  1. LDAP
  2. LDAP-59

Active Directory groups with more than 1500 members don't properly synchronize with XWiki Groups


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 9.3
    • None
    • Authenticator
    • None
    • Unknown
    • N/A
    • N/A

    Description

      The issue reproduces for an LDAP group with 1716 members which didn't properly synchronize with the XWiki Group.

      As softec investigated:

      AD has a limitation on the number of attribute values returned by a query, and requires that a range value be used for attributes having more than 1500 values.
      XWiki does not seem to properly support groups of that size; this is a limitation of the product.
      The retrieval of group members is done with a single query, similar to:

      -b "<group dn>" '' objectClass uniquemember memberuid member sAMAccountName
      

      and to properly retrieve the members of a large group, the following would be needed:

      -b "<group dn>" '' objectClass uniquemember memberuid 'member;range=1500-2000' sAMAccountName
      

      Using ldapsearch, it automatically limits the range to 0-1499, but without any range, apparently no value of the member attribute is returned.
      As a result, the group is seen as empty.
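
      The range-retrieval loop the description calls for, as an added example (not XWiki's or softec's code): it requests `member;range=N-*` and advances to the next window until the server answers with a final `range=N-*`. The `search` callable and the `make_fake_ad` server are hypothetical stand-ins for a real LDAP connection, and the member DNs are constructed.

```python
import re

# Matches a returned attribute description such as "member;range=0-1499" or "member;range=1500-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)

def fetch_all_values(search, dn, attr="member"):
    """Collect every value of `attr`, following the ranges the server hands back.

    `search(dn, attr_spec)` is a hypothetical callable standing in for a
    base-scope LDAP search; it returns {returned_attribute_name: [values]}.
    """
    values, start = [], 0
    while True:
        entry = search(dn, f"{attr};range={start}-*")
        chunk = None
        for name, vals in entry.items():
            m = RANGE_RE.match(name)
            if m and m["attr"].lower() == attr.lower() and int(m["lo"]) == start:
                chunk = (m["hi"], list(vals))
        if chunk is None:
            # No ranged answer for this window: fall back to the plain attribute, if any.
            plain = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
            return values + list(plain)
        hi, vals = chunk
        values.extend(vals)
        if hi == "*" or not vals:  # "*" marks the final window; empty guards against looping
            return values
        start = int(hi) + 1

def make_fake_ad(members, max_val_range=1500):
    """Constructed stand-in for a server that caps values per response (not real AD code)."""
    def search(dn, attr_spec):
        m = RANGE_RE.match(attr_spec)
        if m is None and len(members) <= max_val_range:
            return {"member": list(members)}  # small group: plain request is enough
        lo = int(m["lo"]) if m else 0  # the requested upper bound is ignored here
        window = members[lo:lo + max_val_range]
        hi = "*" if lo + len(window) >= len(members) else str(lo + len(window) - 1)
        entry = {f"member;range={lo}-{hi}": window}
        if m is None:
            entry["member"] = []  # plain attribute comes back with no values
        return entry
    return search

if __name__ == "__main__":
    # Constructed sample: 1716 member DNs, the group size from the report.
    group = [f"CN=user{i},OU=People,DC=example,DC=test" for i in range(1716)]
    ad = make_fake_ad(group)
    print(len(ad("CN=big,DC=example,DC=test", "member")["member"]))  # plain query
    print(len(fetch_all_values(ad, "CN=big,DC=example,DC=test")))    # ranged loop
```

      A synchronizer that reads only the plain `member` key sees the group as empty, which matters wherever XWiki rights are granted through the synchronized group.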

          People

            tmortagne Thomas Mortagne
            ibalan Iulia Balan