccountname'][0] !== NULL) {
            $user_array[] = $entries[0]['samaccountname'][0];
        }
    }
    return ($user_array);
}
```
Hi alilou,
that’s a possible solution. BTW: your code has an error: $startResult is never initialized. Did you mean $sr?
But I found that paging is supported by php since 5.4. I think I’ll add support for this. It looks like the best solution.
yes $sr !! sorry !! I have php 5.3.14 and I can’t simply change the version.
I think the best solution is to add the two solutions
if (function_exists('ldap_control_paged_result')) …
Argh! Have to think about adding both solutions.
This is resolved in development version 1.1.5dev: https://downloads.www.ads-software.com/plugin/active-directory-integration.zip
The solution works only if PHP 5.4.0 or above is used.
Works great
- The topic ‘ldap search exceed limit’ is closed to new replies.
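The two approaches discussed in the thread (paging where `ldap_control_paged_result` exists, prefix splitting otherwise), as an added example that is not part of any post or of the plugin's code. It assumes an already bound connection; the function names are hypothetical, and truncation is detected from LDAP result code 4 (sizeLimitExceeded) instead of comparing the entry count with 1000 or 1500.

```php
<?php
// Added example, not the plugin's code; all function names are hypothetical.
function primary_group_dns($conn, $baseDn, $pgid, $pageSize = 500) {
    // Cast to int so a caller-supplied value cannot alter the filter.
    $filter = '(&(objectCategory=user)(primaryGroupID=' . (int) $pgid . '))';
    return function_exists('ldap_control_paged_result')
        ? paged_dns($conn, $baseDn, $filter, $pageSize)
        : prefix_dns($conn, $baseDn, $filter, '');
}

// Returns array(DNs, true if the server cut the result short, result handle).
function search_dns($conn, $baseDn, $filter) {
    $sr = @ldap_search($conn, $baseDn, $filter, array('dn'));
    if ($sr === false) {
        throw new RuntimeException('search failed: ' . ldap_error($conn));
    }
    $truncated = ldap_errno($conn) === 4; // 4 = sizeLimitExceeded
    $dns = array();
    $entries = ldap_get_entries($conn, $sr);
    for ($i = 0; $i < $entries['count']; $i++) { $dns[] = $entries[$i]['dn']; }
    return array($dns, $truncated, $sr);
}

function paged_dns($conn, $baseDn, $filter, $pageSize) {
    $all = array();
    $cookie = '';
    do {
        // critical = true: the server must page or fail, never answer unpaged.
        ldap_control_paged_result($conn, $pageSize, true, $cookie);
        list($dns, , $sr) = search_dns($conn, $baseDn, $filter);
        $all = array_merge($all, $dns);
        ldap_control_paged_result_response($conn, $sr, $cookie);
    } while ($cookie !== null && $cookie !== '');
    return $all;
}

function prefix_dns($conn, $baseDn, $filter, $prefix) {
    $f = $prefix === '' ? $filter : "(&(sAMAccountName=$prefix*)$filter)";
    list($dns, $truncated) = search_dns($conn, $baseDn, $f);
    if (!$truncated) { return $dns; }
    // Truncated: keep the exact-name match, then split on the next character.
    list($all) = $prefix === '' ? array(array())
        : search_dns($conn, $baseDn, "(&(sAMAccountName=$prefix)$filter)");
    foreach (str_split('abcdefghijklmnopqrstuvwxyz0123456789') as $c) {
        $all = array_merge($all, prefix_dns($conn, $baseDn, $filter, $prefix . $c));
    }
    return $all;
}
```

`ldap_control_paged_result` was removed in PHP 8.0, where paging goes through the controls argument of `ldap_search`, which this example does not cover. Once the fallback starts splitting, accounts whose names begin with a character outside a-z and 0-9 are not found.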