Subject: [ActiveDir] Changing MaxPageSize

dmitrig
04/18/2008 9:47 AM
The change will be picked up immediately, without reboot.
However, this policy is only enforced at *connect* time. I.e. if you have existing connections that violate the policy, they will not be kicked out.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Shaun Little
Sent: Friday, April 18, 2008 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

I have a quick question, I have just made a change to the maxconnections
attribute in the queryPolicy class using LDP.


Will the change take effect after a set period of time or is a reboot of
the server required?



Thanks

Shaun


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Arkills
Sent: 17 April 2008 17:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

OK, but that doesn't change my objection to it. The net effect of your
proposed solution is to remove any server-imposed size limit.
Effectively this is the same as option #2 in your list, except you now
have an unlimited maxpagesize.

Stepping back a bit, let me say a few things about how other LDAP
directories handle this, and maybe this will inspire what I'd think
would be better solutions. First, a review of how AD handles size
limits, then an example of another LDAP directory.

So AD has many limits which together weave together into the overall
picture. There's a server-side limit (called MaxPageSize), which by
default is 1000. There's a second server-side limit which you might
think about as an absolute maximum server-side limit (called
MaxResultSetSize), which by default is 262144. I see that this latter
limit hasn't been noted yet in the thread. There's also the possibility
of a client side size limit which all depends on what the client sets it
to be. AD imposes the lower of the client size limit or the server size
limit unless the paging control is invoked. If the paging control is
invoked, then it imposes the lower of the client size limit or the
absolute maximum server-side limit but it pages the results back to the
client. In other words, AD uses the paging control as a way for clients
to get around a soft limit. But it still has a hard upper limit. As a
side note, as far as I know AD is unique in this regard among LDAP
directories; no other LDAP directories employ the paging control as a
way to "get around" a server size limit. One of the annoying things here
is that the term MaxPageSize is misleading--you don't have to be doing
any paging to be subject to that size limit.

Take OpenLDAP as another example. With OpenLDAP, there is a default
server size limit. I think it's 500, if I recall correctly. As with all
ldap clients there's also a client side size limit. Paging is not used
as a way to circumvent the limit. Instead, you can set a different size
limit on a per-user basis. So my authentication token might be given a
server size limit of 150000, but everyone else is subject to the default
of 500. Like AD, the net limit is the lower of the client side limit and
the server side limit. If you used paging, it would just break that
result set into smaller pieces, but it could not be used to circumvent
any of the limits. This approach is extremely similar to how other LDAP
directories handle size limits.

I'm not sure I understand why Microsoft designed their size limit
approach to be so different from every other LDAP directory on the
planet. However, I also don't see that your proposed solution to the
stated problem makes sense (it also doesn't address the
MaxResultSetSize). I'd think a more sensible solution would be to
propose that certain users could have a different size limit which
overrode the MaxPageSize and possibly the MaxResultSetSize. Such a
solution would be a minor change in architecture but I'd think it would
be doable. Currently the way the size limits are set is via a
queryPolicy object in the config partition. There's a default query
policy object, but you can create additional ones. You'd do so, with the
limits you'd want, but the missing pieces would be:

a) being able to associate that policy object with a user object (this
might require a schema change)
b) having the AD code honor this new behavior

> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
> Sent: Tuesday, April 15, 2008 12:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Changing MaxPageSize
>
> If this proposal is implemented, then no changes are required to client
> apps. They don't need to pass any new controls.
>
> Here's the scenario:
>
> You have an old ldap app that does not know how to page.
> Your domain grows, and the app stops working because it can only get
> 1000 users max.
>
> What do you do? Currently, you only have two options:
> 1. Try to fix the app.
> 2. Increase MaxPageSize.
>
> 1 is often impossible. 2 is generally frowned upon (e.g. in this
> thread). You are out of options!
>
> I am trying to propose a new option, that would allow to do paging at
> server, while presenting the search results to the client as a regular
> ldap search result.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Arkills
> Sent: Tuesday, April 15, 2008 11:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Changing MaxPageSize
>
> I'm somewhat new to this list, but very familiar with both AD and LDAP
> (see http://www.amazon.com/LDAP-Directories-Explained-Introduction-Independent/dp/020178792X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1208285140&sr=8-1).
>
> I don't understand the strategy of this proposal. Here's what I'm
> hearing:
>
> -Client has software which doesn't support the LDAP paging control
> that's been around for years and which is supported by lots of
> ldap-based software.
> -Instead of getting the software vendor to implement and support that
> well-supported LDAP paging control, there's an idea that the client
> would like Microsoft to implement a *new* LDAP control which
> circumvents the maxpagesize that the server enforces on all LDAP
> search requests.
>
> **If the software vendor won't support the well-known LDAP paging
> control, how are you going to get them to support a brand-new LDAP
> paging control?**
>
> Put another way, all LDAP searches of AD are currently subject to the
> server-side maxpagesize limit (this is a common thing to do in LDAP
> directories). There are many good reasons for such a limit to be in
> place, so you have little to no chance of convincing Microsoft (or many
> of us) that completely removing that limit is a good idea. So this
> means you need an LDAP control extension to allow certain requestors to
> circumvent that limit. But if you have such a control, then anyone can
> call it which means you've lost the value of having a limit at all. So
> then your control needs some authorization logic built into it.
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
> > Sent: Tuesday, April 15, 2008 10:05 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Changing MaxPageSize
> >
> > I'll make sure this gets brought up during one of the chalk talks
> > unless I happen to not be there, but if I can't, I'll ask someone
> > else to bring it up.
> >
> > We did just discuss AD/LDS on Vista. :)
> >
> > Joe K.
> >
> > ----- Original Message -----
> > From: "Dmitri Gavrilov" <dmitrig@microsoft.com>
> > To: <ActiveDir@mail.activedir.org>
> > Sent: Tuesday, April 15, 2008 11:28 AM
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> >
> > Yes, something like this.
> > Yes, it will consume server memory, while the search is being run. But
> > there's nothing new here - you can already do this today, if you request
> > lots of large objects. We have proper controls (max output packet size,
> > max query duration, etc) to protect server.
> >
> > Yes, if client is paging, then we won't use this mechanism (double-paging
> > looks scary to me). Client's page sizes would have to be under the
> > "server maxPageSize" value.
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> > Sent: Tuesday, April 15, 2008 9:17 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Changing MaxPageSize
> >
> > Dmitri,
> >
> > So it would be like an intermediary buffer between the client and server,
> > but on the server itself?
> >
> > Client -> Server -> Buffer using paging control queues up results ->
> > Returns results to client in one stream ( ? )
> >
> > If paging is requested, then the server side buffer is not used? Would
> > this consume a lot of memory space for the server with a large amount of
> > searches to hold the results before returning to the client?
> >
> > I obviously don't know as much as I would like about how the control
> > extension works, but I am curious.
> >
> > Thanks,
> > Jef
> >
> >
> >
> >
> >
> > From: Dmitri Gavrilov <mailto:dmitrig@microsoft.com>
> > Sent: Tuesday, April 15, 2008 11:07 AM
> > To: ActiveDir@mail.activedir.org <mailto:ActiveDir@mail.activedir.org>
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > We would still respect paging requests, and continue working as
> > previously.
> >
> > The only difference is that we will now *support* setting MaxPageSize to
> > large values. Today, you cannot get more than 1000 entries in a single
> > search query. If we make this change, then you will be.
> >
> > In a sense, this functionality is supported today in ADSI. ADSI/S.DS hides
> > paging from you. IIRC, you can set the pageSize parameter, but you still get
> > the result as one continuous stream of entries. ADSI queries the server for
> > you and fetches the next page when you run out of entries. My proposal is to
> > enable similar functionality on the server.
> >
> > But we will, of course, continue supporting client-initiated paged searches,
> > just like we do today.
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> > Sent: Tuesday, April 15, 2008 8:58 AM
> > To: activedir@mail.activedir.org
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > Dmitri,
> >
> > This sounds like it would kill any chance of a client who wants to do
> > paging, no? What would happen if a client specified a page size on its
> > own?
> >
> > It would still send a large result set to the client which could
> > negatively affect the client as well.
> >
> >
> >
> > Jef Kazimer
> > -------
> > http://jeftek.com
> > ________________________________
> > From: dmitrig@microsoft.com
> > To: ActiveDir@mail.activedir.org
> > Date: Tue, 15 Apr 2008 08:47:04 -0700
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> > Well, basically the proposal is what I briefly described below...
> >
> > We would build a paging mechanism in LDAP head on the server. Then, we would
> > support setting MaxPageSize policy to ridiculously large (practically
> > unlimited) values, and instead do paging at the server side (using some
> > internally configured "server" page size). Each page would be computed in a
> > separate transaction, but then all results would be packaged and sent to the
> > client as a single response. Then the practical limit would be the max
> > packet size (10Mb by default).
> >
> > What this achieves:
> > * Downlevel apps that don't support paging can continue working.
> > * Server is not getting killed by long-running transactions.
> >
> > The downside:
> > * Paging is now hidden from the app, but we are still paging. This
> > means all the bad transactional properties of paging are now sort of hidden
> > from the app: entries might be missed or reported multiple times (in case
> > they are moved or modified between page requests). There's nothing new
> > here - you can get this today, when paging. But now, we hide it at server
> > side, which makes it less apparent to apps.
> >
> > I'll be at PG dinner today, we can chat about it.
> >
> > Dmitri
> >
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> > Sent: Tuesday, April 15, 2008 8:29 AM
> > To: activedir@mail.activedir.org
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > Dmitri,
> >
> > Can you point me in the direction of what this proposal is? Can you
> > provide a summary for all those here?
> >
> > When you say "hidden", how do you mean?
> >
> > Jef
> >
> > Jef Kazimer
> > -------
> > http://jeftek.com
> > ________________________________
> > From: dmitrig@microsoft.com
> > To: ActiveDir@mail.activedir.org
> > Date: Tue, 15 Apr 2008 08:15:57 -0700
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> > This serves as a very appropriate and timely reminder for my earlier
> > post:
> >
> > Those of you that are coming to MVP summit: I implore you to push AD team to
> > finally fix this one. There was a good proposal on the table... If they do
> > it, then the paging can be hidden at the server side (basically, AD devs do
> > it once, instead of pushing app devs to do it many times in their apps).
> > Those of you with strong influence on MSFT (meaning you are wielding large
> > customers), you can do this too. Then this age-long question will be finally
> > put to rest.
> >
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Cliffe
> > Sent: Tuesday, April 15, 2008 8:06 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > Nothing new here. My client has one application which cannot utilize
> > paging, so we dedicated a DC for it and defined a custom query policy which
> > applies only to that DC. Also it is configured not to register any SRV
> > records [except for GUID ldap name and CNAME (replication with other DCs)],
> > and runs no other apps/services, so I've tried to limit its client facing
> > activity as much as possible. They were willing to dedicate the h/w and
> > understand the implications, which was good enough for me. I don't miss a
> > chance to tell them how bad it is and how easy would be to overcome the
> > risk - they usually come back with "it won't be for that much longer". It's
> > been 7 years now LOL (the good news is it honestly has not caused a
> > problem on that DC to date).
> >
> > -DaveC
> >
> > ________________________________
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> > Sent: Tuesday, April 15, 2008 10:39 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Changing MaxPageSize
> > Hi All,
> >
> > Yesterday I had stumbled upon a blog post suggesting to resolve the 1,000
> > result limit when querying AD, one should increase the MaxPageSize value.
> > I personally think this is a bad idea, but in response, they asked how one
> > can achieve the results without changing maxPageSize.
> >
> > So I wrote up what I thought could be done here:
> > http://jeftek.com/iam/activedirectory/avoid-changing-the-maxpagesize-ldap-query-policy/
> >
> > Essentially the only ways I could think of would be to utilize the Paging
> > LDAP control, but if the application doesn't support that, I also suggested
> > creating tighter, more exacting queries. If you have to change maxPageSize
> > (and all the issues that go with it), do so on an isolated DC specifically
> > for the application if it was that critical.
> >
> > Are there any other ways people have used to achieve this when the
> > application is incapable of paging, and they won't budge?
> >
> > Thanks,
> >
> > Jef
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx

dwells
04/18/2008 11:34 AM
Out of interest -- which Query Policy Object did you change? Are you trying
to alter the behavior across all DCs, just the one or something in between?

--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
Sent: Friday, April 18, 2008 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

The change will be picked up immediately, without reboot.
However, this policy is only enforced at *connect* time. I.e. if you have
existing connections that violate the policy, they will not be kicked out.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Shaun Little
Sent: Friday, April 18, 2008 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

I have a quick question, I have just made a change to the maxconnections
attribute in the queryPolicy class using LDP.


Will the change take effect after a set period of time or is a reboot of
the server required?



Thanks

Shaun


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Arkills
Sent: 17 April 2008 17:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

OK, but that doesn't change my objection to it. The net effect of your
proposed solution is to remove any server-imposed size limit.
Effectively this is the same as option #2 in your list, except you now
have an unlimited maxpagesize.

Stepping back a bit, let me say a few things about how other LDAP
directories handle this, and maybe this will inspire what I'd think
would be better solutions. First, a review of how AD handles size
limits, then an example of another LDAP directory.

So AD has many limits which together weave together into the overall
picture. There's a server-side limit (called MaxPageSize), which by
default is 1000. There's a second server-side limit which you might
think about as an absolute maximum server-side limit (called
MaxResultSetSize), which by default is 262144. I see that this latter
limit hasn't been noted yet in the thread. There's also the possibility
of a client side size limit which all depends on what the client sets it
to be. AD imposes the lower of the client size limit or the server size
limit unless the paging control is invoked. If the paging control is
invoked, then it imposes the lower of the client size limit or the
absolute maximum server-side limit but it pages the results back to the
client. In other words, AD uses the paging control as a way for clients
to get around a soft limit. But it still has a hard upper limit. As a
side note, as far as I know AD is unique in this regard among LDAP
directories; no other LDAP directories employ the paging control as a
way to "get around" a server size limit. One of the annoying things here
is that the term MaxPageSize is misleading--you don't have to be doing
any paging to be subject to that size limit.

Take openldap as another example. With OpenLDAP, there is a default
server size limit. I think it's 500, if I recall correctly. As with all
ldap clients there's also a client side size limit. Paging is not used
as a way to circumvent the limit. Instead, you can set a different size
limit on a per-user basis. So my authentication token might be given a
server size limit of 150000, but everyone else is subject to the default
of 500. Like AD, the net limit is the lower of the client side limit and
the server side limit. If you used paging, it would just break that
result set into smaller pieces, but it could not be used to circumvent
any of the limits. This approach is extremely similar to how other LDAP
directories handle size limits.

I'm not sure I understand why Microsoft designed their size limit
approach to be so different from every other LDAP directory on the
planet. However, I also don't see that your proposed solution to the
stated problem makes sense (it also doesn't address the
MaxResultSetSize). I'd think a more sensible solution would be to
propose that certain users could have a different size limit which
overrode the MaxPageSize and possibly the MaxResultSetSize. Such a
solution would be a minor change in architecture but I'd think it would
be doable. Currently the way the size limits are set is via a
queryPolicy object in the config partition. There's a default query
policy object, but you can create additional ones. You'd do so, with the
limits you'd want, but the missing pieces would be:

a) being able to associate that policy object with a user object (this
might require a schema change)
b) having the AD code honor this new behavior

> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
> Sent: Tuesday, April 15, 2008 12:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Changing MaxPageSize
>
> If this proposal is implemented, then no changes are required to
client
> apps. They don't need to pass any new controls.
>
> Here's the scenario:
>
> You have an old ldap app that does not know how to page.
> Your domain grows, and the app stops working because it can only get
> 1000 users max.
>
> What do you do? Currently, you only have two options:
> 1. Try to fix the app.
> 2. Increase MaxPageSize.
>
> 1 is often impossible. 2 is generally frowned upon (e.g. in this
> thread). You are out of options!
>
> I am trying to propose a new option, that would allow to do paging at
> server, while presenting the search results to the client as a regular
> ldap search result.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Brian Arkills
> Sent: Tuesday, April 15, 2008 11:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Changing MaxPageSize
>
> I'm somewhat new to this list, but very familiar with both AD and LDAP
> (see http://www.amazon.com/LDAP-Directories-Explained-Introduction-
>
Independent/dp/020178792X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=120828514
> 0&sr=8-1).
>
> I don't understand the strategy of this proposal. Here's what I'm
> hearing:
>
> -Client has software which doesn't support the LDAP paging control
> that's been around for years and which is supported by lots of ldap-
> based software.
> -Instead of getting the software vendor to implement and support that
> well-supported LDAP paging control, there's an idea that the client
> would like Microsoft to implement a *new* LDAP control which
> circumvents the maxpagesize that the server enforces on all LDAP
search
> requests.
>
> **If the software vendor won't support the well-known LDAP paging
> control, how are you going to get them to support a brand-new LDAP
> paging control?**
>
> Put another way, all LDAP searches of AD are currently subject to the
> server-side maxpagesize limit (this is a common thing to do in LDAP
> directories). There are many good reasons for such a limit to be in
> place, so you have little to no chance of convincing Microsoft (or
many
> of us) that completely removing that limit is a good idea. So this
> means you need an LDAP control extension to allow certain requestors
to
> circumvent that limit. But if you have such a control, then anyone can
> call it which means you've lost the value of having a limit at all. So
> then your control needs some authorization logic built into it.
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Joe Kaplan
> > Sent: Tuesday, April 15, 2008 10:05 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Changing MaxPageSize
> >
> > I'll make sure this gets brought up during one of the chalk talks
> > unless I
> > happen to not be there, but if I can't, I'll ask someone else to
> bring
> > it
> > up.
> >
> > We did just discuss AD/LDS on Vista. :)
> >
> > Joe K.
> >
> > ----- Original Message -----
> > From: "Dmitri Gavrilov" <dmitrig@microsoft.com>
> > To: <ActiveDir@mail.activedir.org>
> > Sent: Tuesday, April 15, 2008 11:28 AM
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> >
> > Yes, something like this.
> > Yes, it will consume server memory, while the search is being run.
> But
> > there's nothing new here - you can already do this today, if you
> > request
> > lots of large objects. We have proper controls (max output packet
> size,
> > max
> > query duration, etc) to protect server.
> >
> > Yes, if client is paging, then we won't use this mechanism (double-
> > paging
> > looks scary to me). Client's page sizes would have to be under the
> > "server
> > maxPageSize" value.
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> > Sent: Tuesday, April 15, 2008 9:17 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Changing MaxPageSize
> >
> > Dmitri,
> >
> > So it would be like an intermediary buffer between the client and
> > server,
> > but on the server itself?
> >
> > Client -> Server -> Buffer using paging control queues up results ->
> > Returns
> > results to client in one stream ( ? )
> >
> > If paging is requested, then the server side buffer is not used?
> > Would
> > this consume a lot of memory space for the server with a large
amount
> > of
> > searches to hold the results before returning to the client?
> >
> > I obviously don't know as much as I would like about how the control
> > extension works, but I am curious.
> >
> > Thanks,
> > Jef
> >
> >
> >
> >
> >
> > From: Dmitri Gavrilov<mailto:dmitrig@microsoft.com>
> > Sent: Tuesday, April 15, 2008 11:07 AM
> > To:
ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > We would still respect paging requests, and continue working as
> > previously.
> >
> > The only difference is that we will now *support* setting
MaxPageSize
> > to
> > large values. Today, you cannot get more than 1000 entries in a
> single
> > search query. If we make this change, then you will be.
> >
> > In a sense, this functionality is supported today in ADSI. ADSI/S.DS
> > hides
> > paging from you. IIRC, you can set the pageSize parameter, but you
> > still get
> > the result as one continuous stream of entries. ADSI queries the
> server
> > for
> > you and fetches the next page when you run out of entries. My
> proposal
> > to
> > enable similar functionality on the server.
> >
> > But we will, of course, continue supporting client-initiated paged
> > searches,
> > just like we do today.
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> > Sent: Tuesday, April 15, 2008 8:58 AM
> > To: activedir@mail.activedir.org
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > Dmitri,
> >
> > This sounds like it would kill any chance of a client who wants to
do
> > paging,no? what would happen if a client specified a page size on
> it's
> > own?
> >
> > It would still send a large result set to the client which could
> > negatively
> > affect the client as well.
> >
> >
> >
> > Jef Kazimer
> > -------
> > http://jeftek.com
> > ________________________________
> > From: dmitrig@microsoft.com
> > To: ActiveDir@mail.activedir.org
> > Date: Tue, 15 Apr 2008 08:47:04 -0700
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> > Well, basically the proposal is what I briefly described below...
> >
> > We would build a paging mechanism in LDAP head on the server. Then, we
> > would support setting MaxPageSize policy to ridiculously large
> > (practically unlimited) values, and instead do paging at the server side
> > (using some internally configured "server" page size). Each page would be
> > computed in a separate transaction, but then all results would be
> > packaged and sent to the client as a single response. Then the practical
> > limit would be the max packet size (10Mb by default).
> >
> > What this achieves:
> > * Downlevel apps that don't support paging can continue working.
> > * Server is not getting killed by long-running transactions.
> >
> > The downside:
> > * Paging is now hidden from the app, but we are still paging. This means
> >   all the bad transactional properties of paging are now sort of hidden
> >   from the app: entries might be missed or reported multiple times (in
> >   case they are moved or modified between page requests). There's nothing
> >   new here - you can get this today, when paging. But now, we hide it at
> >   server side, which makes it less apparent to apps.
> >
> > I'll be at PG dinner today, we can chat about it.
> >
> > Dmitri
> >
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> > Sent: Tuesday, April 15, 2008 8:29 AM
> > To: activedir@mail.activedir.org
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > Dmitri,
> >
> > Can you point me in the direction of what this proposal is? Can you
> > provide a summary for all those here?
> >
> > When you say "hidden", how do you mean?
> >
> > Jef
> >
> > Jef Kazimer
> > -------
> > http://jeftek.com
> > ________________________________
> > From: dmitrig@microsoft.com
> > To: ActiveDir@mail.activedir.org
> > Date: Tue, 15 Apr 2008 08:15:57 -0700
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> > This serves as a very appropriate and timely reminder for my earlier
> > post:
> >
> > Those of you that are coming to MVP summit: I implore you to push AD
> > team to finally fix this one. There was a good proposal on the table...
> > If they do it, then the paging can be hidden at the server side
> > (basically, AD devs do it once, instead of pushing app devs to do it many
> > times in their apps). Those of you with strong influence on MSFT (meaning
> > you are wielding large customers), you can do this too. Then this
> > age-long question will be finally put to rest.
> >
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Cliffe
> > Sent: Tuesday, April 15, 2008 8:06 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > Nothing new here. My client has one application which cannot utilize
> > paging, so we dedicated a DC for it and defined a custom query policy
> > which applies only to that DC. Also it is configured not to register any
> > SRV records [except for GUID ldap name and CNAME (replication with other
> > DCs)], and runs no other apps/services, so I've tried to limit its
> > client facing activity as much as possible. They were willing to dedicate
> > the h/w and understand the implications, which was good enough for me. I
> > don't miss a chance to tell them how bad it is and how easy it would be
> > to overcome the risk - they usually come back with "it won't be for that
> > much longer". It's been 7 years now LOL (the good news is it honestly has
> > not caused a problem on that DC to date).
> >
> > -DaveC
> >
> > ________________________________
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> > Sent: Tuesday, April 15, 2008 10:39 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Changing MaxPageSize
> > Hi All,
> >
> > Yesterday I had stumbled upon a blog post suggesting to resolve the
> > 1,000 result limit when querying AD, one should increase the MaxPageSize
> > value. I personally think this is a bad idea, but in response, they asked
> > how one can achieve the results without changing maxPageSize.
> >
> > So I wrote up what I thought could be done here:
> >
> > http://jeftek.com/iam/activedirectory/avoid-changing-the-maxpagesize-ldap-query-policy/
> >
> > Essentially the only ways I could think of would be to utilize the Paging
> > LDAP control, but if the application doesn't support that, I also
> > suggested creating tighter, more exacting queries. If you have to change
> > maxPageSize (and all the issues that go with it), do so on an isolated DC
> > specifically for the application if it was that critical.
> >
> > Are there any other ways people have used to achieve this when the
> > application is incapable of paging, and they won't budge?
> >
> > Thanks,
> >
> > Jef
> >
> > This email was sent to you by Reuters, the global news and information
> > company.
> > To find out more about Reuters visit www.about.reuters.com
> > Any views expressed in this message are those of the individual sender,
> > except where the sender specifically states them to be the views of
> > Reuters Limited.
> > Reuters Limited is part of the Reuters Group of companies, of which
> > Reuters Group PLC is the ultimate parent company. Reuters Group PLC -
> > Registered office address: The Reuters Building, South Colonnade, Canary
> > Wharf, London E14 5EP, United Kingdom
> > Registered No: 3296375
> > Registered in England and Wales
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx

This message is confidential, so please treat it appropriately and for its
intended purpose only. In particular, if it refers to any technical data,
terms or prices not generally available or known, such items are
"commercially sensitive information" within the terms of the Freedom of
Information Act 2000 and related laws. As it would be prejudicial to RM's
commercial interests if these were disclosed, please refrain from doing so.



As Internet communications are not secure, please be aware that RM cannot
accept responsibility for its contents. Any views or opinions presented are
those of the author only and not of RM. If you are not the intended
recipient of this e-mail, please accept our apologies and arrange for copies
of it to be deleted. For your information, RM may intercept incoming and
outgoing email communications.



RM Education plc
Registered Office: New Mill House, 183 Milton Park, Abingdon, Oxfordshire,
OX14 4SE, England
Registered Number: 1148594

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
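
The downside named in the quoted proposal above (entries missed or reported more than once when they change between page requests) can be reproduced with a small simulation. This is an added example, not part of the original thread and not AD code: the toy `Directory`, the key-based cursor and the `writes_after_page` hook are assumptions made for illustration, since the thread does not say how the server would resume between pages.

```python
from bisect import bisect_right
from collections import Counter


class Directory:
    """Constructed toy store: immutable object id -> current cn (the index key)."""

    def __init__(self, count):
        self.cn_by_id = {i: f"user{i:03d}" for i in range(count)}

    def rename(self, obj_id, new_cn):
        self.cn_by_id[obj_id] = new_cn

    def read_page(self, after_cn, page_size):
        """One transaction: a consistent view of the index, resumed after the cursor."""
        index = sorted((cn, obj_id) for obj_id, cn in self.cn_by_id.items())
        start = 0 if after_cn is None else bisect_right(index, (after_cn, float("inf")))
        page = index[start:start + page_size]
        more = start + page_size < len(index)
        return page, (page[-1][0] if more else None)


def single_transaction_search(directory):
    """A raised MaxPageSize as discussed in the thread: whole result in one transaction."""
    page, _ = directory.read_page(None, len(directory.cn_by_id))
    return page


def server_side_paged_search(directory, server_page_size, writes_after_page=None):
    """The proposal: one transaction per page, all pages packaged as one response.

    writes_after_page maps a page number to [(obj_id, new_cn), ...] renames that other
    clients commit after that page's transaction closes (hypothetical test hook).
    """
    writes_after_page = writes_after_page or {}
    response, cursor, page_no = [], None, 0
    while True:
        page, cursor = directory.read_page(cursor, server_page_size)
        response.extend(page)
        page_no += 1
        if cursor is None:
            return response
        for obj_id, new_cn in writes_after_page.get(page_no, []):
            directory.rename(obj_id, new_cn)


def audit(response, directory):
    """Compare a response with the directory's final state: (missed ids, duplicated ids)."""
    seen = Counter(obj_id for _cn, obj_id in response)
    missed = sorted(set(directory.cn_by_id) - set(seen))
    duplicated = sorted(obj_id for obj_id, n in seen.items() if n > 1)
    return missed, duplicated


def demo():
    # Constructed scenario: 10 entries, server page size 4, two renames after page 1.
    writes = {1: [(1, "zzz-moved"),    # already returned, now sorts after the cursor
                  (7, "aaa-moved")]}   # not yet returned, now sorts before the cursor
    paged_dir = Directory(10)
    paged = server_side_paged_search(paged_dir, 4, writes)
    snapshot = single_transaction_search(Directory(10))
    return paged, audit(paged, paged_dir), snapshot


if __name__ == "__main__":
    paged, (missed, duplicated), snapshot = demo()
    print(f"paged response: {len(paged)} entries, missed={missed}, duplicated={duplicated}")
    print(f"single transaction: {len(snapshot)} entries")
```

The paged response still contains as many entries as the directory holds, so an application that only checks the count (an account inventory or access review, for instance) would not notice that one object is absent and another appears twice.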
Shadow

Posts:6

04/18/2008 12:30 PM  
The value for maxconnections in the lDAPAdminLimits attribute, just for
one dc.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: 18 April 2008 16:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

Out of interest -- which Query Policy Object did you change? Are you trying
to alter the behavior across all DCs, just the one or something in between?

--
Dean Wells
MSEtechnology
t Email: dwells@msetechnology.com
http://msetechnology.com

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
Sent: Friday, April 18, 2008 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

The change will be picked up immediately, without reboot.
However, this policy is only enforced at *connect* time. I.e. if you have
existing connections that violate the policy, they will not be kicked out.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Shaun Little
Sent: Friday, April 18, 2008 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

I have a quick question, I have just made a change to the maxconnections
attribute in the queryPolicy class using LDP.


Will the change take effect after a set period of time or is a reboot of
the server required?



Thanks

Shaun


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Arkills
Sent: 17 April 2008 17:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

OK, but that doesn't change my objection to it. The net effect of your
proposed solution is to remove any server-imposed size limit.
Effectively this is the same as option #2 in your list, except you now
have an unlimited maxpagesize.

Stepping back a bit, let me say a few things about how other LDAP
directories handle this, and maybe this will inspire what I'd think
would be better solutions. First, a review of how AD handles size
limits, then an example of another LDAP directory.

So AD has many limits which together weave together into the overall
picture. There's a server-side limit (called MaxPageSize), which by
default is 1000. There's a second server-side limit which you might
think about as an absolute maximum server-side limit (called
MaxResultSetSize), which by default is 262144. I see that this latter
limit hasn't been noted yet in the thread. There's also the possibility
of a client side size limit which all depends on what the client sets it
to be. AD imposes the lower of the client size limit or the server size
limit unless the paging control is invoked. If the paging control is
invoked, then it imposes the lower of the client size limit or the
absolute maximum server-side limit but it pages the results back to the
client. In other words, AD uses the paging control as a way for clients
to get around a soft limit. But it still has a hard upper limit. As a
side note, as far as I know AD is unique in this regard among LDAP
directories; no other LDAP directories employ the paging control as a
way to "get around" a server size limit. One of the annoying things here
is that the term MaxPageSize is misleading--you don't have to be doing
any paging to be subject to that size limit.

Take OpenLDAP as another example. With OpenLDAP, there is a default
server size limit. I think it's 500, if I recall correctly. As with all
ldap clients there's also a client side size limit. Paging is not used
as a way to circumvent the limit. Instead, you can set a different size
limit on a per-user basis. So my authentication token might be given a
server size limit of 150000, but everyone else is subject to the default
of 500. Like AD, the net limit is the lower of the client side limit and
the server side limit. If you used paging, it would just break that
result set into smaller pieces, but it could not be used to circumvent
any of the limits. This approach is extremely similar to how other LDAP
directories handle size limits.

I'm not sure I understand why Microsoft designed their size limit
approach to be so different from every other LDAP directory on the
planet. However, I also don't see that your proposed solution to the
stated problem makes sense (it also doesn't address the
MaxResultSetSize). I'd think a more sensible solution would be to
propose that certain users could have a different size limit which
overrode the MaxPageSize and possibly the MaxResultSetSize. Such a
solution would be a minor change in architecture but I'd think it would
be doable. Currently the way the size limits are set is via a
queryPolicy object in the config partition. There's a default query
policy object, but you can create additional ones. You'd do so, with the
limits you'd want, but the missing pieces would be:

a) being able to associate that policy object with a user object (this
might require a schema change)
b) having the AD code honor this new behavior

> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
> Sent: Tuesday, April 15, 2008 12:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Changing MaxPageSize
>
> If this proposal is implemented, then no changes are required to client
> apps. They don't need to pass any new controls.
>
> Here's the scenario:
>
> You have an old ldap app that does not know how to page.
> Your domain grows, and the app stops working because it can only get
> 1000 users max.
>
> What do you do? Currently, you only have two options:
> 1. Try to fix the app.
> 2. Increase MaxPageSize.
>
> 1 is often impossible. 2 is generally frowned upon (e.g. in this
> thread). You are out of options!
>
> I am trying to propose a new option, that would allow to do paging at
> server, while presenting the search results to the client as a regular
> ldap search result.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Arkills
> Sent: Tuesday, April 15, 2008 11:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Changing MaxPageSize
>
> I'm somewhat new to this list, but very familiar with both AD and LDAP
> (see
> http://www.amazon.com/LDAP-Directories-Explained-Introduction-Independent/dp/020178792X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1208285140&sr=8-1).
>
> I don't understand the strategy of this proposal. Here's what I'm
> hearing:
>
> -Client has software which doesn't support the LDAP paging control
> that's been around for years and which is supported by lots of
> ldap-based software.
> -Instead of getting the software vendor to implement and support that
> well-supported LDAP paging control, there's an idea that the client
> would like Microsoft to implement a *new* LDAP control which
> circumvents the maxpagesize that the server enforces on all LDAP search
> requests.
>
> **If the software vendor won't support the well-known LDAP paging
> control, how are you going to get them to support a brand-new LDAP
> paging control?**
>
> Put another way, all LDAP searches of AD are currently subject to the
> server-side maxpagesize limit (this is a common thing to do in LDAP
> directories). There are many good reasons for such a limit to be in
> place, so you have little to no chance of convincing Microsoft (or many
> of us) that completely removing that limit is a good idea. So this
> means you need an LDAP control extension to allow certain requestors to
> circumvent that limit. But if you have such a control, then anyone can
> call it which means you've lost the value of having a limit at all. So
> then your control needs some authorization logic built into it.
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Joe Kaplan
> > Sent: Tuesday, April 15, 2008 10:05 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Changing MaxPageSize
> >
> > I'll make sure this gets brought up during one of the chalk talks
> > unless I happen to not be there, but if I can't, I'll ask someone else
> > to bring it up.
> >
> > We did just discuss AD/LDS on Vista. :)
> >
> > Joe K.
> >
> > ----- Original Message -----
> > From: "Dmitri Gavrilov" <dmitrig@microsoft.com>
> > To: <ActiveDir@mail.activedir.org>
> > Sent: Tuesday, April 15, 2008 11:28 AM
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> >
> > Yes, something like this.
> > Yes, it will consume server memory, while the search is being run. But
> > there's nothing new here - you can already do this today, if you request
> > lots of large objects. We have proper controls (max output packet size,
> > max query duration, etc) to protect server.
> >
> > Yes, if client is paging, then we won't use this mechanism
> > (double-paging looks scary to me). Client's page sizes would have to be
> > under the "server maxPageSize" value.
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef Kazimer
> > Sent: Tuesday, April 15, 2008 9:17 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Changing MaxPageSize
> >
> > Dmitri,
> >
> > So it would be like an intermediary buffer between the client and
> > server, but on the server itself?
> >
> > Client -> Server -> Buffer using paging control queues up results ->
> > Returns results to client in one stream ( ? )
> >
> > If paging is requested, then the server side buffer is not used? Would
> > this consume a lot of memory space for the server with a large amount of
> > searches to hold the results before returning to the client?
> >
> > I obviously don't know as much as I would like about how the control
> > extension works, but I am curious.
> >
> > Thanks,
> > Jef
> >
> >
> >
> >
> >
> > From: Dmitri Gavrilov<mailto:dmitrig@microsoft.com>
> > Sent: Tuesday, April 15, 2008 11:07 AM
> > To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > We would still respect paging requests, and continue working as
> > previously.
> >
> > The only difference is that we will now *support* setting MaxPageSize to
> > large values. Today, you cannot get more than 1000 entries in a single
> > search query. If we make this change, then you will be.
> >
> > In a sense, this functionality is supported today in ADSI. ADSI/S.DS
> > hides paging from you. IIRC, you can set the pageSize parameter, but you
> > still get the result as one continuous stream of entries. ADSI queries
> > the server for you and fetches the next page when you run out of entries.
> > My proposal is to enable similar functionality on the server.
> >
> > But we will, of course, continue supporting client-initiated paged
> > searches,
> > just like we do today.
> >
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
efleis

Posts:15

04/21/2008 12:05 PM  
To comment on this question:

> I also don't understand how Dmitri's proposal differs from setting the MaxPageSize equal
> to the MaxResultSetSize, aside from the fact that he's stated that folks could request
> paging and have the default MaxPageSize limit

The difference is in the server compute resource consumption. Today, cranking up MaxPageSize does the full expansion in a single DB transaction. Dmitri's proposal does it in many. This is cheaper for the server, but as you noted, it is not free.

To be clear, it will, as you noted, still have a significant cost on the server. The goal of this would not be to make these apps efficient. Rather, if you wanted to do that, have them page. :) Rather, it is to give admins that want it a crutch.
The value is limited, but non-zero, depending upon the scenario.

BTW, I'd note that offering any of these features per user has the same server resource consumption issues.

~Eric



-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
Sent: Thursday, April 17, 2008 10:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

I see you described another possible use of MaxPageSize policy -- you are protecting non-paging applications from too much data being sent to them by the server. I would argue such applications are very broken already anyway. What use is an application that requests the full list of users (objectClass=user), but displays only the first 1000 and thinks it's done?

Currently, you cannot set MaxPageSize = MaxResultSize. This will kill your DC.

FWIW, I am not proposing to ignore the existing MaxPageSize policy. For app compat reasons, we will have to continue enforcing it. My proposal enables admin to raise it to larger values, if he needs to do this, without being frowned upon. I agree that your suggestion about having per-user policies helps to limit the app compat consequences of such action. It is certainly a nice to have.

I guess we are looking at the issue from opposite sides. You are saying that if MaxPageSize is raised too much, then apps can suffer, so you propose per-user policies. Ok, fair (even though I'd argue such apps deserve to be broken).

I am saying that if MaxPageSize is raised too much, then the server will suffer, so I am proposing a way to get around this. It is also needed.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Arkills
Sent: Thursday, April 17, 2008 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing MaxPageSize

Yes, depending on the scenario, per-user LDAP policies and server-side single response set (what I'd call dmitri's proposal) are not necessarily solutions to the same problem, which was stated as size limit circumvention for non-paging applications. My point was to get some ideas moving that didn't expose AD to increased operational risk as I believe the server-side single response set solution would.

Let me briefly spell out that operational risk so that we are all on the same page. So let's say that Microsoft implements Dmitri's proposal. Since he's said that it's not a ldap control, that means it's on all the time, and the default behavior would be that all search requests are returned without that limit, i.e. if I target the root of a partition/naming context and ask for (objectclass=*), I'd get every directory entry for that partition/naming context in the result set (assuming it didn't go over the MaxResultSetSize which has not been addressed by Dmitri's proposal). For many small AD implementations, this would not be much of an impact. These shops have very few directory objects, so such a change doesn't really mean much. For larger AD implementations, there would be a serious impact. Many clients could request large result sets and the server would be tied up sending those result sets out. If a large request came from someone with a low-bandwidth connection, AD could spend a very long time trying to send that result set to that client. As someone with a moderately sized AD (~330000 users), I don't like that scenario. We all know that the large corporations have a lot of sway in which direction Microsoft goes on features, and they'd have similar objections. So I just don't see the solution I've heard as practical or likely to fly.

I also don't understand how Dmitri's proposal differs from setting the MaxPageSize equal to the MaxResultSetSize, aside from the fact that he's stated that folks could request paging and have the default MaxPageSize limit. Of course, any LDAP client can assert a client-side paging size limit in addition to a client-side result set size limit, so that choice is already available without any server-side implementation (in other words, all the options are available with the existing technology). Setting the MaxPageSize = MaxResultSetSize doesn't require code changes, and allows those of us who have good reasons to have limits to keep them. I see that earlier in the thread Dmitri claims that increasing the MaxPageSize is "generally frowned upon", but that seems more like a function of people not being comfortable with how the technology works than it not being a valid solution to the problem.

> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Eric Fleischman
> Sent: Thursday, April 17, 2008 10:20 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Changing MaxPageSize
>
> A couple of comments. I assume Dmitri will probably want to add more as
> well.
>
> Naturally there are some scenarios where per-user LDAP policies make
> sense. We have talked about it in the past, and I still think there is
> some value here. In this you are correct.
>
> That said, from an ISV perspective, I have some concerns with this
> direction. I don't exactly know how an ISV can assume how the directory
> looks / feels / behaves when it behaves differently depending upon the
> context under which the app is running. I kind of feel like the end
> game would be that each ISV would end up saying, create a user for my
> app, create a policy for that user, and here's what the settings must
> be. The onus would then be on the administrator to manage this massive
> set of policies for each user, ensure no app asks for anything
> ridiculous, and so on.
> What happens if the app does impersonation? What do you do then, if app
> Foo runs as Brian and assumes a MaxPageSize of N but you only want to
> give Brian a MaxPageSize of N/100?
> How do other vendors handle this ISV situation? AD is somewhat unique
> in that the # of AD integrated apps is *so* much larger, and the things
> happening on top (like impersonation) are *so* much more common (in
> part because of the ease of deployment), so maybe this is a unique
> problem we have. I'd love your thoughts on this point.
> BTW, there is a fantastic counterargument that you could present, which
> is "well Eric, if you feel for the app vendors why make these knobs
> configurable at all?" That's a fair question. My response would be,
> almost no one ever turns them, so while they are turn-able it almost
> doesn't matter. And those that do are firmly in the know and are
> signing up for the consequences. :) It is a hokey argument, I will
> admit.
>
> I would also point out that I think Dmitri's proposal and the per-user
> stuff are orthogonal, if I understand this argument correctly. Dmitri's
> proposal is a way in which we achieve page-less large search. Your
> proposal is a way in which we govern what a user should be able to
> query for in different directions (per page, per logical operation, and
> so on). They seem to be solutions to different problems to me. They
> seem to be complementary. You probably want both, not one or the other.
>
> My $0.03 (inflation)
> ~Eric
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Brian Arkills
> Sent: Thursday, April 17, 2008 9:48 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Changing MaxPageSize
>
> OK, but that doesn't change my objection to it. The net effect of your
> proposed solution is to remove any server-imposed size limit.
> Effectively this is the same as option #2 in your list, except you now
> have an unlimited maxpagesize.
>
> Stepping back a bit, let me say a few things about how other LDAP
> directories handle this, and maybe this will inspire what I'd think
> would be better solutions. First, a review of how AD handles size
> limits, then an example of another LDAP directory.
>
> So AD has many limits which together weave together into the overall
> picture. There's a server-side limit (called MaxPageSize), which by
> default is 1000. There's a second server-side limit which you might
> think about as an absolute maximum server-side limit (called
> MaxResultSetSize), which by default is 262144. I see that this latter
> limit hasn't been noted yet in the thread. There's also the possibility
> of a client side size limit which all depends on what the client sets
> it to be. AD imposes the lower of the client size limit or the server
> size limit unless the paging control is invoked. If the paging control
> is invoked, then it imposes the lower of the client size limit or the
> absolute maximum server-side limit but it pages the results back to the
> client. In other words, AD uses the paging control as a way for clients
> to get around a soft limit. But it still has a hard upper limit. As a
> side note, as far as I know AD is unique in this regard among LDAP
> directories; no other LDAP directories employ the paging control as a
> way to "get around" a server size limit. One of the annoying things
> here is that the term MaxPageSize is misleading--you don't have to be
> doing any paging to be subject to that size limit.
>
> Take openldap as another example. With OpenLDAP, there is a default
> server size limit. I think it's 500, if I recall correctly. As with all
> ldap clients there's also a client side size limit. Paging is not used
> as a way to circumvent the limit. Instead, you can set a different size
> limit on a per-user basis. So my authentication token might be given a
> server size limit of 150000, but everyone else is subject to the
> default of 500. Like AD, the net limit is the lower of the client side
> limit and the server side limit. If you used paging, it would just
> break that result set into smaller pieces, but it could not be used to
> circumvent any of the limits. This approach is extremely similar to how
> other LDAP directories handle size limits.
>
> I'm not sure I understand why Microsoft designed their size limit
> approach to be so different from every other LDAP directory on the
> planet. However, I also don't see that your proposed solution to the
> stated problem makes sense (it also doesn't address the
> MaxResultSetSize). I'd think a more sensible solution would be to
> propose that certain users could have a different size limit which
> overrode the MaxPageSize and possibly the MaxResultSetSize. Such a
> solution would be a minor change in architecture but I'd think it would
> be doable. Currently the way the size limits are set is via a
> queryPolicy object in the config partition. There's a default query
> policy object, but you can create additional ones. You'd do so, with
> the limits you'd want, but the missing pieces would be:
>
> a) being able to associate that policy object with a user object (this
> might require a schema change)
> b) having the AD code honor this new behavior
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
> > Sent: Tuesday, April 15, 2008 12:25 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > If this proposal is implemented, then no changes are required to client
> > apps. They don't need to pass any new controls.
> >
> > Here's the scenario:
> >
> > You have an old ldap app that does not know how to page.
> > Your domain grows, and the app stops working because it can only get
> > 1000 users max.
> >
> > What do you do? Currently, you only have two options:
> > 1. Try to fix the app.
> > 2. Increase MaxPageSize.
> >
> > 1 is often impossible. 2 is generally frowned upon (e.g. in this
> > thread). You are out of options!
> >
> > I am trying to propose a new option, that would allow to do paging at
> > server, while presenting the search results to the client as a regular
> > ldap search result.
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Brian Arkills
> > Sent: Tuesday, April 15, 2008 11:58 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Changing MaxPageSize
> >
> > I'm somewhat new to this list, but very familiar with both AD and LDAP
> > (see http://www.amazon.com/LDAP-Directories-Explained-Introduction-Independent/dp/020178792X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1208285140&sr=8-1).
> >
> > I don't understand the strategy of this proposal. Here's what I'm
> > hearing:
> >
> > -Client has software which doesn't support the LDAP paging control
> > that's been around for years and which is supported by lots of
> > ldap-based software.
> > -Instead of getting the software vendor to implement and support that
> > well-supported LDAP paging control, there's an idea that the client
> > would like Microsoft to implement a *new* LDAP control which
> > circumvents the maxpagesize that the server enforces on all LDAP search
> > requests.
> >
> > **If the software vendor won't support the well-known LDAP paging
> > control, how are you going to get them to support a brand-new LDAP
> > paging control?**
> >
> > Put another way, all LDAP searches of AD are currently subject to the
> > server-side maxpagesize limit (this is a common thing to do in LDAP
> > directories). There are many good reasons for such a limit to be in
> > place, so you have little to no chance of convincing Microsoft (or many
> > of us) that completely removing that limit is a good idea. So this
> > means you need an LDAP control extension to allow certain requestors to
> > circumvent that limit. But if you have such a control, then anyone can
> > call it which means you've lost the value of having a limit at all. So
> > then your control needs some authorization logic built into it.
> >
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > > owner@mail.activedir.org] On Behalf Of Joe Kaplan
> > > Sent: Tuesday, April 15, 2008 10:05 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Changing MaxPageSize
> > >
> > > I'll make sure this gets brought up during one of the chalk talks
> > > unless I
> > > happen to not be there, but if I can't, I'll ask someone else to
> > bring
> > > it
> > > up.
> > >
> > > We did just discuss AD/LDS on Vista. :)
> > >
> > > Joe K.
> > >
> > > ----- Original Message -----
> > > From: "Dmitri Gavrilov" <dmitrig@microsoft.com>
> > > To: <ActiveDir@mail.activedir.org>
> > > Sent: Tuesday, April 15, 2008 11:28 AM
> > > Subject: RE: [ActiveDir] Changing MaxPageSize
> > >
> > >
> > > Yes, something like this.
> > > Yes, it will consume server memory, while the search is being run.
> > But
> > > there's nothing new here - you can already do this today, if you
> > > request
> > > lots of large objects. We have proper controls (max output packet
> > size,
> > > max
> > > query duration, etc) to protect server.
> > >
> > > Yes, if client is paging, then we won't use this mechanism (double-
> > > paging
> > > looks scary to me). Client's page sizes would have to be under the
> > > "server
> > > maxPageSize" value.
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef
> Kazimer
> > > Sent: Tuesday, April 15, 2008 9:17 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Changing MaxPageSize
> > >
> > > Dmitri,
> > >
> > > So it would be like an intermediary buffer between the client and
> > > server,
> > > but on the server itself?
> > >
> > > Client -> Server -> Buffer using paging control queues up results ->
> > > Returns results to client in one stream ( ? )
> > >
> > > If paging is requested, then the server side buffer is not used?
> > > Would
> > > this consume a lot of memory space for the server with a large
> amount
> > > of
> > > searches to hold the results before returning to the client?
> > >
> > > I obviously don't know as much as I would like about how the
> control
> > > extension works, but I am curious.
> > >
> > > Thanks,
> > > Jef
> > >
> > >
> > >
> > >
> > >
> > > From: Dmitri Gavrilov<mailto:dmitrig@microsoft.com>
> > > Sent: Tuesday, April 15, 2008 11:07 AM
> > > To:
> ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
> > > Subject: RE: [ActiveDir] Changing MaxPageSize
> > >
> > > We would still respect paging requests, and continue working as
> > > previously.
> > >
> > > The only difference is that we will now *support* setting
> MaxPageSize
> > > to
> > > large values. Today, you cannot get more than 1000 entries in a
> > single
> > > search query. If we make this change, then you will be.
> > >
> > > In a sense, this functionality is supported today in ADSI. ADSI/S.DS
> > > hides paging from you. IIRC, you can set the pageSize parameter, but you
> > > still get the result as one continuous stream of entries. ADSI queries the
> > > server for you and fetches the next page when you run out of entries. My
> > > proposal is to enable similar functionality on the server.
> > >
> > > But we will, of course, continue supporting client-initiated paged
> > > searches,
> > > just like we do today.
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef
> Kazimer
> > > Sent: Tuesday, April 15, 2008 8:58 AM
> > > To: activedir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Changing MaxPageSize
> > >
> > > Dmitri,
> > >
> > > This sounds like it would kill any chance of a client who wants to do
> > > paging, no? What would happen if a client specified a page size on its
> > > own?
> > >
> > > It would still send a large result set to the client which could
> > > negatively
> > > affect the client as well.
> > >
> > >
> > >
> > > Jef Kazimer
> > > -------
> > > http://jeftek.com
> > > ________________________________
> > > From: dmitrig@microsoft.com
> > > To: ActiveDir@mail.activedir.org
> > > Date: Tue, 15 Apr 2008 08:47:04 -0700
> > > Subject: RE: [ActiveDir] Changing MaxPageSize
> > > Well, basically the proposal is what I briefly described below...
> > >
> > > We would build a paging mechanism in LDAP head on the server. Then,
> > we
> > > would
> > > support setting MaxPageSize policy to ridiculously large
> (practically
> > > unlimited) values, and instead do paging at the server side (using
> > some
> > > internally configured "server" page size). Each page would be
> > computed
> > > in a
> > > separate transaction, but then all results would be packaged and
> sent
> > > to the
> > > client as a single response. Then the practical limit would be the
> > max
> > > packet size (10Mb by default).
> > >
> > > What this achieves:
> > > * Downlevel apps that don't support paging can continue
> > > working.
> > > * Server is not getting killed by long-running
> transactions.
> > >
> > > The downside:
> > > * Paging is now hidden from the app, but we are still
> paging.
> > > This
> > > means all the bad transactional properties of paging are now sort
> of
> > > hidden
> > > from the app: entries might be missed or reported multiple times
> (in
> > > case
> > > they are moved or modified between page requests). There's nothing
> > new
> > > here - you can get this today, when paging. But now, we hide it at
> > > server
> > > side, which makes it less apparent to apps.
> > >
> > > I'll be at PG dinner today, we can chat about it.
> > >
> > > Dmitri
> > >
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef
> Kazimer
> > > Sent: Tuesday, April 15, 2008 8:29 AM
> > > To: activedir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Changing MaxPageSize
> > >
> > > Dmitri,
> > >
> > > Can you point me in the direction of what this proposal is? Can
> you
> > > provide a summary for all those here?
> > >
> > > When you say "hidden", how do you mean?
> > >
> > > Jef
> > >
> > > Jef Kazimer
> > > -------
> > > http://jeftek.com
> > > ________________________________
> > > From: dmitrig@microsoft.com
> > > To: ActiveDir@mail.activedir.org
> > > Date: Tue, 15 Apr 2008 08:15:57 -0700
> > > Subject: RE: [ActiveDir] Changing MaxPageSize
> > > This serves as a very appropriate and timely reminder for my
> earlier
> > > post:
> > >
> > > Those of you that are coming to MVP summit: I implore you to push
> AD
> > > team to
> > > finally fix this one. There was a good proposal on the table... If
> > they
> > > do
> > > it, then the paging can be hidden at the server side (basically, AD
> > > devs do
> > > it once, instead of pushing app devs to do it many times in their
> > > apps).
> > > Those of you with strong influence on MSFT (meaning you are
> wielding
> > > large
> > > customers), you can do this too. Then this age-long question will
> be
> > > finally
> > > put to rest.
> > >
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David
> Cliffe
> > > Sent: Tuesday, April 15, 2008 8:06 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Changing MaxPageSize
> > >
> > > Nothing new here. My client has one application which cannot
> utilize
> > > paging, so we dedicated a DC for it and defined a custom query
> policy
> > > which
> > > applies only to that DC. Also it is configured not to register any
> > SRV
> > > records [except for GUID ldap name and CNAME (replication with
> other
> > > DCs)],
> > > and runs no other apps/services, so I've tried to limit its client
> > > facing
> > > activity as much as possible. They were willing to dedicate the
> h/w
> > > and
> > > understand the implications, which was good enough for me. I don't
> > > miss a
> > > chance to tell them how bad it is and how easy would be to overcome
> > the
> > > risk - they usually come back with "it won't be for that much
> > longer".
> > > It's
> > > been 7 years now LOL (the good news is it honestly has not
> caused
> > a
> > > problem on that DC to date).
> > >
> > > -DaveC
> > >
> > > ________________________________
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jef
> Kazimer
> > > Sent: Tuesday, April 15, 2008 10:39 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Changing MaxPageSize
> > > Hi All,
> > >
> > > yesterday I had stumbled upon a blog post suggesting to resolve the
> > > 1,000
> > > result limit when querying AD, one should increase the MaxPageSize
> > > value.
> > > I personally think this is a bad idea, but in response, they asked
> > how
> > > one
> > > can achieve the results without changing maxPageSize.
> > >
> > > So I wrote up what I thought could be done here:
> > > http://jeftek.com/iam/activedirectory/avoid-changing-the-maxpagesize-ldap-query-policy/
> > >
> > > Essentially the only ways I could think of would be to utilize the
> > > Paging
> > > LDAP control, but if the application doesn't support that, I also
> > > suggested
> > > creating tighter, more exacting queries. If you have to change
> > > maxPageSize
> > > (and all the issues that go with it), do so on an isolated DC
> > > specifically
> > > for the application if it was that critical.
> > >
> > > Are there any other ways people have used to achieve this when the
> > > application is incapable of paging, and they won't budge?
> > >
> > > Thanks,
> > >
> > > Jef
> > >
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
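The thread mentions both raising MaxPageSize and a custom query policy that applies to a single dedicated DC. The following added example (not code from any poster on this list) audits an LDIF export of the configuration partition for DCs whose assigned policy exceeds the defaults quoted in the thread. It assumes the `lDAPAdminLimits` attribute on queryPolicy objects and a `queryPolicyObject` reference on a DC's NTDS Settings object, does not model site-level policy assignment, and uses constructed DNs and names throughout.

```python
# Defaults as quoted in the thread above.
DEFAULTS = {"MaxPageSize": 1000, "MaxResultSetSize": 262144}
# Constructed sample input: every DN, server and policy name is made up.
QP = ("CN=Query-Policies,CN=Directory Service,CN=Windows NT,"
      "CN=Services,CN=Configuration,DC=example,DC=test")
SRV = "CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=test"
SAMPLE_LDIF = f"""\
dn: CN=Default Query Policy,{QP}
objectClass: queryPolicy
lDAPAdminLimits: MaxPageSize=1000
lDAPAdminLimits: MaxResultSetSize=262144

dn: CN=LegacyApp Policy,{QP}
objectClass: queryPolicy
lDAPAdminLimits: MaxPageSize=50000
lDAPAdminLimits: MaxQueryDuration=120

dn: CN=NTDS Settings,CN=DC01,{SRV}
objectClass: nTDSDSA

dn: CN=NTDS Settings,CN=DC-LEGACY,{SRV}
objectClass: nTDSDSA
queryPolicyObject: CN=LegacyApp Policy,
 {QP}
"""

def parse_ldif(text):
    """Return one {attr_lower: [values]} dict per record (no base64 support)."""
    records, current, unfolded = [], {}, []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF continuation line
        else:
            unfolded.append(line)
    for line in unfolded + [""]:              # trailing "" flushes last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#") and ": " in line:
            attr, value = line.split(": ", 1)
            current.setdefault(attr.lower(), []).append(value.strip())
    return records

def parse_limits(values):
    """Turn ['MaxPageSize=1000', ...] into {'MaxPageSize': 1000, ...}."""
    pairs = (v.partition("=") for v in values)
    return {n.strip(): int(x) for n, _, x in pairs if x.strip().isdigit()}

def audit(text):
    """List (server, policy, limit, value) where a DC's policy exceeds a default."""
    records = parse_ldif(text)
    has_class = lambda r, c: c in [v.lower() for v in r.get("objectclass", [])]
    policies = {r["dn"][0].lower(): parse_limits(r.get("ldapadminlimits", []))
                for r in records if has_class(r, "querypolicy")}
    default_dn = next((dn for dn in policies
                       if dn.startswith("cn=default query policy,")), None)
    findings = []
    for r in (x for x in records if has_class(x, "ntdsdsa")):
        # Assumption: no per-DC reference means the default policy applies.
        ref = r.get("querypolicyobject", [default_dn])[0]
        limits = policies.get((ref or "").lower(), {})
        server = r["dn"][0].split(",")[1][3:]   # CN of the parent server object
        for name, default in DEFAULTS.items():
            # Assumption: a limit the policy does not set stays at its default.
            if limits.get(name, default) > default:
                findings.append((server, ref.split(",")[0][3:], name, limits[name]))
    return findings
```

Each finding names a DC that serves larger unpaged result sets than the default allows, which is the exposure the thread argues should be confined to an isolated, dedicated DC.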