LDAPImport size limit woes

Hello again!

I have the LDAPImport extension working. Our LDAP server uses an
aggressive size limit and I have a kludge in place to deal with it.

But today I noticed that LDAPImport has an LDAPSizeLimit parameter.
However, when I turn it on like this:

Set($LDAPSizeLimit, 100);

I get the following error:

[Wed Jul 10 09:10:42 2013] [error]: LDAP search failed Critical
extension not available
(/usr/lib/perl5/vendor_perl/5.16.2/RT/Extension/LDAPImport.pm:1237)
LDAP search failed Critical extension not available

when I run /usr/bin/rtldapimport

Could it be that the value of LDAPSizeLimit that I set in
RT_SiteConfig.pm must match the server’s actual limit exactly? (I was
assuming it just had to be <= the server’s actual limit.)

Thanks in advance,
Nathan

[Wed Jul 10 09:10:42 2013] [error]: LDAP search failed Critical
extension not available
(/usr/lib/perl5/vendor_perl/5.16.2/RT/Extension/LDAPImport.pm:1237)
LDAP search failed Critical extension not available

This is an error from your LDAP server saying that it doesn’t support
paged results (i.e. the first 100, the second 100, etc).

What LDAP server are you running? The paging extension is common in
most servers using the v3 LDAP spec.

Could it be that the value of LDAPSizeLimit that I set in
RT_SiteConfig.pm must match the server’s actual limit exactly? (I was
assuming it just had to be <= the server’s actual limit.)

No, you assumed correctly. It just must be <= the actual limit.

This is an error from your LDAP server saying that it doesn’t support
paged results (i.e. the first 100, the second 100, etc).

Thanks, Thomas. That makes perfect sense, now that you’ve said it :)

What LDAP server are you running?

I don’t know. It (the server) is not under my control, so I’ll just
have to stick with the kludge I’ve been using until now.

By the way, do I understand the docs correctly that the LDAPImport
extension has no way of defining a chain of several LDAP servers,
similar to what the RT::Authen::ExternalAuth does?

Nathan

What LDAP server are you running?

I don’t know. It (the server) is not under my control, so I’ll just
have to stick with the kludge I’ve been using until now.

You might contact the admins of the server and ask if they can enable
the paging extension or something. It’s strange that it’s not
supported; it’s been around for ages.

By the way, do I understand the docs correctly that the LDAPImport
extension has no way of defining a chain of several LDAP servers,
similar to what the RT::Authen::ExternalAuth does?

Correct. You can work around this by using tricks like invoking
rtldapimport with an environment variable that you then check with code
in RT_SiteConfig.pm to dynamically determine which LDAP config to use.

Then you invoke rtldapimport one time from cron for each value of the
environment flag.
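
The workaround described in the reply above, sketched as an added example (not code from the thread or from RT::Extension::LDAPImport itself). The environment variable name RT_LDAP_SOURCE, the source names, and every host, DN and password are constructed; $LDAPMapping is assumed to be set elsewhere in the file.

```perl
# RT_SiteConfig.pm fragment. Added example: RT_LDAP_SOURCE is a hypothetical
# variable name, and every host, DN and password below is a constructed value.
my %ldap_sources = (
    staff => {
        host       => 'ldaps://ldap-staff.example.com',
        user       => 'cn=rt-import,ou=services,dc=example,dc=com',
        pass       => 'REPLACE_ME_STAFF',
        base       => 'ou=people,dc=example,dc=com',
        filter     => '(objectClass=inetOrgPerson)',
        size_limit => 100,    # assumed: this server supports RFC 2696 paging
    },
    partners => {
        host   => 'ldaps://ldap-partners.example.net',
        user   => 'cn=rt-import,ou=services,dc=example,dc=net',
        pass   => 'REPLACE_ME_PARTNERS',
        base   => 'ou=people,dc=example,dc=net',
        filter => '(objectClass=inetOrgPerson)',
        # No size_limit: assumed not to support paged results, so setting
        # LDAPSizeLimit would fail with "Critical extension not available".
    },
);

# The web server also loads this file, with the variable unset; in that case
# no LDAP import settings are applied.
if ( defined( my $source = $ENV{RT_LDAP_SOURCE} ) ) {
    # Accept only names listed above; the raw environment text is never
    # used as a host, DN or filter.
    my $cfg = $ldap_sources{$source}
        or die "RT_LDAP_SOURCE '$source' is not a configured LDAP source\n";

    Set($LDAPHost,      $cfg->{host});
    Set($LDAPUser,      $cfg->{user});
    Set($LDAPPassword,  $cfg->{pass});
    Set($LDAPBase,      $cfg->{base});
    Set($LDAPFilter,    $cfg->{filter});
    Set($LDAPSizeLimit, $cfg->{size_limit}) if defined $cfg->{size_limit};
}

# crontab entries, one run per source:
#   0 2 * * *   RT_LDAP_SOURCE=staff    /usr/bin/rtldapimport --import
#   30 2 * * *  RT_LDAP_SOURCE=partners /usr/bin/rtldapimport --import
```

Because the file holds bind passwords for every directory, it should be readable only by the account that runs RT and rtldapimport.
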

You might contact the admins of the server and ask if they can enable
the paging extension or something. It’s strange that it’s not
supported; it’s been around for ages.

Thomas: OK, I will ask them. Is this the one:

http://www.rfc-editor.org/rfc/rfc2696.txt

?

Nathan

You might contact the admins of the server and ask if they can enable
the paging extension or something. It’s strange that it’s not
supported; it’s been around for ages.

Thomas: OK, I will ask them. Is this the one:

http://www.rfc-editor.org/rfc/rfc2696.txt

?

Yep, that’s the RFC for it. I like to use the “html” version which has
slightly nicer formatting: RFC 2696: LDAP Control Extension for Simple Paged Results Manipulation