1

I'm querying a rather large LDAP user dataset, and I really have no way around it. I've built other, smaller queries that could filter by groups, managers and other key pieces of information, but now this one query requires that I look through all users in the company (+100,000 users). The returned result set goes into a jQuery autocomplete box. So that this list doesn't go completely crazy, I'm using the sixth ldap_search param, which allows you to limit the number of returned results. Basically, if the user doesn't yet see the user they need, then they should supply more characters.

```php
$sr=ldap_search($ds, $dn, $search, $filter,0,15);
```

Problem is that if the limit is reached on the ldap_search, then it returns a warning message with the dataset to tell you that not ALL results were returned. This breaks the population of the autocomplete box. I want to be able to ignore the warnings when there are more results than the limit is configured for.

The gotcha is that I don't want to eliminate all error messages returned from the ldap_search function. So using the PHP '@' suppression method is out of the question.

Does anyone know another way of dealing with this?

Alex
  • In regards to the gotcha, in what way are you using the other error messages? You could suppress with `@` but check `$sr` for false and then use `ldap_error()` to check it. Does the data have to be real-time? You could potentially periodically query LDAP for all results, cache them, then query against the cached results as needed. Though that would take quite a bit more logic to accomplish. – ChadSikorra Apr 22 '16 at 18:35
  • To answer your first question: Just because of the way the org is set up, various depts get to submit info for their own employees to AD. Most frequently when pulling the employee picture down is when I encounter things like the dataset being too large for the local cache and so the whole php ldap query throws an error. That's just one example, but those are the kinds of things I'm handling. – Alex Apr 25 '16 at 13:02
  • Which brings me to what you said. In the cases that I've tested so far, using the ldap_error() will allow me to monitor the events I'm currently tracking. So this is perfect! Thank you. Do you want to submit it as an answer so I can mark it correct? – Alex Apr 25 '16 at 13:03
  • All set. I also added an example of the paging method that was mentioned. – ChadSikorra Apr 26 '16 at 15:56

2 Answers

1

Depending on the LDAP server that you are communicating with, it may support the paged search results and/or virtual list view (VLV) controls. Both of these can be used to paginate through a large search result set. You can see some discussion on this here (though the examples are in Java): LDAP: How to return more than 1000 results (java)

There seems to be support for the paged result control in PHP, see: http://php.net/manual/it/function.ldap-control-paged-result.php

I hope this helps.

Community
Bertold Kolics
1

Per the comment I made, you could suppress with @ but check $sr for false and then use ldap_error() to check it:

```php
$sr = @ldap_search($ds, $dn, $search, $filter, 0, 15);

if (!$sr) {
    $error = ldap_error($ds);
    $code = ldap_errno($ds);
    echo "($code) $error";
} else {
    // do something with the results...
}
```

That way you can suppress the errors from the LDAP functions but still display/log the error message/code if needed.

Another way to do this would be by using paging:

```php
// Note: ldap_control_paged_result() was deprecated in PHP 7.4 and removed in PHP 8.0.
// Force LDAP to return sets of 15 results at a time
ldap_control_paged_result($ds, 15);

$sr = ldap_search($ds, $dn, $search, $filter, 0);
$entries = ldap_get_entries($ds, $sr);

// Reset the page control so you don't interfere with other searches
ldap_control_paged_result($ds, 0);
```

The above also assumes you're using LDAP v3 and have already made the needed ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); call somewhere in your code after the ldap_connect().

ChadSikorra
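
Added example (not part of either answer or of the question's code): one way to wire the `@` + `ldap_errno()` approach into the autocomplete lookup so that only the size-limit condition is treated as normal and every other LDAP result code is still surfaced. The function name, the constant name, the `objectClass=user`/`cn` filter and the `term` request parameter are assumptions; `$ds` is assumed to be an already bound LDAP v3 connection.

```php
<?php
// Added example; function and constant names are hypothetical.
const LDAP_RC_SIZELIMIT_EXCEEDED = 4; // sizeLimitExceeded result code, RFC 4511

/**
 * Size-limited user lookup for an autocomplete box.
 * Returns ['truncated' => bool, 'users' => string[]]; throws on a failed search.
 * Assumes $ds is a bound LDAP v3 connection.
 */
function autocompleteUsers($ds, string $baseDn, string $term, int $limit = 15): array
{
    if (strlen($term) < 2) {
        // Too short to be selective: ask for more characters instead of searching.
        return ['truncated' => true, 'users' => []];
    }

    // Escape the typed text so "*", "(", ")" and "\" match literally and
    // cannot change the structure of the filter.
    $safe   = ldap_escape($term, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectClass=user)(cn={$safe}*))"; // assumed schema and attribute

    // "@" hides only the PHP warning; the LDAP result code is still inspected.
    $sr    = @ldap_search($ds, $baseDn, $filter, ['cn'], 0, $limit);
    $code  = ldap_errno($ds);
    $error = ldap_error($ds);

    if ($sr === false) {
        throw new RuntimeException("LDAP search failed ($code): $error");
    }
    $truncated = ($code === LDAP_RC_SIZELIMIT_EXCEEDED);
    if ($code !== 0 && !$truncated) {
        // Any other non-zero code (time limit, admin limit, ...) is logged, not hidden.
        error_log("LDAP search returned ($code): $error");
    }

    $entries = ldap_get_entries($ds, $sr);
    $users   = [];
    for ($i = 0; $i < ($entries['count'] ?? 0); $i++) {
        $users[] = $entries[$i]['cn'][0];
    }
    return ['truncated' => $truncated, 'users' => $users];
}

// Usage in the endpoint that feeds the autocomplete ("term" parameter is an assumption):
// header('Content-Type: application/json');
// echo json_encode(autocompleteUsers($ds, $dn, $_GET['term'] ?? ''));
```

The `truncated` flag lets the front end show a "type more characters" hint instead of treating the capped result as an error.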