Adobe Connect User Community

#1 2010-12-21 11:37:58

**_dddugan_**

LDAP page size bug in Connect v8?

Hello, fellow Connect admins. I'm trying to set up LDAP sync with Connect 8 (against Active Directory). The sync succeeds, but seems to only process the first page worth of accounts, as configured in "LDAP Entry Query Page Size Limit". Meaning if I set this to 500, I get 500 successfully sync'd. If I set it to 100, I get 100 sync'd. But the system does not appear to be processing subsequent pages. We have a few tens of thousands of accounts.

This is the first time we've tried to do LDAP with Connect, but I see there was a previous bug in v7, fixed in v7 SP1. The 7SP1 release notes say:
[1868328] (Licensed) Resolved issue with improperly observing setting for LDAP Entry Query Page Size Limit.

Is anyone using LDAP sync with version 8 successfully? I'm thinking the bug may have resurfaced.

Thanks, all.


#2 2010-12-22 11:16:50

**_mobcdi_**

Re: LDAP page size bug in Connect v8?

I managed to sync C8 with Active Directory. I am syncing to the global catalog and it managed to pull in about 20k accounts, with a daily recheck to catch any new accounts.

What did your preview sync look like?


#3 2010-12-22 11:40:02

**_dddugan_**

Re: LDAP page size bug in Connect v8?

Thanks for the response. Preview matches the result -- no warnings and shows just the one page-size worth of accounts.

I spent about 70 minutes with Adobe support yesterday with no success. They could find no reported bug in their system, and supposedly did successful test syncs with two different Connect 8 builds against AD. They suggested that our AD may not be paging correctly, but I find that hard to believe.

FYI, we are at Windows Server 2008 forest and domain functional level. We require LDAPS for simple binds. LDAP URL looks like "ldaps://dcname.domain.edu:636".

After I got off the phone with Adobe I went to our production 7.5 SP1 install (8 is trial license for testing) and set up the same directory service settings, minus being enabled for authentication. I only previewed here, but the preview looks the same as on v8 -- no warnings and shows just the one page-size worth of accounts. So it's not unique to 8 and may well be something unique to our environment, or some kind of edge case bug that's been present for a while.

There is talk now about not sync'ing all accounts and just letting them be created on login, with the option for us to pre-create select batches of users where we need to set permissions prior to first login. But we aren't set on this path yet.

Any further suggestions, or information I can provide?

Cheers.


#4 2010-12-22 11:53:19

**_mobcdi_**

Re: LDAP page size bug in Connect v8?

Not really able to give many details about our forest because I don't know them, other than to say I am syncing using simple authentication to ldap://dc.domain.edu:3268 using an AD account username & password and a timeout of 120 seconds with an LDAP page size of 100. I am only searching 2 branches of the directory for users and map the sAMAccountName, givenName, sn & UserprincipalName to the Connect fields.

You probably know more about AD than me but did you try ldp.exe to see if your account details return more than 100 users at a time?


#5 2010-12-22 13:05:56

**_dddugan_**

Re: LDAP page size bug in Connect v8?

Adobe was trying to have me use a Softerra LDAP product to test paging, but you've motivated me to verify with ldp.exe, which I am familiar with. It does work, using same connection/bind method. Here's a quick rundown (typing up so I can send to Adobe):

Start ldp.exe...
Connection, Connect...
dcname.domain.edu, 636, SSL
(should equate to ldaps://dcname.domain.edu:636)
<ok>

Connection, Bind...
DOMAIN\username
<password>
Simple bind
<ok>

Browse, Search...
DC=domain,DC=edu
(sAMAccountName=s*)
Subtree
Options...
Size limit 10000
Page size 1000
Search call type Paged
<ok>
<Run>
...returns the first 1000 records...
<Run> again returns next 1000 records...
etc.


Also, in Connect we've been using email address for login, so when setting up LDAP I mapped userPrincipalName, givenName, sn, userPrincipalName. (Because our 'mail' attribute has an extra @mail. portion that we don't want in the login.)

mobcdi, if your environment happens to have LDAPS set up for your DCs, I'd love to hear if a preview works for you with ldaps://dc.domain.edu:3269 or ldaps://dc.domain.edu:636. Unfortunately we have prohibited LDAP (non-SSL) simple binds, so I can't match your working setup.

Thanks.
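The ldp.exe check described in the post above, scripted as an added example (not part of the original thread and not Adobe's code). It assumes Windows PowerShell with the .NET `System.DirectoryServices.Protocols` assembly and a DC certificate the client trusts; the host, base DN and filter are the thread's placeholders, and the function name `Test-LdapPaging` is made up for this example.

```powershell
# Added example: LDAPS simple bind plus a paged subtree search, following the
# server's paging cookie until it comes back empty (the last page).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapPaging {
    param(
        [string]$Server   = 'dcname.domain.edu',    # placeholder from the thread
        [int]   $Port     = 636,
        [string]$BaseDn   = 'DC=domain,DC=edu',     # placeholder from the thread
        [string]$Filter   = '(sAMAccountName=s*)',
        [int]   $PageSize = 1000,
        [Parameter(Mandatory)][pscredential]$Credential   # DOMAIN\username
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, $Port
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $id
    try {
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $true   # ldaps://
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic  # simple bind
        $conn.Bind($Credential.GetNetworkCredential())

        $attrs   = [string[]]@('sAMAccountName')
        $scope   = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $req     = New-Object "$ns.SearchRequest" -ArgumentList $BaseDn, $Filter, $scope, $attrs
        $pageCtl = New-Object "$ns.PageResultRequestControl" -ArgumentList $PageSize
        [void]$req.Controls.Add($pageCtl)

        $pages = 0; $entries = 0
        do {
            $resp = $conn.SendRequest($req)
            $pages++
            $entries += $resp.Entries.Count
            # The response control carries the cookie to send with the next request.
            $rc = $resp.Controls |
                Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] } |
                Select-Object -First 1
            if ($rc) { $pageCtl.Cookie = $rc.Cookie }
        } while ($rc -and $rc.Cookie.Length -gt 0)

        [pscustomobject]@{ PageSize = $PageSize; Pages = $pages; Entries = $entries }
    }
    finally { $conn.Dispose() }
}

Test-LdapPaging -Credential (Get-Credential)
```

A result with `Pages` greater than 1 and `Entries` above `PageSize` shows the DC serving paged results over LDAPS for that bind, the same thing the repeated `<Run>` in ldp.exe shows.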


#6 2010-12-22 15:30:53

**_mobcdi_**

Re: LDAP page size bug in Connect v8?

It's going to be the new year before I could test LDAPS or even find out if it's an option, but I would like to move to it shortly.

Sorry I can't help more at the moment.

Last edited by **_mobcdi_** (2010-12-23 09:13:44)


#7 2011-01-05 00:08:21

**_mrock66_**

Re: LDAP page size bug in Connect v8?

After you do a preview, check your debug.log and it will tell you if it got hung up on something. Debug.log will show a much more useful error. If you need help, email me.
