<blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><br></div></blockquote>As you probably just read, Microsoft say that if I query for the "member" attribute in the case of a group with a large membership, say 9000, the domain controller (DC) will send me back two attributes: an empty "member" attribute and a 1500 item attribute named "member;range=0-1499". Apparently, that's how we're to know we need to use the range retrieval technique. Next query would be for member;range=1500-* and they send back that one empty but with a new one named member;range=1500-2999. Indicating need for yet another round.<div>
<br></div><div>Well, I did this in a python interactive session:</div><div><br></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><div><font class="Apple-style-span" face="'courier new', monospace">>>> import active_directory as ad</font></div>
</div><div><div><font class="Apple-style-span" face="'courier new', monospace">>>> gau = ad.find_group('google apps users')</font></div><div><font class="Apple-style-span" face="'courier new', monospace">>>> len(gau.member)</font></div>
<div><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">1500</span></div><div><font class="Apple-style-span" face="'courier new', monospace">>>> for p in gau.properties:</font></div>
</div><div><div><font class="Apple-style-span" face="'courier new', monospace">... print p</font></div><div><font class="Apple-style-span" face="'courier new', monospace"><br></font></div></div></blockquote>
<div><div>The resulting list of property names contained "member", but nothing like "member;range=0-1499." And "member" has 1500 items.</div><div><br></div><div>I did it in perl (needing *many* more lines :-) ) using the Net::LDAP modules and got back an empty "member" attribute and a 1500 value member;range=0-1499" attribute. So I expect AD is sending what MS says it is.</div>
<div><br></div><div>Do you suppose something in pywin32 is munging the attributes names?</div><div><br></div><div>Thanks,</div><div>Mike</div><div><br></div><br><div class="gmail_quote">On Thu, Mar 11, 2010 at 9:59 AM, Tim Golden <span dir="ltr"><<a href="mailto:mail@timgolden.me.uk">mail@timgolden.me.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On 11/03/2010 14:51, Mike Diehn wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks, Tim.<br>
<br>
I've just subscribed to the python-win32 mailing list and I'll copy this<br>
post to it.<br>
<br>
So, my task, in this instance is to retrieve the membership list of a 1650<br>
member AD security group. That means the group has a 1650 item multi-value<br>
attribute. It's refusing to send more than 1500, of course. Since this<br>
isn't about objects, page_size and size_limit don't *appear* to help.<br>
Instead, last night I was working on a technique called "range retrieval."<br>
</blockquote>
<br></div>
Ah, sorry. I didn't read closely enough. Range retrieval is a pain because<br>
you *have* to be retrieving at least as many items as you're requesting,<br>
so you can't just say "give me 1-20,000", knowing that it'll work every time.<br>
<br>
I've been struggling to find a clean way to include this in my slightly<br>
improved AD interface, but haven't found one yet :(. I must confess I<br>
didn't realise it would actually cap the retrieval if you didn't include<br>
a range. I don't think any of our groups have as many as 1500 members.<br>
<br>
Didn't know about that -* trick on the last loop, either. You live and learn.<br>
<br>
TJG<br>
_______________________________________________<br>
python-win32 mailing list<br>
<a href="mailto:python-win32@python.org" target="_blank">python-win32@python.org</a><br>
<a href="http://mail.python.org/mailman/listinfo/python-win32" target="_blank">http://mail.python.org/mailman/listinfo/python-win32</a><div><div></div><div class="h5"><br>
<br>
______________________________________________________________________<br>
This email has been scanned by the MessageLabs Email Security System.<br>
For more information please visit <a href="http://www.messagelabs.com/email" target="_blank">http://www.messagelabs.com/email</a> ______________________________________________________________________<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Mike Diehn<br>Senior Systems Administrator<br>ANSYS, Inc - Lebanon, NH Office<br><a href="mailto:mike.diehn@ansys.com">mike.diehn@ansys.com</a>, (603) 727-5492<br>
</div>