Knowledge Base > Article [0074]

LDAP Paging

Since v5.7, DualShield has supported LDAP paging in its DMC. If you are a big company and have more than 10,000 AD users in total, then you may encounter the following error when you try to view users in DMC.

Figure 1

This is an LDAP limitation on the Microsoft platform. If you have Windows 2000 or 2003, you may be able to overcome it by adjusting the MaxTempTableSize LDAP policy; see http://support.microsoft.com/kb/315071 for details.

However, beginning with Windows Server 2008, hardcoded limits to LDAP policies have been implemented. These limits are significantly more aggressive than the configurable range in Windows Server 2003. Specifically, MaxReceiveBuffer, MaxPageSize, MaxQueryDuration, MaxTempTableSize and MaxValRange have been capped. So if you have configured these parameters to be significantly different from the default, you may run into these hard limits.

Like me, your first thought would be that, on this issue, MS goes from bad to worse! However, if you think twice, you would agree that the maximum value of 10,000 on MaxTempTableSize is reasonable. First, a huge amount of data costs CPU and memory; second, you are not going to turn page after page to the last one to see all 10,000 records!

You may argue that you do have more than 10,000 users in your organization. Are they all under a single level? I bet not! If they are, I would think it is a bad design. Generally you have dozens of OUs, and in each OU there are fewer than 10,000 users. In this case, you can still use LDAP paging; just make sure you have "Single Level" selected in Users Search Scope.

During a test, we created 5 OUs and generated 5,000 users in each OU. As you can see, we can still have paging on OU1 (page size = 30, total pages = 167).

In the worst-case scenario, where you do have more than 10,000 users in one branch (single level), you can disable paging to avoid the error shown in Figure 1.

However, it took much, much longer to load the 1000 records (although we set the Query Limit to 5,000).

In conclusion, you can still use LDAP paging in DMC, as long as the branch you are viewing has fewer than 10,000 users.
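
To check in advance which branches stay under that limit with a "Single Level" scope, the following added example (not DualShield code) counts the users that are direct children of each container in an exported list of user DNs and reports the page count at the article's page size of 30. The `example.com` DNs are constructed sample data, the function names are hypothetical, and treating exactly 10,000 users as over the limit is an assumption.

```python
import math
from collections import Counter

TEMP_TABLE_CAP = 10_000  # MaxTempTableSize ceiling discussed in the article
PAGE_SIZE = 30           # page size used in the article's test


def parent_dn(dn):
    """Return the parent container of a DN, honouring backslash-escaped commas."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if dn[i] == ",":
            return dn[i + 1:].strip()
        i += 1
    return ""  # no separator found: the entry has no parent


def branch_report(user_dns, cap=TEMP_TABLE_CAP, page_size=PAGE_SIZE):
    """Per container: direct-child user count (what a Single Level search
    on that container returns), page count, and whether paging stays under the cap."""
    counts = Counter(parent_dn(dn).lower() for dn in user_dns)  # DNs are case-insensitive
    return {
        container: {
            "users": n,
            "pages": math.ceil(n / page_size),
            "paging_ok": n < cap,  # assumption: exactly `cap` users is treated as too many
        }
        for container, n in counts.items()
    }


def sample_dns():
    """Constructed data: 5 OUs of 5,000 users (the article's test) plus one flat OU of 10,001."""
    dns = [f"CN=user{i},OU=OU{k},DC=example,DC=com"
           for k in range(1, 6) for i in range(5000)]
    dns += [f"CN=Doe\\, J{i},OU=Flat,DC=example,DC=com" for i in range(10001)]
    return dns


if __name__ == "__main__":
    for container, row in sorted(branch_report(sample_dns()).items()):
        action = "paging OK" if row["paging_ok"] else "disable paging or split the OU"
        print(f"{container}: {row['users']} users, {row['pages']} pages, {action}")
```

Containers reported with `paging_ok` set to false are the ones where the article's fallback of disabling paging applies.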