This repository has been archived by the owner on May 14, 2024. It is now read-only.

AD-Group Range RegEx #895

Closed
Domenik-E opened this issue Jun 1, 2023 · 13 comments

@Domenik-E

I am using ldapjs to retrieve all members in different AD-groups. Some of these groups contain more than 1500 members. In order to retrieve all members, it is necessary to work with range retrievals.

If I try to add a range like `member;range=1500-2000` to the attributes list, I receive the following error: "message": "attribute must be a valid string". It looks like the evaluation regex does not support the '=' symbol.

Thanks.

@jsumners
Member

jsumners commented Jun 2, 2023

Attribute options are defined by https://www.rfc-editor.org/rfc/rfc4512#section-2.5:

An attribute description is represented by the ABNF:

```
attributedescription = attributetype options
attributetype = oid
options = *( SEMI option )
option = 1*keychar
```

And keychar is defined by https://www.rfc-editor.org/rfc/rfc4512#section-1.4:

```
keychar = ALPHA / DIGIT / HYPHEN
...
ALPHA = %x41-5A / %x61-7A ; "A"-"Z" / "a"-"z"
DIGIT = %x30 / LDIGIT ; "0"-"9"
HYPHEN = %x2D ; hyphen ("-")
```

https://github.com/ldapjs/messages/blob/e0b8f8f5617f8e1880717e6ef8e5da1a5f7adb0e/lib/messages/search-request.js#L28-L42 adheres to said spec. Where is the spec that defines `range=<x>-<y>` as being valid?
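The grammar quoted above, written out as a check, shows why `member;range=0-1499` is rejected under RFC 4512 and what an opt-in allowance for the Active Directory range option could look like. This is an added example, not the @ldapjs/messages validator; the function name and the `allowAdRange` flag are hypothetical.

```javascript
// Added example, not project code. Names and the allowAdRange flag are hypothetical.
const KEYCHAR = '[A-Za-z0-9-]'                      // keychar = ALPHA / DIGIT / HYPHEN
const DESCR = `[A-Za-z]${KEYCHAR}*`                 // descr = leadkeychar *keychar
const NUMBER = '(?:0|[1-9][0-9]*)'
const NUMERICOID = `${NUMBER}(?:\\.${NUMBER})+`     // number 1*( DOT number )
const OID = `(?:${DESCR}|${NUMERICOID})`            // attributetype = oid
const RFC_OPTION = `${KEYCHAR}+`                    // option = 1*keychar
const AD_RANGE = 'range=[0-9]+-(?:\\*|[0-9]+)'      // range=0-1499, range=1500-*

// Anchored at both ends so nothing may follow the last option.
const strictRe = new RegExp(`^${OID}(?:;${RFC_OPTION})*$`)
const adRe = new RegExp(`^${OID}(?:;(?:${AD_RANGE}|${RFC_OPTION}))*$`, 'i')

function isValidAttributeDescription (attr, { allowAdRange = false } = {}) {
  if (typeof attr !== 'string') return false
  if (!(allowAdRange ? adRe : strictRe).test(attr)) return false
  // Reject a range whose low bound exceeds a numeric high bound.
  const m = /;range=(\d+)-(\d+)/i.exec(attr)
  return !m || Number(m[1]) <= Number(m[2])
}
```

The only character in the range option that falls outside `keychar` is `=` (plus `*` in the open-ended form), so the extension is confined to one fixed option shape and the attribute selector still cannot carry arbitrary text.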

@jsumners
Member

Closing due to lack of response.

@jsumners closed this as not planned Aug 28, 2023

@RajyashreeChat

I am facing the same issue. On trying to retrieve members of an AD Group with more than 1500 members, I was earlier using the below options with ldap version '2.3.3' and was getting the correct output but after upgrading to version '3.0.2' the range functionality inside the attribute stopped working and it started throwing "Error: attribute must be a valid string".

Is there some change in version 3.x which is stopping us from using this functionality, if yes what should be the new correct way to retrieve members of a group with more than 1500 members? Or is there some alternate way to retrieve this member list?

```js
let opts = {
  // Template literal; cnValue must be filter-escaped if it comes from user input.
  filter: `cn=${cnValue}`,
  scope: 'sub',
  attributes: ['member;range=0-1499'],
  timeLimit: 30
}
```

@jsumners
Member

jsumners commented Nov 2, 2023

> Is there some change in version 3.x which is stopping us from using this functionality

I think this is addressed in this thread and the v3 release notes. Have you reviewed them?

@Uiblar

Uiblar commented Nov 3, 2023

> I am facing the same issue.
> if yes what should be the new correct way to retrieve members of a group with more than 1500 members? Or is there some alternate way to retrieve this member list?

I'm quite new to ldapjs and I'm wondering the same. I was trying to read this thread and the v3 release notes, but maybe I'm just not advanced enough to understand a thing :-D

@jsumners
Member

jsumners commented Nov 3, 2023

range=<x>-<y> is not a valid attribute per the specification. I have asked for some documentation that defines the extension adding it as a valid attribute.

@Domenik-E
Author

Domenik-E commented Nov 3, 2023

I think it is important to say that there is a difference between LDAP and ActiveDirectory. LDAP is a standard application protocol, while ActiveDirectory is a proprietary product.

The current implementation seems to be totally right from a protocol perspective. I think the common problem is that the majority of users of this library (me included) want to interact with an ActiveDirectory. This is where the problem comes up....

@jsumners
Member

jsumners commented Nov 3, 2023

Yes, that is correct, ActiveDirectory is not a standard LDAP server. The current approach taken by this project is to follow the published RFCs around LDAP as it gives us a source of truth to follow. However, we can update the attribute validator to allow the desired attribute. But we need some documentation to point to in order to make it acceptable.

Otherwise, I suggest investigating the paged search results as defined in RFC 2696. Or work to re-add VLV support as discussed in the v3 release notes.

@Domenik-E
Author

Domenik-E commented Nov 3, 2023

The technical specification from Microsoft can be found here (Protocol Revision 57.0):
3.1.1.3.1.3.3 Range Retrieval of Attribute Values

@jsumners
Member

jsumners commented Nov 3, 2023

Is there a web viewable version of that?

@Domenik-E
Author

Unfortunately no. There is just a download page.

@jsumners reopened this Nov 7, 2023

@jsumners
Member

jsumners commented Nov 7, 2023

This is being worked on in ldapjs/messages#9

@jsumners
Member

jsumners commented Nov 9, 2023

This has been resolved via the linked issue. Please re-install your dependencies to get the latest @ldapjs/messages.
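Once the range option is accepted, range retrieval as referenced in this thread proceeds chunk by chunk: the server returns the values under an attribute name carrying the range it actually served, and marks the last chunk with `*` as the upper bound. The loop below is an added example, not ldapjs code; `searchFn` is a hypothetical async callback and `fakeDirectory` is a constructed stand-in so the example runs offline.

```javascript
// Added example, not ldapjs code. `searchFn` is a hypothetical async callback:
// it runs one search for a single attribute selector and resolves to an object
// mapping each returned attribute name to its array of values.
const RANGE_RE = /^([^;]+);range=(\d+)-(\*|\d+)$/i

// Read one response entry: append its values to `out` and return the low bound
// of the next chunk, or null when the server marked this chunk as the last.
function consumeChunk (attr, low, entry, out) {
  for (const [name, vals] of Object.entries(entry)) {
    const m = RANGE_RE.exec(name)
    if (!m || m[1].toLowerCase() !== attr.toLowerCase()) continue
    if (Number(m[2]) !== low) throw new Error(`unexpected range start in ${name}`)
    out.push(...vals)
    // Continue from the bound the server reported, which may be lower than
    // the one requested.
    return m[3] === '*' ? null : Number(m[3]) + 1
  }
  out.push(...(entry[attr] || [])) // no ranged name in the entry: take plain values
  return null
}

async function fetchAllValues (searchFn, attr, step = 1500) {
  const out = []
  let low = 0
  while (low !== null) {
    const entry = await searchFn(`${attr};range=${low}-${low + step - 1}`)
    low = consumeChunk(attr, low, entry, out)
  }
  return out
}

// Constructed stand-in for a directory that returns at most `serverMax` values.
function fakeDirectory (total, serverMax = 1500) {
  const all = Array.from({ length: total }, (_, i) => `CN=user${i},DC=example,DC=test`)
  return async (selector) => {
    const [, name, from, to] = RANGE_RE.exec(selector)
    const lo = Number(from)
    const hi = Math.min(Number(to), lo + serverMax - 1)
    const tag = hi >= total - 1 ? '*' : hi
    return { [`${name};range=${lo}-${tag}`]: all.slice(lo, hi + 1) }
  }
}
```

Code that reads only the plain `member` key of a result entry will see an empty or missing attribute for large groups, because the values arrive under the ranged name.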

@jsumners closed this as completed Nov 9, 2023