
Netscape LDAP API to get the Maxpagesize from Microsoft AD


Microsoft AD has a maxpagesize property, which is used to return the max records per page from the directory to the client. So if we want to fetch more records (than configured in maxpagesize) from Microsoft AD, we need to do pagination.

To achieve this, we want to read the value of maxpagesize at the client side through the Netscape API. Could you please help us with this? Is it really possible? Otherwise we need to configure the page size at the UI.

Thanks, Hrushi


Solution

  • The MaxPageSize is part of the LDAP policy in Active Directory, and since Windows Server 2008 R2 or Windows Server 2008 domain controllers, the hardcoded limits dictate MaxPageSize=20,000 and MaxValRange=5,000.

    The value can be read from:

    dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=example,DC=com
    

    But real life is never that simple.

    LDAP policies are specified using the lDAPAdminLimits attribute. The lDAPAdminLimits attribute of a queryPolicy object is a multivalued string where each string value encodes a name-value pair. In the encoding, the name and value are separated by an "=". For example, the encoding of the name "MaxActiveQueries" with value "0" is "MaxActiveQueries=0". Each name is the name of an LDAP policy, and the value is a value of that policy.

    There can be multiple queryPolicy objects in a forest. A DC determines the queryPolicy object that contains its policies according to the following logic:

    • If the queryPolicyObject attribute is present on the DC's nTDSDSA object, the DC uses the queryPolicy object referenced by it.

    • Otherwise, if the queryPolicyObject attribute is present on the nTDSSiteSettings object for the site to which the DC belongs, the DC uses the queryPolicy object referenced by it.

    • Otherwise, the DC uses the queryPolicy object whose DN is "CN=Default Query Policy,CN=Query-Policies" relative to the nTDSService object (for example, "CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services" relative to the root of the config NC).

    And finally, MaxPageSize in Windows Server 2008 and Windows Server 2008 R2 (and I assume later) has a hardcoded limit which overrides the LDAP policy setting in Active Directory when the policy value should be higher.
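
The lookup order and the lDAPAdminLimits encoding described in the answer above, as an added example that is not part of the original answer and is not Netscape SDK code. It works on a constructed in-memory directory instead of a live LDAP connection; the DC, site and "Site Policy" names and all limit values are made up, and matching policy names case-insensitively is an assumption.

```python
# Constructed sample data: DNs and limit values below are made up for illustration.
CONFIG_NC = "CN=Configuration,DC=mad,DC=example,DC=com"
POLICIES = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services," + CONFIG_NC
DEFAULT_POLICY = "CN=Default Query Policy," + POLICIES
SITE_POLICY = "CN=Site Policy," + POLICIES  # hypothetical extra queryPolicy object
DSA = "CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,CN=Sites," + CONFIG_NC
SITE_SETTINGS = "CN=NTDS Site Settings,CN=HQ,CN=Sites," + CONFIG_NC

DIRECTORY = {  # DN -> attributes, as a base-scope LDAP read would return them
    DSA: {},   # no queryPolicyObject on the DC's nTDSDSA object
    SITE_SETTINGS: {"queryPolicyObject": [SITE_POLICY]},
    SITE_POLICY: {"lDAPAdminLimits": ["MaxPageSize=50000", "MaxActiveQueries=0"]},
    DEFAULT_POLICY: {"lDAPAdminLimits": ["MaxPageSize=1000", "MaxValRange=1500"]},
}
HARDCODED_MAX_PAGE_SIZE = 20000  # hardcoded limit quoted in the answer


def parse_admin_limits(values):
    """Turn multivalued "Name=Value" strings into {lowercased name: int}."""
    limits = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        if sep and value.strip().isdigit():  # skip malformed or non-numeric values
            limits[name.strip().lower()] = int(value)
    return limits


def effective_policy_dn(directory, dsa_dn, site_settings_dn, default_dn):
    """nTDSDSA reference first, then nTDSSiteSettings, else the default policy."""
    for dn in (dsa_dn, site_settings_dn):
        ref = directory.get(dn, {}).get("queryPolicyObject")
        if ref:
            return ref[0]
    return default_dn


def effective_max_page_size(directory, dsa_dn, site_settings_dn, default_dn):
    """Return the page size the DC would enforce, or None if the policy has none."""
    policy = effective_policy_dn(directory, dsa_dn, site_settings_dn, default_dn)
    limits = parse_admin_limits(directory.get(policy, {}).get("lDAPAdminLimits", []))
    configured = limits.get("maxpagesize")
    if configured is None:
        return None
    return min(configured, HARDCODED_MAX_PAGE_SIZE)
```

With a real client, the three reads become base-scope searches for queryPolicyObject and lDAPAdminLimits on the same DNs, and the account used needs read access to the configuration naming context.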