Insight - Maximum attribute limit?

MarkAustinP September 12, 2019

Hello,

I am currently using LDAP import to populate Active Directory groups as well as the user membership of each group.  It works great on the first ~7xxx groups except for ~74 groups that do not list ANY members even though I know the membership count to be over ~1500.  I am unable to find any documentation on why this would be happening.  Might you be able to help?

You can see in the attached image that this group (one of the offending ones) has inbound references on the right. This is 1591 user objects that list this group as 'memberof'. But these particular problem groups will NOT sync the membership of users.

Just to specify, this is NOT because of an issue with the selector in the LDAP sync. As I said, there are ~7000 groups that sync just fine and list the members according to my IQL. I have also checked for other possible issues like the distinguished name being too long for the 'text' attribute type, which would stop them from querying properly. That is not a problem, as nothing goes over 100 characters. This just seems to be some arbitrary limit on the LDAP sync, as this group (and 73 other groups that have over ~1500 user members) is unable to populate membership.

Thanks a bunch!

[attachment: image.png]

Here is an example of a working group:

[attachment: image.png]

1 answer

0 votes
MarkAustinP October 20, 2019

After looking into this issue again, it seems the LDAP query that feeds the import is most likely running into the default LDAP max page limit defined within Active Directory.  That default value is either 1000 or 1500 depending on the AD schema level.

While the page size can be altered on domain controller(s), it is generally not recommended by Microsoft as it can adversely affect other Active Directory operations and/or other apps that rely on timeouts and expected default limits.

With that said, it's sad to say I'll be stuck rolling my own working query outside of Insight, having to query thousands of object records just to match up SamAccountNames with Insight record keys, and then import the data explicitly.

What SHOULD be happening here with the Insight LDAP query is the use of ranges. For example - query is over 1000 error? Okay, take 0-999, store, take 1000-1999, store, etc. until there are no more records.

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval?redirectedfrom=MSDN
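Added example, not code from the post or from Insight: the range-retrieval loop the answer describes, written in Python and run against a constructed stand-in for a domain controller. Active Directory caps the number of values of one multi-valued attribute it returns in a single search at the MaxValRange LDAP policy (1500 by default on current schema levels). When a group's member attribute exceeds that, the first 1500 values come back under the name member;range=0-1499 rather than member, so a client that only reads the plain member attribute sees an empty group, which matches the symptom in the question. The fix is to ask for member;range=N-* repeatedly, advancing N past the upper bound of each chunk, until the server answers with range=N-*. Everything below is constructed for the example: the group and user DNs, the sample directory, and make_fake_ad_search, which imitates the MaxValRange behaviour. fetch_all_values is the reusable part; it takes any search callable of the shape (dn, attribute list) -> {attribute name as labelled by the server: values}, so using it against real AD means wrapping your LDAP client's base-scope search of a single DN in that shape.

```python
"""Range retrieval for an oversized multi-valued LDAP attribute such as an AD group's 'member'."""
import re
from typing import Callable, Dict, List

# AD names each chunk after the window it covers: "member;range=0-1499", then "member;range=1500-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.IGNORECASE)

# A search callable does a base-scope search of one DN for the listed attributes and returns
# {attribute name as the server labelled it: values}. Wrap your real LDAP client in this shape.
SearchFn = Callable[[str, List[str]], Dict[str, List[str]]]


def fetch_all_values(search: SearchFn, dn: str, attr: str, max_rounds: int = 100000) -> List[str]:
    """Collect every value of attr on dn by asking for range=low-* windows until the server answers '*'."""
    values: List[str] = []
    low = 0
    for _ in range(max_rounds):  # hard bound so a misbehaving server cannot keep us looping
        result = search(dn, [f"{attr};range={low}-*"])
        ranged = None
        for name, vals in result.items():
            if name.lower() == attr.lower():
                # Server ignored the range option and returned the whole attribute (non-AD servers do this).
                return values + list(vals)
            m = RANGE_RE.match(name)
            if m and m.group("attr").lower() == attr.lower():
                ranged = (m, list(vals))
        if ranged is None:
            return values  # attribute absent or empty on this entry
        m, vals = ranged
        values.extend(vals)
        if m.group("high") == "*":
            return values  # '*' marks the final chunk
        low = int(m.group("high")) + 1  # next window starts right after the last value received
    raise RuntimeError(f"range retrieval of {attr} on {dn} did not terminate")


def naive_member_count(search: SearchFn, dn: str) -> int:
    """What a client that only looks for a plain 'member' attribute sees: the symptom from the question."""
    return len(search(dn, ["member"]).get("member", []))


def make_fake_ad_search(directory: Dict[str, Dict[str, List[str]]], max_val_range: int = 1500) -> SearchFn:
    """Constructed stand-in for a domain controller enforcing MaxValRange (AD default 1500)."""
    def search(dn: str, attrs: List[str]) -> Dict[str, List[str]]:
        entry = directory.get(dn, {})
        out: Dict[str, List[str]] = {}
        for requested in attrs:
            m = RANGE_RE.match(requested)
            base = m.group("attr") if m else requested
            vals = entry.get(base, [])
            if not vals:
                continue  # AD omits absent/empty attributes entirely
            if m is None and len(vals) <= max_val_range:
                out[base] = list(vals)  # fits in one response: plain attribute name
                continue
            low = int(m.group("low")) if m else 0
            high = low + max_val_range - 1  # the server never hands out more than MaxValRange values
            if m and m.group("high") != "*":
                high = min(high, int(m.group("high")))
            chunk = vals[low:high + 1]
            if low + len(chunk) >= len(vals):
                out[f"{base};range={low}-*"] = chunk  # last chunk: upper bound reported as '*'
            else:
                out[f"{base};range={low}-{low + len(chunk) - 1}"] = chunk
        return out
    return search


def build_sample_directory() -> Dict[str, Dict[str, List[str]]]:
    """Constructed sample data: one group over the 1500 limit, one under it, one with no members."""
    users = "OU=Users,DC=example,DC=com"
    groups = "OU=Groups,DC=example,DC=com"
    return {
        f"CN=BigGroup,{groups}": {"member": [f"CN=user{i:05d},{users}" for i in range(3200)]},
        f"CN=SmallGroup,{groups}": {"member": [f"CN=user{i:05d},{users}" for i in range(12)]},
        f"CN=EmptyGroup,{groups}": {},
    }


if __name__ == "__main__":
    directory = build_sample_directory()
    search = make_fake_ad_search(directory)
    for dn in directory:
        print(f"{dn}: naive={naive_member_count(search, dn)} ranged={len(fetch_all_values(search, dn, 'member'))}")
```

Against the constructed 3200-member group, naive_member_count reports 0 (the response carries member;range=0-1499, not member) while fetch_all_values walks three windows (0-1499, 1500-2999, 3000-*) and returns all 3200 DNs in order; the 12-member group comes back in a single range=0-* answer. The loop keys on the server-reported upper bound rather than assuming 1500, so it also behaves correctly if an administrator has changed MaxValRange.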
