LDAP : cannot see all users or groups

Working with both SonicWall and Blue Coat products, we frequently come across issues where the client complains that, after successfully interfacing the product to a Microsoft AD server via LDAP, they cannot see, browse or choose all the users and groups they have configured. There may be a couple of reasons for this, namely:

  • Permission issues: the user you configure to bind to the LDAP server must have permission to read all the required users and groups.
  • LDAP filter issues: in 99% of deployments this is rarely the issue. But if an enterprising AD admin has changed the attributes associated with some groups, you need to change the LDAP filter accordingly. In Wireshark you can observe which filter is being used by entering the display filter ldap.searchRequest and drilling down into the LDAP layer. Most of the time the filter will be along the lines of: Filter: (&(objectClass=group)(cn=*))

However, another variable I was not aware of is the size limit configured by default on Microsoft AD. Most often this is noticeable in Wireshark too: using the filter ldap.searchResDone and again drilling down into the LDAP layer, you will see a “sizeLimitExceeded” error.


I ran across this link:

http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=232 

which pointed out the correct setting in Microsoft AD (MaxPageSize) to solve this issue.
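To make the Wireshark observation above concrete, here is an added example (not from the original post or from either vendor) that decodes an LDAP SearchResultDone message as defined in RFC 4511 and flags resultCode 4, which is sizeLimitExceeded. The sample message bytes are constructed inline for illustration and are not taken from a real capture.

```python
# Added example: parse an LDAPMessage carrying a SearchResultDone (RFC 4511)
# and report whether the server answered with sizeLimitExceeded (resultCode 4).
# The sample messages below are constructed, not captured from a live server.

SIZE_LIMIT_EXCEEDED = 4      # RFC 4511 LDAPResult resultCode for sizeLimitExceeded
SEARCH_RES_DONE_TAG = 0x65   # [APPLICATION 5], constructed form

def read_tlv(buf, pos):
    """Parse one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_search_res_done(msg):
    """Return the LDAPResult fields of a SearchResultDone, or None for other ops."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:                        # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:                        # messageID is an INTEGER
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != SEARCH_RES_DONE_TAG:
        return None
    _, code, p = read_tlv(op, 0)           # resultCode ENUMERATED
    _, dn, p = read_tlv(op, p)             # matchedDN OCTET STRING
    _, diag, _ = read_tlv(op, p)           # diagnosticMessage OCTET STRING
    return {"messageID": int.from_bytes(mid, "big"),
            "resultCode": int.from_bytes(code, "big"),
            "matchedDN": dn.decode(), "diagnosticMessage": diag.decode()}

def hit_size_limit(msg):
    """True when the server truncated the result set (sizeLimitExceeded)."""
    r = parse_search_res_done(msg)
    return r is not None and r["resultCode"] == SIZE_LIMIT_EXCEEDED

def tlv(tag, value):
    """Encode one short-form BER element (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed samples: messageID 3 with resultCode 4, and messageID 4 with success (0).
SAMPLE_TRUNCATED = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x65,
    tlv(0x0A, b"\x04") + tlv(0x04, b"") + tlv(0x04, b"size limit exceeded")))
SAMPLE_OK = tlv(0x30, tlv(0x02, b"\x04") + tlv(0x65,
    tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")))
```

Clients that send the RFC 2696 paged-results control retrieve the full set in pages and never trip this limit, so checking whether the product supports paging is worth doing before raising MaxPageSize on the domain controllers.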