RSA LDAP query failed

While configuring an LDAP mapping for RSA Authentication Manager 6.1 against an Active Directory domain controller, I received the following error when running the Synchronisation task:

c:\RSA\prog\sdldapsync.exe -j 102

"[LDAP search] Search failed (check Base DN)"

At first I suspected a typo in the Synchronisation task configuration. To test the LDAP connection to the domain controller I installed Softerra's LDAP Browser. With that tool the LDAP connection works perfectly when using the same credentials, Base DN and LDAP query filter.

After searching the internet I found the MaxPageSize issue in Windows, the same issue I had already reported in a blog post about eSafe and LDAP. When running the sdaceldap command you can see that the LDAP query hits the MaxPageSize limit.

Correct usage: sdaceldap <-h hostname> <-p port> [-b basedn] [-s scope] [-d import|compare] [-o output file] [-m schema map file] <-D binddn -w passwd> <-Z -P path> filter


C:\RSA\utils\toolkit>sdaceldap.exe -h 10.1.1.100 -p 389 -b ou=Users,dc=booches,dc=nl -s sub -d import -o AD_Users.csv -m active.map -D SA_LDAP@booches.nl -w LDAP_passwd "objectclass=user"


Host: 10.1.1.100
Port: 389
Distinguished Name: ou=Users,dc=booches,dc=nl

Scope: sub
Mode: import
Output Filename: AD_Users.csv
Mapfile: active.map
Bind: SA_LDAP@booches.nl
Filter: objectclass=user

Starting Import:

ldap_search_s Sizelimit exceeded

The output shows that the size limit is exceeded. I found a tool on the internet, AdFind, which can be used to retrieve the MaxPageSize from a Windows machine.

Running this tool on the domain controller shows that MaxPageSize is set to 2000.

c:\>adfind -e -config -f "&(objectcategory=querypolicy)(name=default query policy)" ldapadminlimits

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc01.booches.nl:389
Directory: Windows Server 2003
Base DN: CN=Configuration,DC=booches,DC=nl

dn:CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,
CN=Services,CN=Configuration,DC=booches,DC=nl
>lDAPAdminLimits: MaxPageSize=2000
>lDAPAdminLimits: MaxReceiveBuffer=10485760
>lDAPAdminLimits: MaxDatagramRecv=1024
>lDAPAdminLimits: MaxPoolThreads=4
>lDAPAdminLimits: MaxResultSetSize=262144
>lDAPAdminLimits: MaxTempTableSize=10000
>lDAPAdminLimits: MaxQueryDuration=120
>lDAPAdminLimits: MaxNotificationPerConn=5
>lDAPAdminLimits: MaxConnIdleTime=900
>lDAPAdminLimits: InitRecvTimeout=120
>lDAPAdminLimits: MaxConnections=5000

1 Objects returned
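As an added example (not code from the blog post, from RSA's sdaceldap or from Microsoft), the following Python simulation models what the two outputs above show together: a domain controller enforcing the lDAPAdminLimits MaxPageSize answers an unpaged ldap_search_s whose result set is larger than the limit with sizeLimitExceeded, while a narrower filter that stays under the limit, or a client using the RFC 2696 paged-results control, completes. The MockDirectory class, the sample accounts and the page size of 500 are constructed for the example.

```python
"""Simulate Active Directory's MaxPageSize against unpaged and paged searches.

Added example, not part of the original blog post, of sdaceldap or of any
Microsoft tool. MockDirectory, the sample accounts and the page sizes are
constructed for the illustration.
"""

SUCCESS = 0
SIZE_LIMIT_EXCEEDED = 4   # LDAP result code sizeLimitExceeded (RFC 4511)
ACCOUNTDISABLE = 2        # userAccountControl flag


class MockDirectory:
    """Stand-in for a domain controller that enforces MaxPageSize."""

    def __init__(self, entries, max_page_size=1000):   # 1000 is the AD default
        self.entries = list(entries)
        self.max_page_size = max_page_size

    def search(self, predicate):
        """Unpaged search, like the ldap_search_s call sdaceldap makes.

        Returns (result_code, entries). Once MaxPageSize entries have been
        collected the server stops and reports sizeLimitExceeded.
        """
        hits = [e for e in self.entries if predicate(e)]
        if len(hits) > self.max_page_size:
            return SIZE_LIMIT_EXCEEDED, hits[: self.max_page_size]
        return SUCCESS, hits

    def paged_search(self, predicate, page_size, cookie=b""):
        """One round trip of an RFC 2696 paged search.

        The cookie is an opaque server-side marker (here simply the offset into
        the result set); an empty cookie in the response means the set is
        complete. A requested page size above MaxPageSize is clamped, as AD does.
        """
        hits = [e for e in self.entries if predicate(e)]
        offset = int(cookie) if cookie else 0
        size = min(page_size, self.max_page_size)
        page = hits[offset:offset + size]
        next_offset = offset + len(page)
        next_cookie = str(next_offset).encode() if next_offset < len(hits) else b""
        return SUCCESS, page, next_cookie


def fetch_all_paged(directory, predicate, page_size):
    """Client side of RFC 2696: resend the returned cookie until it comes back empty."""
    results, cookie, round_trips = [], b"", 0
    while True:
        code, page, cookie = directory.paged_search(predicate, page_size, cookie)
        round_trips += 1
        results.extend(page)
        if not cookie:
            return code, results, round_trips


# Constructed sample directory: 2200 user accounts (every fifth one disabled)
# and 300 computer accounts.
SAMPLE_DIRECTORY = (
    [{"cn": "user%04d" % i, "objectClass": "user",
      "userAccountControl": 512 | ACCOUNTDISABLE if i % 5 == 0 else 512}
     for i in range(2200)]
    + [{"cn": "WS%03d$" % i, "objectClass": "computer", "userAccountControl": 4096}
       for i in range(300)]
)


def is_user(entry):
    """The broad filter from the sdaceldap run: objectclass=user."""
    return entry["objectClass"] == "user"


def is_enabled_user(entry):
    """The narrower filter: users whose ACCOUNTDISABLE bit is not set."""
    return entry["objectClass"] == "user" and not entry["userAccountControl"] & ACCOUNTDISABLE


def demo(max_page_size=2000):
    """Outcome of each strategy against the sample directory, as a dict."""
    dc = MockDirectory(SAMPLE_DIRECTORY, max_page_size)
    unpaged_code, _ = dc.search(is_user)                   # what sdaceldap ran into
    narrowed_code, narrowed = dc.search(is_enabled_user)   # narrower filter, still unpaged
    paged_code, paged, trips = fetch_all_paged(dc, is_user, page_size=500)
    return {
        "unpaged": unpaged_code,
        "narrowed": (narrowed_code, len(narrowed)),
        "paged": (paged_code, len(paged), trips),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the three outcomes for a MaxPageSize of 2000, the value adfind reported above: the broad unpaged search fails with result code 4, the narrowed search succeeds, and the paged client retrieves the full set in five round trips. In a real client the paging is one option away (ldap3's `paged_size` argument, `DirectorySearcher.PageSize` in .NET); raising MaxPageSize on the query policy applies to every LDAP client of every domain controller that uses the policy and grows the memory a single search may tie up, so a narrower filter or paging is the less intrusive fix.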

To reduce the number of objects returned by a single search I configured an LDAP query filter, shown below:

(&(&(&(objectClass=user)(objectClass=person))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(!(objectClass=computer)))

or the equivalent

(&(objectClass=user)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer)))

This filter selects objects that have both the objectClass user AND person, whose userAccountControl ACCOUNTDISABLE bit (value 2, tested with the bitwise-AND matching rule 1.2.840.113556.1.4.803) is NOT set, AND that do NOT have the objectClass computer. This already excludes a number of objects, such as disabled accounts and the computer accounts of workstations and servers.

More information about MaxPageSize and how to change its value can be found here. More information about limiting LDAP searches with MaxPageSize can be found here.

LDAP and eSafe Gateway

eSafe Gateway can be used to scan incoming and outgoing SMTP connections for viruses and spam. By default eSafe Gateway does not check incoming mail addresses against a directory such as Active Directory or Novell Directory Services.

This means that all mail addresses for a trusted domain are forwarded to the internal mail server. Ideally, unknown mail addresses should be blocked at the eSafe Gateway. This takes load off the internal mail server, because it no longer has to generate NDRs (Non-Delivery Reports), and the eSafe Gateway no longer has to process those NDRs either. The LDAP (Lightweight Directory Access Protocol) integration of eSafe Gateway provides this functionality.

With LDAP configured, the eSafe Gateway synchronizes all known mail objects from the directory service, so it knows every valid mail object and can block mail for invalid ones. There are some issues when configuring an LDAP query against Active Directory: by default Active Directory returns at most 1000 objects in one query. Some customers have more mail objects than that, so this limit needs to be raised by editing the LDAP policy setting MaxPageSize inside Active Directory. Look here for more information about editing the MaxPageSize variable.

Some organizations also use mail-enabled public folders (a Microsoft Exchange feature). These should be added to the LDAP filter configured in eSafe Gateway by changing the default filter

(&(|(objectClass=person)(objectClass=contact)(objectClass=organizationalPerson))(!(objectClass=computer)))

to

(&(|(objectClass=person)(objectClass=contact)(objectClass=organizationalPerson)(objectClass=publicFolder))(!(objectClass=computer)))

This adds the publicFolder mail objects to the LDAP query.
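The following Python block is an added example (not code from either blog post, from RSA or from Aladdin eSafe) that parses the filters quoted on this page with a small RFC 4515 filter parser and evaluates them against constructed sample directory objects, so you can see which objects the RSA filter above (user AND person, not disabled, not computer) and the two eSafe filters (with and without publicFolder) actually select. It also rejects the unparenthesised NOT form `(!attr=value)`, which is not valid filter syntax. The sample entries and the helper names are assumptions made for the example.

```python
"""Parse and evaluate LDAP search filters (RFC 4515) against sample entries.

Added example, not from the blog posts, RSA or eSafe. It covers the syntax the
filters on the page use: AND (&), OR (|), NOT (!), equality, and the Active
Directory bitwise-AND extensible match (OID 1.2.840.113556.1.4.803).
"""

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Filters quoted on the page.
RSA_FILTER = ("(&(objectClass=user)(objectClass=person)"
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer)))")
RSA_FILTER_NESTED = ("(&(&(&(objectClass=user)(objectClass=person))"
                     "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(!(objectClass=computer)))")
ESAFE_DEFAULT_FILTER = ("(&(|(objectClass=person)(objectClass=contact)"
                        "(objectClass=organizationalPerson))(!(objectClass=computer)))")
ESAFE_PUBLICFOLDER_FILTER = ("(&(|(objectClass=person)(objectClass=contact)"
                             "(objectClass=organizationalPerson)(objectClass=publicFolder))"
                             "(!(objectClass=computer)))")


def parse_filter(text):
    """Return a tuple tree for an RFC 4515 filter; raise ValueError on bad syntax."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters at offset %d" % end)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return _close(s, i, (op, children))
    if i < len(s) and s[i] == "!":
        # NOT wraps exactly one parenthesised filter: "(!(a=b))", never "(!a=b)".
        child, i = _parse(s, i + 1)
        return _close(s, i, ("!", child))
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated item at offset %d" % i)
    item = s[i:end]
    if ":=" in item:                      # extensible match: attr:rule:=value
        attr, rule, value = item.split(":", 2)
        return ("ext", attr, rule, value[1:]), end + 1
    if "=" not in item:
        raise ValueError("no '=' in item %r" % item)
    attr, value = item.split("=", 1)
    return ("eq", attr, value), end + 1


def _close(s, i, node):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attribute: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = _values(entry, node[1])
    if kind == "eq":                      # values compared case-insensitively
        return any(v.lower() == node[2].lower() for v in values)
    if node[2] != LDAP_MATCHING_RULE_BIT_AND:
        raise ValueError("unsupported matching rule " + node[2])
    mask = int(node[3])                   # bitwise AND: every bit of the mask must be set
    return any(int(v) & mask == mask for v in values)


def _values(entry, attr):
    """LDAP attribute names are case-insensitive, so look them up that way."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


# Constructed sample objects, roughly as an AD/Exchange forest would hold them.
SAMPLE_ENTRIES = [
    {"cn": ["alice"], "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": ["512"]},
    {"cn": ["bob"], "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": ["514"]},       # 512 | 2: ACCOUNTDISABLE set
    {"cn": ["WS01"], "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": ["4096"]},      # workstation trust account
    {"cn": ["helpdesk"], "objectClass": ["top", "person", "organizationalPerson", "contact"]},
    {"cn": ["Sales PF"], "objectClass": ["top", "publicFolder"]},
]


def select(filter_text, entries=SAMPLE_ENTRIES):
    """Return the cn of every entry the filter matches, in directory order."""
    tree = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(tree, e)]


def is_valid_filter(filter_text):
    """True when the text parses as an RFC 4515 filter."""
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("RSA_FILTER", "ESAFE_DEFAULT_FILTER", "ESAFE_PUBLICFOLDER_FILTER"):
        print(name, select(globals()[name]))
```

Against the sample objects the RSA filter (in either of its two spellings) selects only alice: bob is excluded by the ACCOUNTDISABLE bit, WS01 by objectClass computer, and the contact and public folder because they are not users. The default eSafe filter selects alice, bob and the helpdesk contact; only the version with `(objectClass=publicFolder)` in the OR also returns the mail-enabled public folder. Disabled accounts are still synchronised by the eSafe filters, since neither of them tests userAccountControl.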