- ADAM: restrict the number of entries returned by a search operation
- Posted by francois reichenbach on December 31st, 2003
Hello,
Current solution (on iPlanet):
For now we use iPlanet. We have to limit the number of entries an anonymous
user can obtain in one search operation to 10 entries.
This is done with the "sizelimit" parameter set to 10 in the iPlanet slapd.conf.
The scope is at instance level and applies to all users (except "directory
manager" and some internal users).
Best match on ADAM (based on a study of adam.chm):
Instead of 10 entries, define an estimated number of bytes.
Enter this value (using the ADAM command-line tool DSMGMT) in the "LDAP Policy"
MaxResultSetSize,
in fact the "LDAPAdminLimits" multivalued attribute of the "Default Query
Policy".
We have set MaxResultSetSize to a ridiculously low value of 20 bytes to check.
Nothing has been modified in the area of policies since the installation of
ADAM.
Q1: The "Default Query Policy" with MaxResultSetSize limited to 20 seems not to
be applied to an ADAM user registered as "Reader" making a search.
Is there a step missing to make this policy work?
Q2: Can somebody think of a more accurate solution for limiting the
number of entries per search?
Q3: Is there a way to reduce the scope of the policy to a subset of the
directory?
If not, this will require a separate replica of the subset on a
different instance for our anonymous users (limited in MaxResultSetSize).
Thanks for any suggestion.
Regards
- Posted by Dmitri Gavrilov [MSFT] on January 3rd, 2004
LDAP policies apply to both ADAM and Windows users. Although I think they
don't apply to admins. Is your ADAM user an admin also?
The policy you need to set is MaxPageSize. This will affect both paged and
non-paged searches.
--
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
- Posted by francois reichenbach on January 5th, 2004
MaxPageSize is restricting the number of entries returned. Thank you
very much for your support.
Now that I have the restriction set, I need to allow some users full
access to the whole dataset,
at least as admin, to run ldifde.
I have created users in ADAM and also created userProxy users for our Windows
domain.
These users have been added in the member attribute
of "CN=Administrators,CN=Roles,DC=xxxx,DC=yy" {where dc=xxxx,dc=yy is the
partition name}.
I can successfully bind with these users, but the number of entries is now
restricted to the value set at MaxPageSize.
Do I miss some other steps?
Thank you for your help.
Francois Reichenbach
- Posted by Dmitri Gavrilov [MSFT] on January 5th, 2004
Sorry, you cannot set up a per-group policy here. MaxPageSize applies to all
users... You could temporarily disable the restrictions when you need to do
large searches.
--
Dmitri Gavrilov
SDE, Active Directory Core
- Posted by Dmitri Gavrilov [MSFT] on January 5th, 2004
BTW, why are you trying to limit the number of entries returned? To protect
the server from DoS attacks? Keep in mind that just limiting the size of the
search does not really protect the server's resources. For example,
an anonymous user could request the result set to be sorted on a non-indexed
attribute. In this case, we would build the complete result set in a temp
table before returning anything to the user. At the same time, there are
policies restricting the size of temp tables, how long a query can run and
such.
--
Dmitri Gavrilov
SDE, Active Directory Core
- Posted by francois reichenbach on January 6th, 2004
Hello,
I made some tests using the tools delivered with ADAM:
1. LDP
   is restricted by the MaxPageSize value, even when the user is the domain
   administrator.
2. ADSIEdit (ADAM release)
   is not restricted by the MaxPageSize value (using the current user on the
   server, in fact the domain administrator).
3. LDIFDE (ADAM release)
   seems not to be restricted by the MaxPageSize value, as long as the "-g"
   (disable paged search) parameter is not used.
It seems possible to be an exception.
It would be very nice to know how.
Thank you for any help.
Best regards
- Posted by francois reichenbach on January 6th, 2004
Hello Dmitri,
This kind of limiting strategy is a real legacy.
You are perfectly right.
I am trying to get that modified.
I make no bets on its success.
Thanks for the advice.
Best regards.
- Posted by Dmitri Gavrilov [MSFT] on January 6th, 2004
MaxPageSize applies to both paged and non-paged searches. Each search
operation returns at most MaxPageSize entries.
Maybe you did not correctly set the string value of LDAPAdminLimits? There
is a delay before the policy takes effect after the value is set, but this
does not seem to be the problem. If their paged search result is restricted
by the new MaxPageSize, then it will apply to other searches as well.
--
Dmitri Gavrilov
SDE, Active Directory Core
- Posted by Dmitri Gavrilov [MSFT] on January 6th, 2004
Something was just made clear to me: when you do a paged search, you will
not necessarily get the exact page size that you requested (1000 or whatever).
You will get several entries and a cookie. When you continue the paged
search, you will restart from the point where you left off.
So, when MaxPageSize is set and you do a paged search, you get at most
MaxPageSize per request, but you can still retrieve the whole result set if
you call get_next_page enough times.
This explains 2 and 3: ADSIEdit uses paged searches, and so does LDIFDE
without -g.
--
Dmitri Gavrilov
SDE, Active Directory Core
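The two points Dmitri makes in this thread, that MaxPageSize caps each request but a paged client simply asks again with the cookie until the result set is exhausted, and that a sort on a non-indexed attribute makes the server materialise the whole match set before the first entry leaves regardless of MaxPageSize, are easier to see in a small model than in prose. The following Python is an added illustration written for this page; it is not ADAM or Active Directory code and not something either poster wrote. It assumes the "Name=Number" string shape of lDAPAdminLimits values, a stand-in default set of limit names (MaxPageSize, MaxTempTableSize, MaxResultSetSize; the default numbers are assumptions), that a non-paged search over the cap is cut off at MaxPageSize as the thread describes, and that MaxTempTableSize is the policy that bounds the unindexed-sort case (Dmitri only says "policies restricting the size of temp tables"). Sample entries are constructed inline.

```python
"""Model of how an ADAM/AD LDAP policy (lDAPAdminLimits on the Default Query
Policy) bounds a search, and how a paged-search client walks past it.
Constructed illustration for this thread, not Microsoft's server code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed defaults, in the shape of real lDAPAdminLimits values ("Name=Number").
DEFAULT_LIMITS = {"MaxPageSize": 1000, "MaxTempTableSize": 10000,
                  "MaxResultSetSize": 262144}


class AdminLimitExceeded(Exception):
    """Raised when a search would exceed a policy limit before returning data."""


def parse_admin_limits(values: List[str]) -> Dict[str, int]:
    """Parse lDAPAdminLimits strings such as 'MaxPageSize=10' over the defaults.
    A value not of the form Name=<integer> is rejected loudly: a mistyped
    value would otherwise leave the default silently in force."""
    limits = dict(DEFAULT_LIMITS)
    for raw in values:
        name, sep, num = raw.partition("=")
        name, num = name.strip(), num.strip()
        if not sep or not name or not num.isdigit():
            raise ValueError(f"malformed lDAPAdminLimits value: {raw!r}")
        limits[name] = int(num)
    return limits


@dataclass
class SearchResult:
    entries: List[dict]
    cookie: int        # 0 means "no more pages" (real cookies are opaque bytes)
    truncated: bool    # non-paged search was cut at MaxPageSize
    temp_rows: int     # rows the server materialised before answering


class ModelServer:
    """Applies MaxPageSize to every search, paged or not, whoever binds."""

    def __init__(self, entries: List[dict], admin_limits: List[str],
                 indexed=("cn", "objectClass")):
        self.entries = list(entries)
        self.limits = parse_admin_limits(admin_limits)
        self.indexed = set(indexed)

    def search(self, match: Callable[[dict], bool],
               page_size: Optional[int] = None, cookie: int = 0,
               sort_attr: Optional[str] = None) -> SearchResult:
        matches = [e for e in self.entries if match(e)]
        temp_rows = 0
        if sort_attr and sort_attr not in self.indexed:
            # Sorting on an unindexed attribute forces the whole match set into
            # a temp table before the first entry goes out. MaxTempTableSize
            # (assumed name), not MaxPageSize, is what bounds that work.
            temp_rows = len(matches)
            if temp_rows > self.limits["MaxTempTableSize"]:
                raise AdminLimitExceeded(
                    f"{temp_rows} rows > MaxTempTableSize="
                    f"{self.limits['MaxTempTableSize']}")
            matches.sort(key=lambda e: e.get(sort_attr, ""))
        cap = self.limits["MaxPageSize"]
        if page_size is None:
            # Non-paged: one page of at most MaxPageSize entries, then the
            # operation ends (what LDP and 'ldifde -g' see).
            return SearchResult(matches[:cap], 0, len(matches) > cap, temp_rows)
        step = min(page_size, cap)      # server never exceeds its own cap
        chunk = matches[cookie:cookie + step]
        next_cookie = cookie + step if cookie + step < len(matches) else 0
        return SearchResult(chunk, next_cookie, False, temp_rows)


def paged_search_all(server: ModelServer, match: Callable[[dict], bool],
                     page_size: int = 1000, sort_attr: Optional[str] = None):
    """Client side of the paged-results control (ADSIEdit, ldifde without -g):
    resend with the returned cookie until it comes back empty.
    Returns (entries, number_of_requests)."""
    entries: List[dict] = []
    cookie, requests = 0, 0
    while True:
        res = server.search(match, page_size=page_size, cookie=cookie,
                            sort_attr=sort_attr)
        entries.extend(res.entries)
        requests += 1
        if res.cookie == 0:
            return entries, requests


def demo_directory(n: int = 25) -> List[dict]:
    """Constructed sample entries standing in for an ADAM partition."""
    return [{"cn": f"user{i:02d}", "objectClass": "user",
             "description": f"dept-{i % 4}"} for i in range(n)]


if __name__ == "__main__":
    srv = ModelServer(demo_directory(), ["MaxPageSize=10", "MaxTempTableSize=20"])
    everyone = lambda e: e["objectClass"] == "user"
    print("non-paged:", len(srv.search(everyone).entries), "entries, truncated")
    got, reqs = paged_search_all(srv, everyone)
    print("paged:", len(got), "entries in", reqs, "requests")
```

With MaxPageSize=10 over 25 entries the non-paged search stops at 10, while the paged client gets all 25 in three requests, which is exactly the ADSIEdit/LDIFDE behaviour Francois observed. The sort case shows why the limit is a poor DoS control: the server does the full 25-row sort (or refuses it on the temp-table cap) before MaxPageSize is even consulted.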