Layer 7 Identity Management

Active Directory 1000 page limit and ldapsearch -E option

  • 1.  Active Directory 1000 page limit and ldapsearch -E option

    Posted 08-19-2016 12:19 PM

    Team,

     

    CA has a tech note on how to refresh the Exchange Server objects with the CA Identity Management Solution using ldapsearch. This process works well as an alternative to using the IMPS Manager GUI to refresh the entire Active Directory endpoint, since it refreshes knowledge for only one section.

     

    How to update an Active Directory Endpoint with new exchange server details?  TEC1377116

    http://www.ca.com/us/support/ca-support-/product-content/knowledgebase-articles/tec1377116.aspx

     

    This query uses the modified ldapsearch.exe binary under the IMPS\bin folder, which has been updated to support a few additional flags.

     

    eTADSexchangeStores = instructs ldapsearch, via the IMPS service, to query a select branch of an Active Directory domain for a list of MS Exchange Servers and Databases.

     

    eTExploreUpdateEtrust = instructs ldapsearch, via the IMPS service, to update the IMPS pointer objects under the Active Directory branch with a multi-valued list of MS Exchange Servers in the attribute eTADSexchangeStores.

     

    Note: it is very unusual, but some customers have over 1000 MS Exchange server/db objects. When this occurs, there may be a challenge with the standard OOTB LDAP query to Active Directory from the IMPS Manager GUI.

     

    Active Directory by default imposes a soft page limit of 1000 entries. This page limit may be increased, but that is not necessary, and it is not recommended, to avoid impacting the performance of Active Directory for other 3rd party tools/processes.

    LDAP policies: Maximum page size supported for LDAP responses (1000 records)

    MaxPageSize is set too high

     

    Fortunately, it is possible to page with most LDAP client tools.

     

    The CA IM Provisioning server provides a modified ldapsearch.exe command for both Windows and Linux OS. This ldapsearch version includes the -E option. We will use -E pr=<size>/noprompt to extend the paging functionality of the ldapsearch binary.


    -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
      [!]domainScope (domain scope)
      [!]mv=<filter> (matched values filter)
      [!]pr=<size>[/prompt|noprompt] (paged results/prompt)
      [!]subentries[=true|false] (subentries)
      [!]sync=ro[/<cookie>] (LDAP Sync refreshOnly)
      rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)


    Example of ldapsearch.exe without the -E option. If there were more than 1000 objects, this operation would truncate at 1000.

     

    ldapsearch.exe -h imps001 -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w Password01 -b "eTADSDirectoryName=Example_01_with_Full_Domain_Admin_Access,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" -s base "(objectClass=eTADSDirectory)" eTADSexchangeStores eTExploreUpdateEtrust


    Example of ldapsearch with the -E option to allow paging over 1000 objects.

    ldapsearch.exe -h imps001 -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w Password01 -b "eTADSDirectoryName=Example_01_with_Full_Domain_Admin_Access,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" -s base "(objectClass=eTADSDirectory)" -E pr=1000/noprompt eTADSexchangeStores eTExploreUpdateEtrust


    Note: The -E option should follow after the base / objectClass filter has been defined, to avoid a warning message from ldapsearch about an unknown switch.

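    The paging mechanism behind -E pr=<size>/noprompt, as an added example that is not code from the original post or from CA: the RFC 2696 simple paged results control is BER-encoded the way a client sends it, and a constructed in-memory stand-in for an AD endpoint with MaxPageSize 1000 shows the unpaged search truncating at 1000 while the cookie loop collects all 1200 constructed store objects. The server stub, its cookie format and the sample DNs are assumptions made for this example.

```python
# Added example (not from the original post or from CA): a minimal model of the
# RFC 2696 simple paged results control that "-E pr=<size>/noprompt" makes
# ldapsearch send, run against a constructed in-memory stand-in for an Active
# Directory endpoint with the default MaxPageSize of 1000. No directory is contacted.

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # control type OID from RFC 2696
MAX_PAGE_SIZE = 1000                           # AD LDAP policy default

def _ber_length(n: int) -> bytes:
    """BER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_int(value: int) -> bytes:
    """BER INTEGER for a non-negative value; the extra byte keeps the sign bit clear."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _ber_length(len(body)) + body

def encode_paged_control(size: int, cookie: bytes = b"") -> bytes:
    """Control value: SEQUENCE { INTEGER size, OCTET STRING cookie } (RFC 2696)."""
    inner = _ber_int(size) + b"\x04" + _ber_length(len(cookie)) + cookie
    return b"\x30" + _ber_length(len(inner)) + inner

def fake_ad_search(entries, page_size=None, cookie=b""):
    """Assumed AD stand-in. Returns (page, next_cookie); an empty next_cookie means
    the result set is exhausted. Without the control it truncates at MaxPageSize."""
    if page_size is None:
        return entries[:MAX_PAGE_SIZE], b""
    start = int.from_bytes(cookie, "big") if cookie else 0
    take = min(page_size, MAX_PAGE_SIZE)     # AD caps each page at MaxPageSize too
    end = start + take
    next_cookie = end.to_bytes(4, "big") if end < len(entries) else b""
    return entries[start:end], next_cookie

def unpaged_search(entries):
    """What the first ldapsearch example (no -E) gets back."""
    return fake_ad_search(entries)[0]

def paged_search(entries, page_size):
    """What -E pr=<size>/noprompt does: resend the control with the server's
    cookie until the server hands back an empty cookie. Returns (entries, pages)."""
    results, cookie, pages = [], b"", 0
    while True:
        control_on_wire = encode_paged_control(page_size, cookie)  # sent per request
        page, cookie = fake_ad_search(entries, page_size, cookie)
        results.extend(page)
        pages += 1
        if not cookie:
            return results, pages

# Constructed sample: 1200 Exchange database objects, above the 1000 limit.
STORES = [f"CN=DB{i:04d},CN=Databases,CN=Exchange" for i in range(1200)]
```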

    To confirm that the IMPS server was updated with over 1000 objects, use JXplorer or any other LDAP client tool, connect to the IMPS main DSA (TCP 20394), navigate to the Active Directory branch and view the multi-valued attribute eTADSexchangeStores. There should be more than 1000 values of this attribute.


    Below is a view of the Active Directory branches that the ldapsearch query will search. This ldapsearch query presumes that the IMPS ADS endpoint service account has permissions to view this branch. Use the MS tool ADSI Edit to view and/or grant permissions if necessary (or grant access via the existing MS ADS groups for MS Exchange, e.g. Discovery Management or Organization Management).


    A view of the IMPS "pointer objects" of eTADSexchangeStores for MS Exchange Servers under the ADS Endpoint.


    2018-08-27: The ldapsearch CLI under Linux OS for the IMPS server does not appear to have the -E option.

    However, you can still use the dxsearch CLI (on the same Linux OS) to emulate the above command:

     

    usage: dxsearch [options] [filter [attributes...]]
    where:
    filter RFC-2254 compliant LDAP search filter
    attributes whitespace-separated list of attribute descriptions
    which may include:
    1.1 no attributes
    * all user attributes
    + all operational attributes
    Search options:
    -a deref one of never (default), always, search, or find
    -A retrieve attribute names only (no values)
    -b basedn base dn for search
    -B do not suppress printing of non-ASCII values
    -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
    [!]domainScope (domain scope)
    [!]mv=<filter> (matched values filter)
    [!]pr=<size>[/prompt|noprompt] (paged results/prompt)
    [!]subentries[=true|false] (subentries)
    [!]sync=ro[/<cookie>] (LDAP Sync refreshOnly)
    rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
    -F prefix URL prefix for files (default: file:///tmp/)
    -l limit time limit (in seconds, or "none" or "max") for search
    -L print responses in LDIFv1 format(-B is implied)
    -LL print responses in LDIF format without comments
    -LLL print responses in LDIF format without comments and version
    -s scope one of base, one, sub or children (search scope)
    -S attr sort the results by attribute `attr'
    -t path write files to directory specified by path (default: /tmp)
    -u include User Friendly entry names in the output
    -z limit size limit (in entries, or "none" or "max") for search
    Common options:
    -c continuous operation mode (do not stop on errors)
    -C chase referrals (anonymously)
    -d level set LDAP debugging level to `level'
    -D binddn bind DN
    -f file read operations from `file' rather than standard input
    -h host LDAP server
    -H URI LDAP Uniform Resource Indentifier(s)
    -M enable Manage DSA IT control (-MM to make critical)
    -n show what would be done but don't actually do it
    -p port port on server
    -P version procotol version (default: 3)
    -v run in verbose mode (diagnostics to standard output)
    -w passwd bind password (for simple authentication)
    -W prompt for bind password
    -x Simple authentication
    -y file Read password from file
    -Z Start TLS request (-ZZ to require successful response)

     

    Cheers,

     

    Alan