When retrieving large group memberships from AD you must use Microsoft's 
implementation of ranging.  When the group membership exceeds the limit 
established in the domain controller (usually 1500 users) AD returns an empty 
result set in the member attribute and then adds a new attribute containing a 
partial result set.  You must then submit multiple subsequent searches renaming 
this new attribute each time to retrieve the remainder of the result set.  You 
can google on AD and ranging for more details.  There are ways to disable this 
in AD as well but most AD administrators will refuse to do it.

-Jon C. Kidder
American Electric Power
Middleware Services
Email: jckid...@aep.com
Phone: 614-716-4970
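The retrieval loop Jon describes, as an added example that is not code from this thread: it parses the `member;range=lo-hi` attribute names AD returns and keeps asking for the next chunk until a `range=lo-*` reply marks the end. The `search(dn, attrs)` callable is an assumed hook (wire it to ldap_search_ext_s or python-ldap in real use), and `make_fake_ad` is a constructed stand-in that mimics a DC with a 1500-value limit so the block runs offline.

```python
import re

# Attribute name form AD uses for a partial value set, e.g. "member;range=0-1499".
# A high bound of "*" marks the final chunk.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)

def find_ranged_attr(entry, attr):
    """Locate the ranged form of attr in an entry -> (name, lo, hi); hi is None for '*'."""
    for name in entry:
        m = RANGE_RE.match(name)
        if m and m.group("attr").lower() == attr.lower():
            hi = m.group("hi")
            return name, int(m.group("lo")), (None if hi == "*" else int(hi))
    return None

def retrieve_all(search, dn, attr="member"):
    """Drive the ranged retrieval loop. search(dn, [attr_spec]) must return a
    dict of attribute name -> list of values, as a base-scope search would."""
    values, request = [], attr
    while True:
        entry = search(dn, [request])
        if request == attr and entry.get(attr):   # small group: plain attribute, done
            return list(entry[attr])
        ranged = find_ranged_attr(entry, attr)
        if ranged is None:                         # empty group, or server stopped ranging
            return values
        name, lo, hi = ranged
        values.extend(entry[name])
        if hi is None:                             # "lo-*": last chunk received
            return values
        request = f"{attr};range={hi + 1}-*"      # ask for the next chunk

def make_fake_ad(members, limit=1500):
    """Constructed stand-in for a DC applying a 1500-value range limit (not real AD)."""
    def search(dn, attrs):
        search.requests.append(attrs[0])
        m = RANGE_RE.match(attrs[0])
        base, lo = (m.group("attr"), int(m.group("lo"))) if m else (attrs[0], 0)
        if not m and len(members) <= limit:
            return {base: list(members)}          # fits: returned as a normal attribute
        chunk = members[lo:lo + limit]
        if lo + limit >= len(members):            # final chunk is tagged "lo-*"
            return {base: [], f"{base};range={lo}-*": chunk}
        return {base: [], f"{base};range={lo}-{lo + limit - 1}": chunk}
    search.requests = []
    return search

if __name__ == "__main__":
    group = [f"CN=user{i},OU=People,DC=example,DC=com" for i in range(3200)]
    ad = make_fake_ad(group)
    got = retrieve_all(ad, "CN=Big Group,OU=Groups,DC=example,DC=com")
    print(len(got), ad.requests)  # 3200 ['member', 'member;range=1500-*', 'member;range=3000-*']
```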

-----Original Message-----
From: openldap-technical-boun...@openldap.org 
[mailto:openldap-technical-boun...@openldap.org] On Behalf Of Sankar P
Sent: Friday, April 11, 2014 2:08 AM
To: Mark Pröhl
Cc: openldap-technical@openldap.org
Subject: Re: Getting the list of members in an AD group

The group whose SID that I am trying to take is the default "Domain Users" 
group. The ldapsearch query too fails for that but for any other custom groups, 
the membership information is printed. So is there a different style that we 
should follow for getting the "Domain Users" group members ?


2014-04-10 16:20 GMT+05:30 Sankar P <sankar.curios...@gmail.com>:
>> ldapsearch -H ldap://your_dc.example.com \
>>      -b '<sid=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX>' \
>>      -s base \
>>      '(objectClass=*)' member
>>
>
> oh okay. Thanks for your explanation.
>
> I changed my code to:
>
> struct timeval timeout = {10, 0};        /* 10 s client-side search timeout */
> char *attr_list[] = {"member", NULL};    /* only the member attribute is wanted */
> LDAPMessage *searchresult = NULL;
> int sts;
>
> gch = get_gch_from_queue();              /* caller's own helper; gch->ld is the LDAP handle */
> sts = ldap_search_ext_s(gch->ld, "<sid=S-...>", LDAP_SCOPE_BASE,
>                         "(objectClass=*)", attr_list, 0, NULL, NULL,
>                         &timeout, LDAP_NO_LIMIT, &searchresult);
>
> and this returns a status of LDAP_UNWILLING_TO_PERFORM
>
> What am I doing wrong ?
>
> --
> Sankar P
> http://psankar.blogspot.com



--
Sankar P
http://psankar.blogspot.com
