Retrieve All Members of Large AD Groups


Question

Working with a Microsoft Active Directory and the Unboundid SDK, and there is a group with >29k members.

I am trying to utilize the range values to get all the groups, but cannot determine when the end has been reached.

I am using this method: (Updated to working code)

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;

public class RangedGroupMembers
{
    private static final Logger log = LoggerFactory.getLogger(RangedGroupMembers.class);

    public static List<String> getAttributeRangeBasedSearch(LDAPConnection ldc, String basedn, String filter, int step, String return_attribute) throws LDAPException
    {
        List<String> allValues = new ArrayList<String>();
        // initialize counter to total the group members and range values
        int allvalues = 0;
        int start = 0;
        // int step = 1000;
        int finish = step - 1;
        boolean finallyFinished = false;
        String range;
        // loop through the query until we have all the results
        while (!finallyFinished)
        {
            range = start + "-" + finish;
            // AD range retrieval: ask for e.g. "member;Range=0-999"; the server answers
            // with "member;range=0-999", or with "member;range=N-*" on the last batch
            String currentRange = return_attribute + ";Range=" + range;
            String range_returnedAtts[] = { currentRange };
            SearchRequest searchRequest = new SearchRequest(basedn, SearchScope.BASE, filter, range_returnedAtts);
            List<SearchResultEntry> rangedEntries = ldc.search(searchRequest).getSearchEntries();
            // no matching entry: stop instead of looping forever
            if (rangedEntries.isEmpty())
            {
                break;
            }
            for (SearchResultEntry searchResultEntry : rangedEntries)
            {
                Collection<Attribute> allAttribute = searchResultEntry.getAttributes();
                // entry returned without the ranged attribute (e.g. an empty group): nothing more to read
                if (allAttribute.isEmpty())
                {
                    finallyFinished = true;
                }
                for (Attribute attribute : allAttribute)
                {
                    log.debug("---> " + allvalues + ": " + attribute.getName());
                    if (attribute.getName().endsWith("*"))
                    {
                        // "N-*" marks the final batch
                        currentRange = attribute.getName();
                        finallyFinished = true;
                    }
                    String[] attributeBatch = searchResultEntry.getAttributeValues(currentRange);
                    if (attributeBatch == null)
                    {
                        continue;
                    }
                    for (int i = 0; i < attributeBatch.length; i++)
                    {
                        allValues.add(attributeBatch[i]);
                        log.debug("-- " + allvalues++ + " " + attribute.getName() + ":" + attributeBatch[i]);
                    }
                }
            }// for SearchResultEntry
            start = start + step;
            finish = finish + step;
        }// finallyFinished
        return allValues;
    }
}

Any ideas?

Thanks - Jim

Answer

I got things working, but the process is very difficult and currently I am using a hard coded value for the step, as this could be dynamically changed from the default of 1,500 to a hard coded limit of 5,000.

I have not been able to determine the value dynamically. Appears, maybe, that if it is not defined at CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,forest root then it must be at defaults, and the default also varies based on which version of Microsoft Active Directory is being used.

There is also something described in MSDN about some sort of control that might help, but no information on how it could be used. Anyone ever use this?

LDAP policies are specified using the lDAPAdminLimits attribute.

The lDAPAdminLimits attribute of a queryPolicy object is a multivalued string where each string value encodes a name-value pair. In the encoding, the name and value are separated by an "=". For example, the encoding of the name "MaxActiveQueries" with value "0" is "MaxActiveQueries=0". Each name is the name of an LDAP policy, and the value is a value of that policy. There can be multiple queryPolicy objects in an AD Forest. A DC determines the queryPolicy object that contains its policies according to the following logic:

  • If the queryPolicyObject attribute is present on the DC's nTDSDSA object, the DC uses the queryPolicy object it references.
  • Otherwise, if the queryPolicyObject attribute is present on the nTDSSiteSettings object of the Active Directory site the DC belongs to, the DC uses the queryPolicy object referenced by the site.
  • Otherwise, the DC uses the queryPolicy object whose DN is "CN=Default Query Policy,CN=Query-Policies" relative to the nTDSService object (for example, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services" relative to the root of the configuration NC).
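The lookup order quoted above, as an added example (not the poster's code and not part of the UnboundID SDK) that resolves the effective queryPolicy object with the UnboundID SDK and reads the MaxValRange limit out of lDAPAdminLimits, which is the value the step size in the question is bounded by. It assumes the root DSE exposes dsServiceName and configurationNamingContext (standard on AD) and treats 1,500 as the fallback when the policy object does not list MaxValRange.

```java
import java.util.HashMap;
import java.util.Map;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.RootDSE;
import com.unboundid.ldap.sdk.SearchResultEntry;

public class QueryPolicyLookup {
    // Assumption: fallback when the effective policy does not list MaxValRange.
    static final int DEFAULT_MAX_VAL_RANGE = 1500;
    // Parse lDAPAdminLimits values ("Name=Value", e.g. "MaxActiveQueries=0") into a map.
    public static Map<String, String> parseAdminLimits(String[] values) {
        Map<String, String> limits = new HashMap<String, String>();
        if (values == null) return limits;
        for (String v : values) {
            int eq = v.indexOf('=');
            if (eq > 0) limits.put(v.substring(0, eq).trim(), v.substring(eq + 1).trim());
        }
        return limits;
    }
    // Read one single-valued attribute; null if the entry or the attribute is absent.
    static String readAttribute(LDAPConnection ldc, String dn, String attr) throws LDAPException {
        SearchResultEntry e = ldc.getEntry(dn, attr);
        return (e == null) ? null : e.getAttributeValue(attr);
    }
    // Resolve the queryPolicy object for the DC we are bound to, in the order the answer quotes.
    public static String resolveQueryPolicyDN(LDAPConnection ldc) throws LDAPException {
        RootDSE root = ldc.getRootDSE();
        String ntdsDsaDN = root.getAttributeValue("dsServiceName"); // the DC's nTDSDSA object
        String configNC = root.getAttributeValue("configurationNamingContext");
        // 1. queryPolicyObject on the DC's own nTDSDSA object
        String policy = readAttribute(ldc, ntdsDsaDN, "queryPolicyObject");
        if (policy != null) return policy;
        // 2. queryPolicyObject on the nTDSSiteSettings object of the DC's site (nTDSDSA -> server -> CN=Servers -> site)
        DN siteDN = new DN(ntdsDsaDN).getParent().getParent().getParent();
        policy = readAttribute(ldc, "CN=NTDS Site Settings," + siteDN, "queryPolicyObject");
        if (policy != null) return policy;
        // 3. the forest default policy under the configuration NC
        return "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services," + configNC;
    }
    // Effective MaxValRange: the largest step a ranged member retrieval may request.
    public static int getMaxValRange(LDAPConnection ldc) throws LDAPException {
        SearchResultEntry policy = ldc.getEntry(resolveQueryPolicyDN(ldc), "lDAPAdminLimits");
        String[] raw = (policy == null) ? null : policy.getAttributeValues("lDAPAdminLimits");
        String v = parseAdminLimits(raw).get("MaxValRange");
        return (v == null) ? DEFAULT_MAX_VAL_RANGE : Integer.parseInt(v);
    }
}
```

Passing the value returned by getMaxValRange as the step parameter of the ranged search replaces the hard coded step with the limit the DC actually enforces.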
