Subject: [ActiveDir] LDAP search limitations
AD000001290

Posts:0

09/22/2005 5:27 AM  
Apologies for asking this question, since it's been posed before (?), but can anyone offer me a brief description of why AD only returns (by default) 1024 entries when an LDAP search is performed? Is it a question of performance? Why is the searcher not offered all records that meet the search criteria?

Questions have arisen as to why MS implemented a limit since (apparently), other LDAP implementations do not enforce these limits.

thanks,
neil

---------------------------------------
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
neil.ruston@xxxxxxxxxxxxx


PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
deji

Posts:262

09/22/2005 6:02 AM  
MS did not "implement" a limit. The paging is a function of the client doing
the LDAP query and conforms to the specs outlined in RFC 2696.

If you read the RFC, you will come to agree that, although RFCs are not
(strictly speaking) "standards", you are "expected" to page your LDAP
queries.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

Alm@xxxx.yyy

09/22/2005 6:46 AM  
Sounds like you're also using an older version of Windows and hitting a different limit as I'd have expected AD to limit your results to 1000 (at a time).

To get more than that with .net or to work around the 1500 limit, you'll likely want to research ranging. Joe K is pretty good about this sort of thing. Maybe a direct ping or a note to the adsi newsgroups would get a better explanation.

Al

listmail

Posts:824

09/22/2005 7:31 AM  
The limit is 1000 on 2K and 1500 on K3/ADAM. These values can be tweaked.

The general purpose reason is to conserve resources on the LDAP server.
Consider result sets have to be pulled into memory to be encoded to send
back to clients. If you have lots and lots of simultaneous queries with huge
resultsets you could quickly cause harm to an LDAP server as it runs low on
resources.

As to why MS did it and others didn't. Possibly the others are not thinking
properly about large scale or heavily loaded implementations.


Alm@xxxx.yyy

09/23/2005 1:27 AM  
Neil, I can vouch for some of those implementations, but it's a matter of
what the server advertises vs. the client expectations in my opinion.
The client, if v3 compliant should read the capabilities and decide if
it will support it or not.

I've also seen plenty of browsers, programming languages (python comes
to mind) that have limited support for capabilities that are possible.

Were you planning to do anything in particular with the information or
is this just a FYI exercise?

Al

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
neil.ruston@xxxxxxxxxxxxx
Sent: Friday, September 23, 2005 5:11 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] LDAP search limitations

Thanks to those who responded and sorry for any confusion caused by
using the number 1024 and not 1000 :)

This article
http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech
implies that the pagelimit is 1000 in 2k (and 2k3), but the valuerange
is 1000 (1500 in 2k3). I was asking about the pagelimit which determines
the number of objects returned and not valuerange, which determines the
number of values returned per attribute.

The question stemmed from the fact that:
1. some ppl are not used to such limits being imposed by other LDAP
implementations
2. various LDAP clients/browsers do not support paging or VLV.

Deji quoted a RFC regarding paging, but as we all know, RFCs are
guidelines and not standards. I don't believe that all clients have
adopted paging since as I state above, not all LDAP implementations
require it. I do however, appreciate that AD is not just an LDAP
repository nor is it just a database. There is a need therefore, to
"throttle" searches so that other operations are not jeopardised.

Thanks again,
neil
listmail

Posts:824

09/23/2005 2:32 AM  
Yep, I spaced, it is indeed 1000 by default on both systems. See note where
Tony pointed out my mistake as well.

I agree to both points 1 and 2 as well as the RFC comment. Unfortunately the
RFC is the best attempt at standardization. As more and more vendors pick up
on it, it becomes de facto standard.

As Eric pointed out to this list previously, apps that do not handle paging
or value ranging are actually dangerous in that they don't scale and
probably won't even be aware that they are missing values regardless of what
the limits are set to. Every system has to have some limit, no system has
infinite resources.



AD000001290

Posts:0

09/23/2005 4:10 AM  
Thanks Al.

This post was conceived out of a conversation with a guy who has dealt with LDAP implementations for a while now but had never touched upon AD.

He came to me with several fundamental "why" questions which I was unsure how to answer. (e.g. why set the page limit at 1000 and insist the client perform paging / VLV?) He wanted to change that value rather than write the code used to perform searches differently.

I now believe the answer to be more along the lines of the fact that AD is far more than just a database or LDAP repository and so should not be compared to say Oracle, or Sun One.

I therefore plan to feedback to the originator and see where that takes us :)

neil
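
The paging behaviour discussed in this thread, as an added example that is not part of any poster's message: a small in-memory model of a server with the 1000-entry page limit and three clients, showing that a client which neither pages nor checks the result code silently loses entries, while an RFC 2696-style cookie loop retrieves all of them. `DirectoryServer`, the client functions and the sample entries are hypothetical constructions, not a real LDAP library or Active Directory API.

```python
import secrets

MAX_PAGE_SIZE = 1000        # page limit discussed in the thread
SUCCESS = 0                 # LDAP resultCode: success
SIZE_LIMIT_EXCEEDED = 4     # LDAP resultCode: sizeLimitExceeded


class DirectoryServer:
    """Hypothetical in-memory server that enforces a page limit."""

    def __init__(self, entries, max_page_size=MAX_PAGE_SIZE):
        self.entries = list(entries)
        self.max_page_size = max_page_size
        self._cursors = {}  # opaque cookie -> offset of the next entry to send

    def search(self, predicate, page_size=None, cookie=b""):
        """Return (entries, result_code, cookie) for one search request."""
        matches = [e for e in self.entries if predicate(e)]
        if page_size is None:
            # No paged-results control: send at most one page and flag truncation.
            chunk = matches[:self.max_page_size]
            code = SIZE_LIMIT_EXCEEDED if len(matches) > len(chunk) else SUCCESS
            return chunk, code, b""
        if page_size < 1:
            raise ValueError("page_size must be at least 1")
        if cookie:
            if cookie not in self._cursors:
                raise ValueError("unknown or expired paging cookie")
            start = self._cursors.pop(cookie)
        else:
            start = 0
        # The server, not the client, has the last word on the page size.
        end = start + min(page_size, self.max_page_size)
        next_cookie = b""
        if end < len(matches):
            next_cookie = secrets.token_bytes(8)
            self._cursors[next_cookie] = end
        return matches[start:end], SUCCESS, next_cookie


def naive_search(server, predicate):
    """Client with no paging support that also ignores the result code."""
    entries, _code, _cookie = server.search(predicate)
    return entries


def checked_search(server, predicate):
    """Client with no paging support that at least refuses a truncated answer."""
    entries, code, _cookie = server.search(predicate)
    if code == SIZE_LIMIT_EXCEEDED:
        raise RuntimeError("result set truncated by the server page limit")
    return entries


def paged_search(server, predicate, page_size=500):
    """Client that loops on the paging cookie until the server returns an empty one."""
    results, cookie, round_trips = [], b"", 0
    while True:
        page, code, cookie = server.search(predicate, page_size, cookie)
        if code != SUCCESS:
            raise RuntimeError(f"search failed with result code {code}")
        results.extend(page)
        round_trips += 1
        if not cookie:
            return results, round_trips


def build_sample_directory(count):
    """Constructed sample entries; the names and DNs are made up."""
    return [{"dn": f"CN=user{i:04d},OU=Staff,DC=example,DC=test",
             "department": "trading" if i % 2 else "ops"} for i in range(count)]


if __name__ == "__main__":
    server = DirectoryServer(build_sample_directory(2350))
    everyone = lambda entry: True
    print("naive client sees :", len(naive_search(server, everyone)))
    full, trips = paged_search(server, everyone, page_size=500)
    print("paged client sees :", len(full), "in", trips, "round trips")
    try:
        checked_search(server, everyone)
    except RuntimeError as exc:
        print("checked client    :", exc)
```

Any report built on the naive client (group membership reviews, stale-account sweeps) covers only the first 1000 matches and gives no sign that anything is missing.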

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of Al Mulnick
Sent: 23 September 2005 14:29
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] LDAP search limitations
Neil, I can vouch for some those implementations, but it's a matter of
what the server advertises vs. the client expectations in my opinion.
The client, if v3 compliant should read the capabilities and decide if
it will support it or not.

I've also seen plenty of browsers, programming languages (python comes
to mind) that have limited support for capabilities that are possible.

Were you planning to do anything in particular with the information or
is this just a FYI exercise?

Al

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
neil.ruston@xxxxxxxxxxxxx
Sent: Friday, September 23, 2005 5:11 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] LDAP search limitations

Thanks to those who responded and sorry for any confusion caused by
using the number 1024 and not 1000 :)

This article
http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech
implies that the pagelimit is 1000 in 2k (and 2k3), but the valuerange
is 1000 (1500 in 2k3). I was asking about the pagelimit which determines
the number of objects returned and not valuerange, which determines the
number of values returned per attribute.

The question stemmed from the fact that:
1. some ppl are not used to such limits being imposed by other LDAP
implementations 2. various LDAP clients/browsers do not support paging
or VLV.

Deji quoted a RFC regarding paging, but as we all know, RFCs are
guidelines and not standards. I don't believe that all clients have
adopted paging since as I state above, not all LDAP implementations
require it. I do however, appreciate that AD is not just an LDAP
repository nor is it just a database. There is a need therefore, to
"throttle" searches so that other operations are not jeopardised.

Thanks again,
neil
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of joe
Sent: 22 September 2005 19:44
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] LDAP search limitations
The limit is 1000 on 2K and 1500 on K3/ADAM. These values can be
tweaked.

The general purpose reason is to conserve resources on the LDAP server.
Consider result sets have to be pulled into memory to be encoded to send
back to clients. If you have lots and lots of simultaneous queries with
huge resultsets you could quickly cause harm to an LDAP server as it
runs low on resources.

As to why MS did it and others didn't. Possibly the others are not
thinking properly about large scale or heavily loaded implementations.


TonyTestUser is Offline

Posts:0

09/23/2005 4:14 AM  
Hey Joe

I'm missing something here, so hopefully you can clarify it for me.

MaxPageSize is set at 1000 in both Windows 2000 and 2003. MaxValRange
increased from 1000 in 2K to 1500 in 2K3. My understanding is that the
MaxPageSize corresponds to the maximum number of objects returned in a
single search result, whereas MaxValRange is all about the number of
values returned in a search result for a single attribute.

I would have thought Neil's query was more about the MaxPageSize?

Tony
PS. Happy to discuss this over a bottle of decent red wine with you
and the others next week. :-)

listmailUser is Offline

Posts:824

09/23/2005 5:35 AM  
Sorry no, I am on crack.

I was thinking maxvals for ranging and applied it to max objects for a page.
It is definitely 1000 objects per page just like in 2K. I was just
explaining yet again to someone at work why we need to keep DL sizes under
1000 direct members on 2K DCs. I seem to be thinking a lot about Exchange
specific AD stuff as of late.

On the positive side, the reasoning is the same for both limits. :o)
Looking forward to the wine and beer and mixed drinks and just plain
relaxing and not running 10-20 hours every day and then sleeping the
remainder. The next time I sign a book deal it will be after I have written
the book. Writing part time to a deadline (especially one that gets moved
up) is equivalent to saying you don't want a personal life. :o)

You should probably be getting on a plane pretty soon to get here huh? ;o)
Thanks for catching my mistake.
joe



AD000001290User is Offline

Posts:0

09/23/2005 9:11 AM  
Thanks to those who responded and sorry for any confusion caused by using the number 1024 and not 1000 :)

This article http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech implies that the pagelimit is 1000 in 2k (and 2k3), but the valuerange is 1000 (1500 in 2k3). I was asking about the pagelimit which determines the number of objects returned and not valuerange, which determines the number of values returned per attribute.

The question stemmed from the fact that:
1. some ppl are not used to such limits being imposed by other LDAP implementations
2. various LDAP clients/browsers do not support paging or VLV.

Deji quoted an RFC regarding paging, but as we all know, RFCs are guidelines and not standards. I don't believe that all clients have adopted paging since, as I state above, not all LDAP implementations require it. I do, however, appreciate that AD is not just an LDAP repository nor is it just a database. There is a need, therefore, to "throttle" searches so that other operations are not jeopardised.

Thanks again,
neil
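The two limits distinguished in this thread, shown as an added example that is not part of any poster's message: a constructed in-memory stand-in for a DC enforces the thread's figures (1000 objects per page, 1500 values per range on 2K3), and a client works past each one. The class and function names, the integer cookie and the sample DNs are assumptions for illustration; a real server returns an opaque cookie in the paged-results control.

```python
import re

MAX_PAGE_SIZE = 1000  # objects per search response (thread's figure for 2K and 2K3)
MAX_VAL_RANGE = 1500  # values per attribute per response (thread's 2K3 figure)
SIZE_LIMIT_EXCEEDED = 4  # LDAP result code sizeLimitExceeded (RFC 4511)
RANGE_RE = re.compile(r"^[^;]+;range=(\d+)-(\d+|\*)$", re.IGNORECASE)


class SimulatedDC:
    """Constructed stand-in for a domain controller; nothing touches the network."""

    def __init__(self, entries):
        self.entries = entries          # list of (dn, {attr: [values]})
        self.by_dn = dict(entries)

    def search(self, page_size=None, cookie=0):
        """Return (entries, next_cookie, result_code) for a match-all search."""
        if page_size is None:  # client sent no paging control
            truncated = len(self.entries) > MAX_PAGE_SIZE
            code = SIZE_LIMIT_EXCEEDED if truncated else 0
            return self.entries[:MAX_PAGE_SIZE], None, code
        size = min(page_size, MAX_PAGE_SIZE)  # server caps the requested page
        nxt = cookie + size
        more = nxt < len(self.entries)
        return self.entries[cookie:nxt], (nxt if more else None), 0

    def read_values(self, dn, attr, start=0):
        """Return (attribute description, values), ranged when over the limit."""
        values = self.by_dn[dn][attr]
        if start == 0 and len(values) <= MAX_VAL_RANGE:
            return attr, values
        end = start + MAX_VAL_RANGE
        hi = "*" if end >= len(values) else str(end - 1)  # "*" marks the last chunk
        return f"{attr};range={start}-{hi}", values[start:end]


def fetch_all_entries(dc, page_size=500):
    """Paged search: repeat until the server stops handing back a cookie."""
    found, cookie = [], 0
    while cookie is not None:
        page, cookie, _ = dc.search(page_size, cookie)
        found.extend(page)
    return found


def fetch_all_values(dc, dn, attr):
    """Ranged retrieval: request the next range until the upper bound is '*'."""
    found, start = [], 0
    while True:
        desc, values = dc.read_values(dn, attr, start)
        found.extend(values)
        m = RANGE_RE.match(desc)
        if m is None or m.group(2) == "*":
            return found
        start = int(m.group(2)) + 1


def build_sample():
    """Constructed directory: 2500 users plus one group with 3200 members."""
    users = [(f"CN=user{i},DC=example,DC=test", {"cn": [f"user{i}"]}) for i in range(2500)]
    members = [f"CN=member{i},DC=example,DC=test" for i in range(3200)]
    return SimulatedDC(users + [("CN=BigDL,DC=example,DC=test", {"member": members})])


if __name__ == "__main__":
    dc = build_sample()
    entries, _, code = dc.search()  # unpaged client
    print(len(entries), code, len(fetch_all_entries(dc)))
    print(len(fetch_all_values(dc, "CN=BigDL,DC=example,DC=test", "member")))
```

A client that sends no paging control sees only the first 1000 objects plus `sizeLimitExceeded`, which is the truncation the original question describes; the group's `member` values are a separate loop governed by the value-range limit.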