Is there a switch or special sauce for vastool to get past the LDAP query limit?

Querying in AD via Microsoft tools - we can override the pagesize and return tens of thousands of results over the 1000 default LDAP limit.

Is there a way in vastool or its environment variables to specify permission to exceed the default - as with the Microsoft Windows tools?

/opt/quest/bin/vastool -u host/ list -l users -pagesize 'aGazillion'

  • Hello,

    Page size hasn't really ever been a factor for our list -l command. For example in a lab with a large AD population I can return just this. 

    # /opt/quest/bin/vastool -u host/ list -l users | wc -l

    69572

    So there should not be an override required at all.

    Leigh Grant


  • Thanks for the response!  
    I sought clarification of the original question from the admin that brought it to my attention.

    This was a question posed by a Unix dev indicating that they perform a group membership query to determine if a user is a member of a group. They indicated that, using vastool, they are unable to get accurate results when the queried AD group membership exceeds 4000 members. I posed this question without immediate access to an *x host … but I'll push back to that dev and do my own validation today... as someone took pity and provided me access to a corporate Unix box for this work.

      … without testing a solution, my response to the customer was to query the user memberOf property rather than the group member property to determine a match… I've not heard back if that resolved their issue.

  • There are AD limitations around group member, that is 100% true. It's posed some interesting challenges for us to make sure we get full accurate counts in our cache. As for just getting a list, I wonder if the script detailed in this KB article might help?

    https://support.oneidentity.com/authentication-services/kb/66198

    The script defaults to using /bin/ksh in the shebang and I had to change it to /bin/sh for my setup but that seemed to work fine. 

    Leigh Grant
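
Added example, not part of the thread and not One Identity's code: assuming the group-member limitation mentioned above is Active Directory's ranged retrieval of large multi-valued attributes, this Python example shows why a single read of `member` can come back short and how a client pages through `member;range=N-*` to get the full list. The `search` callable, `make_fake_ad`, its chunk size and the sample DNs are constructed for illustration.

```python
import re

# AD tags a partial multi-valued attribute as "member;range=0-1499";
# the final chunk ends in "*", e.g. "member;range=3000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)

def parse_ranged(entry, attr):
    """Return (values, next_start); next_start is None on the last chunk."""
    for name, values in entry.items():
        m = RANGE_RE.match(name)
        if m and m.group("attr").lower() == attr.lower():
            hi = m.group("hi")
            return list(values), (None if hi == "*" else int(hi) + 1)
    # No ranged form present: the plain attribute holds everything.
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return list(values), None
    return [], None

def fetch_all_values(search, dn, attr="member"):
    """Re-read attr with ';range=N-*' until the server marks the last chunk."""
    values, requested = [], attr
    while True:
        chunk, start = parse_ranged(search(dn, requested), attr)
        values.extend(chunk)
        if start is None:
            return values
        requested = f"{attr};range={start}-*"

def make_fake_ad(members, chunk_size=1500):
    """Constructed stand-in for a directory server (chunk_size is assumed)."""
    def search(dn, requested):
        m = RANGE_RE.match(requested)
        lo = int(m.group("lo")) if m else 0
        if not m and len(members) <= chunk_size:
            return {"member": list(members)}
        chunk = members[lo:lo + chunk_size]
        hi = "*" if lo + chunk_size >= len(members) else str(lo + len(chunk) - 1)
        entry = {f"member;range={lo}-{hi}": chunk}
        if not m:
            entry["member"] = []  # modelled: plain attribute comes back empty
        return entry
    return search

if __name__ == "__main__":
    # Constructed sample data: a 4200-member group.
    group = [f"CN=user{i:05d},OU=People,DC=example,DC=test" for i in range(4200)]
    search = make_fake_ad(group)
    print("plain read:", len(search("CN=big", "member")["member"]))
    print("ranged read:", len(fetch_all_values(search, "CN=big")))
```

With a real LDAP client, `search` would be a base-scope read of the group entry that requests the given attribute description and returns the entry's attributes as a dictionary.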
