LDAP Active Directory list users

Stemon63 · 2023-09-06 15:09:07

Hi,
I have used this code for extract a list of users of an Active Directory.
Congratulations, really fast!
But it return only the first 1000 elements, while the users are 16000.
What am I doing wrong? Or is there a preset limit?

Thanks in advance!

with TLdapClient.Create do
  try
      if BindSaslKerberos then
            memo1.Lines.Add(' authenticated via Kerberos');
      //Search(WellKnownObjects.Users, false, '', []);
      tmpBaseDN := 'OU=GroupA1,DC=dmlocaltest,DC=com';
      Search(tmpBaseDN, false, '', []);
      memo1.Lines.Add(SearchResult.Dump);
  finally
      Free;
  end;

Last edited by Stemon63 (2023-09-06 15:09:29)

ab · 2023-09-06 15:30:39

I guess you need to use paging, i.e. ask for more results with additional calls.

Stemon63 · 2023-09-06 16:44:32

Ok, Ab.
There is anny little example of a paging ? Thanks in advance!

(I take advantage: in function TLdapClient.GetUserInfo(const AN, DN, UPN: RawUtf8;
out Info: TLdapUser; const BaseDN: RawUtf8; WithMemberOf: boolean;
const CustomAttributes: TRawUtf8DynArray): boolean;

Param UPN Declared but never used)

Thanks a lot :-)

ab · 2023-09-07 06:51:59

You should set SearchPageSize to a number of items per chunk.
Then call Search() again until it is eventually empty.
And don't forget to reset SearchCookie to '' for the next query. And SearchPageSize back to 0 to disable paging.

I have added the new TLdapClient.SearchBegin/SearchEnd wrapper methods, which may help.
See https://github.com/synopse/mORMot2/commit/6b496795

About the UPN, see https://github.com/synopse/mORMot2/commit/bef7b085

Stemon63 · 2023-09-11 10:46:14

Hi Ab.
Thanks, It works.
Although it took some time to understand that it was the cookie that should return empty :-)
However I take advantage of a small oversight: in .GetUserInfo, .userPrincipalName is always empty in out Info: LdapUser.
Thanks a lot for help :-)

vs · 2023-11-19 12:59:49

Hi Ab.

The call

TLdapClient.GetGroupInfo('', vBaseDN, vLdapGroup, '', True);

Successfully returns the corresponding group (vLdapGroup) with N members.
One of the member from this group has DN returned by vLdapGroup.member[k] kind of 'CN=Super User,OU=1\+2 MEDIA,OU=Domain Users,DC=1plus2,DC=corp';

To determine sAMAccountName for this user, the next call

TLdapClient.GetUserInfo('', vLdapGroup.member[k], '', vLdapUser);

returns an error
Invalid input name: CN=Super User,OU=1\+2 MEDIA,OU=Domain Users,DC=1plus2,DC=corp

If I remove \ before +, then such a user does not exist.
The actual name of this OU is "1+2 Media" without quotes.

How to correctly call a TLdapClient.GetUserInfo with such a parameter?

In continuation of our conversation, this is not a problem of non ASCII characters, rather this is a problem of special characters for AD.

Thanks a lot.

ab · 2023-11-20 08:35:47

The current code refuses to create such requests, IIRC.
This was made on purpose to avoid injection.

I will look into it.

ab · 2023-11-20 16:09:58

Please try https://github.com/synopse/mORMot2/commit/5a61008e

I was not able to find an AD to reproduce your problem, but at least it should pass the right parameter, and I was able to use escaped chars in the DN value on Samba.

Which kind of AD is it using? (MS/Samba?)

vs · 2023-11-20 20:12:13

It is MS.
I tried it, but unfortunately parameter passes, but TLdapClient.GetUserInfo returns false.
I.e. Search returns true but SearchResult.Count = 0.

ab · 2023-11-20 20:32:14

Did you try both OU=1\+2 MEDIA and OU=1+2 MEDIA content?

Can you enable the application console, and define a ASNDEBUG conditional and report the output to the console during the search?

vs · 2023-11-20 21:14:11

ab wrote:

Did you try both OU=1\+2 MEDIA and OU=1+2 MEDIA content?

Yes. Same results.

ab wrote:

Can you enable the application console, and define a ASNDEBUG conditional and report the output to the console during the search?

Sorry. I do not have permission to publish the log of communication with the corporate AD server. Can I send the log to your email address?

ab · 2023-11-21 07:25:25

Yes, you can send it to me by email.

vs · 2024-01-05 14:50:51

Hi Ab.
Was the log I sent useful?

ab · 2024-01-05 15:13:50

Sorry for the non-response.

I remember having looked at the issue, but I don't remember if I succeeded into fixing it.
Could you try with the last version of mORMot?

vs · 2024-01-05 17:30:24

For today's commit, "2.2.6617" works fine. Thank you!
But strangely, I followed https://github.com/synopse/mORMot2/commits/master every day and did not see any changes regarding this issue.
Probably I was inattentive and missed it))))
That's why I decided to bother you today.

mORMot Open Source

#1 2023-09-06 15:09:07

LDAP Active Directory list users

#2 2023-09-06 15:30:39

Re: LDAP Active Directory list users

#3 2023-09-06 16:44:32

Re: LDAP Active Directory list users

#4 2023-09-07 06:51:59

Re: LDAP Active Directory list users

#5 2023-09-11 10:46:14

Re: LDAP Active Directory list users

#6 2023-11-19 12:59:49

Re: LDAP Active Directory list users

#7 2023-11-20 08:35:47

Re: LDAP Active Directory list users

#8 2023-11-20 16:09:58

Re: LDAP Active Directory list users

#9 2023-11-20 20:12:13

Re: LDAP Active Directory list users

#10 2023-11-20 20:32:14

Re: LDAP Active Directory list users

#11 2023-11-20 21:14:11

Re: LDAP Active Directory list users

#12 2023-11-21 07:25:25

Re: LDAP Active Directory list users

#13 2024-01-05 14:50:51

Re: LDAP Active Directory list users

#14 2024-01-05 15:13:50

Re: LDAP Active Directory list users

#15 2024-01-05 17:30:24

Re: LDAP Active Directory list users

Board footer