Here is a script with the gist of using a paged search. I chopped it up from
something I am currently using so it does work. :)

use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);

# $ad_ldap_server, $ad_ldap_dn and $ad_ldap_password must be set before this point
my $ad_ldap = Net::LDAP->new($ad_ldap_server, version => 3)
    or die "unable to connect to ad ldap: $@";
my $result = $ad_ldap->bind($ad_ldap_dn, password => $ad_ldap_password);
die "error binding to ad ldap: ",$result->error if ($result->code);

# AD requires paged searches to return more than 1000 objects
my $page = Net::LDAP::Control::Paged->new(size => 500);
my $cookie;
my @args = (
    'base'    => 'dc=microsoft,dc=local',
    'filter'  => '(&(objectclass=person)(!(objectclass=computer)))',
    'attrs'   => [ 'cn' ],
    'control' => [ $page ],
);

while (my $ad_search = $ad_ldap->search(@args)) {
    # fatal on search error
    die "error searching ad ldap: ",$ad_search->error if ($ad_search->code);

    while (my $ad_user = $ad_search->shift_entry) {
        # process each returned entry ($ad_user) here
    }

    # handle next search page; stop if the server sent no paged control
    my ($resp) = $ad_search->control(LDAP_CONTROL_PAGED) or last;
    $cookie = $resp->cookie or last;
    $page->cookie($cookie);
}

# be nice to the server and stop the search if we still have a cookie
if ($cookie) {
    $page->cookie($cookie);
    $page->size(0);
    $ad_ldap->search(@args);
}

$ad_ldap->unbind;

----- Original Message -----
From: Rick Tatem <[EMAIL PROTECTED]>
Date: Tuesday, July 6, 2004 6:19 am
Subject: RE: Active Directory and LDAP sizelimit
> The 1000 limit on the result set is due to the 'PageSize' limit.
> A paged query should return them all (just not all at once... oh,
> and provided that all the OUs are actually searchable by your
> process).
> I've not used it, but you should probably try
> Net::LDAP::Control::Paged
> http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/Control/Paged.pm
>
> Rick
> ---
> Rick Tatem
>
>
> -----Original Message-----
> From: Jensen, John T [EMAIL PROTECTED]
> Sent: Monday, July 05, 2004 10:38 PM
> To: Johnson, Brian K; Jensen, John T; [EMAIL PROTECTED]
> Subject: RE: Active Directory and LDAP sizelimit
>
> Thanks, Brian. I had finally got someone to point me to ntdsutil -
> now I'm trying to make it work. The various on-line things from
> Microsoft aren't that informative. But at least I now know where
> to look.
>
>
>
> jj
>
> John Thayer Jensen, System Administrator Computing Service, School
> of Business University of Auckland
>
> Room 256, 15 Wynyard Street
>
> voice: +64 9 373-7599 ext 87543
> FAX: +64 9 373-7696
> mobile: +64 21 049-7702
> quickdial: 60001
>
> http://staff.business.auckland.ac.nz/~j.jensen
> -----Original Message-----
> From: Johnson, Brian K [EMAIL PROTECTED]
> Sent: Tuesday, 6 July 2004 2:15 p.m.
> To: Jensen, John T; [EMAIL PROTECTED]
> Subject: RE: Active Directory and LDAP sizelimit
>
> Hi,
>
> Windows 2000 AD has a default limit of 1000. I THINK you can
> change this with the ntdsutil.exe utility on a domain controller.
> This utility can be used to examine and set LDAP parameters in AD.
> I THINK that these settings are global for your entire forest. The
> Q article:
> http://support.microsoft.com/?kbid=271088 goes into detail as to
> how to use this utility.
> http://www.jsiinc.com/SUBJ/tip4600/rh4678.htm explains the units
> of the various AD LDAP parameters. Also, Active Directory supports
> paged searches....which is what I do to retrieve more than 1000
> objects. Using paged controls I routinely retrieve 20-30K objects
> via a single query from my AD forest which has the default setting
> of 1000 for MaxPageSize.
>
>
> -----Original Message-----
> From: Jensen, John T [EMAIL PROTECTED]
> Sent: Monday, July 05, 2004 3:40 PM
> To: [EMAIL PROTECTED]
> Subject: Active Directory and LDAP sizelimit
>
> From:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtsksearchingactivedirectoryhierarchy.asp
>
> "The maximum number of entries to return by setting the SizeLimit
> property.
> Note If the maximum number of returned entries and TimeLimit
> properties exceed limitations set on the server, the server
> settings will override the component settings."
>
> If I set sizelimit in the Perl script to something LESS than 1000,
> that works. I get the smaller number of returns. If I set it to
> anything more, or to 0 (which is supposed to give unlimited
> returns), I can only get 1000.
>
> I believe Perl and Net::LDAP are working properly. I think the
> problem is this mysterious "limitations set on the server" that is
> stopping me.
> And I can't figure out how to change that.
>
>
>
> jj
>
> -----Original Message-----
> From: Jensen, John T [EMAIL PROTECTED]
> Sent: Tuesday, 6 July 2004 9:23 a.m.
> To: [EMAIL PROTECTED]
> Subject: RE: Scope=>'sub' not working??
>
> Stranger and stranger. I just did a comparison of the two searches.
> The top-down one gets 265 out of 651 objects in the OU. I am
> beginning to suspect some limit on the number of returned objects
> allowed. I seem to recall once hitting a 1000-object limit on AD
> LDAP returns - which is killing for ADs of our size.
>
>
>
> jj
>
> -----Original Message-----
> From: Jensen, John T
> Sent: Tuesday, 6 July 2004 8:34 a.m.
> To: [EMAIL PROTECTED]
> Subject: Scope=>'sub' not working??
>
> I'm trying to search the whole of our AD for computer objects
> (using the Perl Net::LDAP module). I just put in as searchbase:
>
> my $searchbase='DC=com,DC=unet,DC=auckland,DC=ac,DC=nz';
>
> Looking for computers so I put in:
>
> my $filter="(&(objectclass=User)(objectcategory=computer))";
>
> I do a search:
>
> my $results=$ad->search(base=>$searchbase,filter=>$filter,attrs=>$attrs);
>
> (scope=>'sub' is supposed to be the default, but I have also tried
> with:
> my $results=$ad->search(base=>$searchbase,filter=>$filter,scope=>'sub',attrs=>$attrs);
>
> )
>
> I don't get everything. If I put in a full OU:
>
> my $searchbase='OU=Staff Computers,OU=COM Computers,DC=com,DC=unet,DC=auckland,DC=ac,DC=nz';
> I get objects under that OU. I haven't yet looked to see whether
> my scope=>'sub' search gets some of those computers or not. But I
> don't want to look under a particular OU; I want to look in the
> whole AD - one of the things I am looking for is computers that
> have got into the wrong location.
>
>
>
> jj
>
>
>
>