
Trying to pull the list of users from large AD Groups via Java - but only get 1500 back - how can I get all the users?

// Step1 method  - Pulling ADGroups from Active Directory
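/**
 * Collects the names of the AD groups under the search base whose CN matches
 * {@code *Ranger*} and appends them to {@code groups}.
 *
 * <p>The search uses the LDAP paged-results control and keeps requesting pages until the
 * server stops returning a cookie. Failures are printed to stdout and not rethrown
 * (best effort).
 */
private static void getADGroups() {
    Hashtable<String, Object> env = new Hashtable<String, Object>(11);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // NOTE(security): with a principal and password set and no explicit authentication
    // mechanism, this is a simple bind; over plain ldap:// the password crosses the network
    // unencrypted. Prefer an ldaps:// URL (or StartTLS) for the provider.
    env.put(Context.PROVIDER_URL, "ldap://");
    // NOTE(security): placeholder credentials. Load the real bind DN and password from
    // configuration or a secret store at runtime instead of compiling them into the class.
    env.put(Context.SECURITY_PRINCIPAL, "xxxx");
    env.put(Context.SECURITY_CREDENTIALS, "1233");
    // NOTE(review): with "follow", JNDI connects to whichever server a referral names and
    // reuses this environment, credentials included. Confirm that is intended.
    env.put(Context.REFERRAL, "follow");

    LdapContext ctx = null;

    try {
        ctx = new InitialLdapContext(env, null);

        // Search parameters do not change between pages, so build them once.
        // The server may return fewer entries per page than requested; the loop below
        // depends only on the cookie, not on the page actually being full.
        final int pageSize = 10000;
        final String searchBase = "OU=Groups,DC=cof,DC=ds,DC=com";
        final String searchFilter = "CN=*Ranger*";
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchControls.setReturningAttributes(new String[] { "cn" });

        // Activate paged results
        byte[] cookie = null;
        ctx.setRequestControls(new Control[] { new PagedResultsControl(pageSize, Control.NONCRITICAL) });

        do {
            NamingEnumeration<SearchResult> results = ctx.search(searchBase, searchFilter, searchControls);

            while (results != null && results.hasMore()) {
                SearchResult entry = results.next();

                // Take the first RDN ("CN=<name>") of the entry name and drop the "CN=" prefix.
                String name = entry.getName();
                int comma = name.indexOf(',');
                String firstRdn = comma < 0 ? name : name.substring(0, comma);
                if (firstRdn.length() <= 3) {
                    // Nothing after the three-character prefix (e.g. an empty relative name);
                    // skipping avoids an index error and an empty group name.
                    continue;
                }
                groups.add(firstRdn.substring(3));
            }

            // Forget the previous cookie before reading the response: if the server sends no
            // paged-results response this time, the loop must end instead of replaying a
            // stale cookie forever.
            cookie = null;

            // Examine the paged results control response
            Control[] controls = ctx.getResponseControls();
            if (controls != null) {
                for (Control control : controls) {
                    if (control instanceof PagedResultsResponseControl) {
                        cookie = ((PagedResultsResponseControl) control).getCookie();
                    }
                }
            } else {
                System.out.println("No controls were sent from the server");
            }

            // Re-activate paged results, passing the cookie so the server continues
            // from where the previous page ended.
            ctx.setRequestControls(new Control[] { new PagedResultsControl(pageSize, cookie, Control.CRITICAL) });

        } while (cookie != null);

    } catch (NamingException e) {
        System.out.println("PagedSearch failed." + e.getMessage());
        e.printStackTrace();
    } catch (IOException ie) {
        System.out.println("PagedSearch failed." + ie.getMessage());
        ie.printStackTrace();
    } finally {
        // ctx is still null when the initial connect/bind failed; closing it then would
        // throw a NullPointerException out of the finally block.
        if (ctx != null) {
            try {
                ctx.close();
            } catch (NamingException e) {
                System.out.println("PagedSearch failed (error occured in closing context)." + e.getMessage());
                e.printStackTrace();
            }
        }
    }

}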

// Step2 method - to pull users from ADgroups that we got for above
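    /**
     * Searches for the group with the given common name, requesting its {@code member}
     * attribute, then passes the result on for member filtering.
     *
     * <p>Per the discussion on this page, Active Directory returns only the first 1500
     * values of {@code member} for a plain request; larger groups need ranged requests
     * ({@code member;range=1500-*} and so on), which this method does not issue.
     *
     * @param groupName common name of the group, as collected from the directory
     */
    private static void getGroupMembers(String groupName) {
        searchBase = "Ou=users";

        String[] returnedAtts = { "member" };
        searchControls.setReturningAttributes(returnedAtts);

        // Group names are data: one containing '(', ')', '*' or '\' would otherwise change
        // the meaning of the filter or make it unparseable, so escape before embedding.
        searchFilter = "(cn=" + escapeLdapFilterValue(groupName) + ")";

        getSearchResult();
        filterSearchResultsForGroupMembers(groupName);
    }

    /** Escapes a value for use inside an LDAP search filter assertion (RFC 4515). */
    private static String escapeLdapFilterValue(String value) {
        // String.format("%s") rendered a null name as "null"; keep that rather than throw here.
        String text = String.valueOf(value);
        StringBuilder escaped = new StringBuilder(text.length() + 8);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }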
Gabriel Luci
  • 4
    You have given us pretty much no information to work with. Please include more details and your attempt at a solution. – slider Oct 24 '18 at 17:38
  • Your AD probably limits the number of results it returns. You must implement some kind of "paged LDAP": https://stackoverflow.com/questions/11311765/ldap-how-to-return-more-than-1000-results-java – Raphael Milani Oct 24 '18 at 17:44
  • Show your code. There should be a way to request the next page of results. AD will only send 1500 at a time. – Gabriel Luci Oct 24 '18 at 17:46
  • Your page size is 10000, which means that when it gets back 10000, it will ask for the next page. But because AD will only send 1500, it never reaches 10000 and so it will never ask for the next page. Set your page size to 1500 or lower. – Gabriel Luci Oct 24 '18 at 19:26
  • I was using 1000 always , I just updated to 10000 for testing but it gives the same output – user3608823 Oct 24 '18 at 20:41
  • I am using the paged approach only for getting the AD groups, as I need to get more than 2000 groups, and that works fine. I do not have a paged approach for pulling users from those groups. I did try to use it, but it does not fetch more than 1500. If anyone has sample code that works, please pass it to me. – user3608823 Oct 24 '18 at 20:47

1 Answer


The key is where you request the member attribute. If you get back exactly 1500 results, you know there might be more. This is how you request the next batch:

String[] returnedAtts = { "member;range=1500-*" };

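Then if you get exactly 1500 back again, you need to ask for more (`member;range=3000-*`). Keep asking for more until you get fewer than 1500 back. Note that AD returns the values under an attribute whose name includes the range actually sent (for example `member;range=1500-2999`, with `*` as the upper bound on the last batch), so read the result by that name rather than plain `member`.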

So setup a loop with a counter and use that counter in the range string.

There is a full example here (search the page for "setReturningAttributes" to find that section of the code): https://community.oracle.com/thread/1157644

Gabriel Luci