Fedora directory users - Mar 2009 - FDS and PagedResultsControl

Hi all,

Normal users on the directory are subject to an administrative limit as 
to the size of the result sets returned, which in our case has defaulted 
to 50.

I have to periodically query the directory and have all results 
returned, in order to perform an operation on all users periodically.

As I understand it, I can achieve this using the PagedResultsControl (in 
Java), which returns results in small chunks rather than one big blob.

When I try to use this control, I get the error:

LDAP: error code 12 - Unavailable Critical Extension

I understand from this error message that the paged control is not 
supported by FDS?

Before trying to get PagedResultsControl to work, I need to clarify at 
the outset: Am I approaching this the right way?

Is there an alternative method I should be using to return large result 
sets, without being forced to receive all results in one big blob, 
triggering administrative limits?

Regards,
Graham
--

Graham Leggett wrote:
> 
> Normal users on the directory are subject to an administrative limit as
> to the size of the result sets returned, which in our case has defaulted
> to 50.
> 
> I have to periodically query the directory and have all results
> returned, in order to perform an operation on all users periodically.
> 
> As I understand it, I can achieve this using the PagedResultsControl (in
> Java), which returns results in small chunks rather than one big blob
Note that the PagedResultsControl does not circumvent administrative
limits on all LDAP server implementations. It does on MS Active
Directory. But I consider this to be a security flaw.

Ciao, Michael.

Graham Leggett wrote:
> Hi all,
>
> Normal users on the directory are subject to an administrative limit 
> as to the size of the result sets returned, which in our case has 
> defaulted to 50.
>
> I have to periodically query the directory and have all results 
> returned, in order to perform an operation on all users periodically.
>
> As I understand it, I can achieve this using the PagedResultsControl 
> (in Java), which returns results in small chunks rather than one big 
> blob.
>
> When I try to use this control, I get the error:
>
> LDAP: error code 12 - Unavailable Critical Extension
>
> I understand from this error message that the paged control is not 
> supported by FDS?
>
> Before trying to get PagedResultsControl to work, I need to clarify at 
> the outset: Am I approaching this the right way?
>
> Is there an alternative method I should be using to return large 
> result sets, without being forced to receive all results in one big 
> blob, triggering administrative limits?
You could also create a special administrative user account that''s used
only for this purpose, and increase the size, time, and lookthrough 
limits on this account only.  
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html

If you need paging, you could use Virtual List View (VLV aka "Browsing 
Index") - see 
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Indexes.html 
- look for Browsing Index
>
> Regards,
> Graham
> -- 
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

> Graham Leggett wrote:
>>
>> Normal users on the directory are subject to an administrative limit 
>> as to the size of the result sets returned, which in our case has 
>> defaulted to 50.
>>
>> I have to periodically query the directory and have all results 
>> returned, in order to perform an operation on all users periodically.
>>
>> As I understand it, I can achieve this using the PagedResultsControl 
>> (in Java), which returns results in small chunks rather than one big 
>> blob.
The paged results control isn''t the way to work around the size limit 
(and there''s also the fact that it isn''t supported !).
As Rich said, configure the server to override the limit for the user 
you''re binding as (the directory manager
always overrides the limit btw). There''s no problem with receiving the 
results ''all in one big blob'' because TCP
backpressure ensures that entries are not sent to the client until 
they''re read by the application (modulo the TCP
window size and OS buffering).

Hi Graham,
>From your last email about event notification, it seems like you''re
using
JNDI.

Take a look at the JAVA API document on javax.naming.directory.DirContext.
There''s a method called search which takes a SearchControls object. 
Within
the SearchControls object you can set search count, timeout and search level
(onelevel, subtree, object)

- David

On Mon, Mar 2, 2009 at 6:38 AM, Graham Leggett <minfrin@sharp.fm> wrote:
> Hi all,
>
> Normal users on the directory are subject to an administrative limit as to
> the size of the result sets returned, which in our case has defaulted to
50.
>
> I have to periodically query the directory and have all results returned,
> in order to perform an operation on all users periodically.
>
> As I understand it, I can achieve this using the PagedResultsControl (in
> Java), which returns results in small chunks rather than one big blob.
>
> When I try to use this control, I get the error:
>
> LDAP: error code 12 - Unavailable Critical Extension
>
> I understand from this error message that the paged control is not
> supported by FDS?
>
> Before trying to get PagedResultsControl to work, I need to clarify at the
> outset: Am I approaching this the right way?
>
> Is there an alternative method I should be using to return large result
> sets, without being forced to receive all results in one big blob,
> triggering administrative limits?
>
> Regards,
> Graham
> --
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>