lsc-project / lsc

LSC engine
http://lsc-project.org/wiki/documentation/latest/start

LSC synchro LDAP -> AD get LDAP: error code 11 - 00002024 (ADMIN_LIMIT_EXCEEDED) #256

Open SchaffnerMi opened 9 months ago

SchaffnerMi commented 9 months ago

Hello,

I was wondering if anyone was experiencing this issue with large AD member groups.

Dec 08 09:46:31 - ERROR - Error while modifying entry CN=GG_VIE_student,ou=structures,ou=uds,ou=groups,dc=ad,dc=unistra,dc=fr in directory :javax.naming.LimitExceededException: [LDAP: error code 11 - 00002024: SvcErr: DSID-031A1217, problem 5008 (ADMIN_LIMIT_EXCEEDED), data 0

This group "GG_VIE" contains 2582 users.

In order to bypass this issue we tried several things:

1- Page Size:

1000 in lsc.xml

2- Paging:

Attribute `member`, policy `MERGE`, with this script (only the end of it survived in the post):

```javascript
1) { // If no result
    continue;
} else {
    destMemberDn = ldap.attribute(destDn, "distinguishedName")[0]
}
if (membersInDstDn.indexOf(destMemberDn) == -1) {
    membersDstDn.push(destMemberDn);
    java.lang.System.out.println("destMemberDn");
    java.lang.System.out.println(destMemberDn);
    limit = limit + 1;
    if (limit > 10) {
        break;
    }
}
}
java.lang.System.out.println("membersInDstDn");
java.lang.System.out.println(membersInDstDn);
membersDstDn;
]]>
```

For this script, it only works with small groups. For large groups it returns no value.

3- Multi valued attributes size limit (range):

```javascript
// Reads all values of a multi-valued attribute from Active Directory by
// following the "attr;range=start-end" windows the DC returns (last window
// is reported as "attr;range=start-*").
function getRangeValues(attrName) {
    var newDataset = new Array();
    var rangeStart = null;
    var rangeEnd = null;
    var rangeSize = null;
    var arrayCounter = 0;
    var tmpDataset = srcBean.getDatasetValuesById(attrName).toArray();
    if (tmpDataset.length > 0) {
        // The whole attribute fitted in one response: no range handling needed.
        rangeStart = 0
        rangeEnd = "*"
        rangeSize = 0
    } else {
        // Look for a ranged variant of the attribute, e.g. "member;range=0-1499".
        var attrList = srcBean.getDatasetsNames().toArray()
        if (attrList != null) {
            if (attrList.length > 0) {
                for (var i = 0; i < attrList.length; i++) {
                    if (attrList[i].toString().contains(attrName + ";range")) {
                        var startPos = null
                        var sepPos = null
                        startPos = attrList[i].toString().indexOf(";range=") + 7
                        sepPos = attrList[i].toString().indexOf("-", startPos)
                        rangeStart = attrList[i].toString().substring(startPos, sepPos)
                        rangeEnd = attrList[i].toString().substring(sepPos + 1)
                        rangeSize = Number(rangeEnd) - Number(rangeStart)
                        break
                    }
                }
            }
        }
    }
    if (rangeStart != null) {
        var tmpAttrName = "";
        while (rangeStart != "*") {
            if (rangeStart == "0" && rangeEnd != "*") {
                // First window is already in the source bean.
                tmpAttrName = attrName + ";range=" + rangeStart.toString() + "-" + rangeEnd.toString()
                tmpDataset = srcBean.getDatasetValuesById(tmpAttrName).toArray()
            } else if (rangeStart != "0") {
                // Following windows must be re-read from the directory.
                // (The documentation version hardcodes "member" here; attrName is used
                // so the function works for any attribute.)
                tmpAttrName = attrName + ";range=" + rangeStart.toString() + "-" + rangeEnd.toString()
                tmpDataset = srcLdap.attribute(srcBean.getMainIdentifier(), tmpAttrName).toArray()
            }
            if (rangeEnd == "*") {
                rangeStart = "*"
            }
            if (tmpDataset != null) {
                if (tmpDataset.length > 0) {
                    for (var i = 0; i < tmpDataset.length; i++) {
                        // Add attribute value processing logic here;
                        // Be sure to explicitly type the array elements to prevent conversion to an object array;
                        newDataset[arrayCounter++] = String(tmpDataset[i])
                    }
                    if (rangeEnd != "*") {
                        rangeStart = Number(rangeEnd) + 1
                        rangeEnd = Number(rangeStart) + Number(rangeSize)
                    }
                } else {
                    rangeEnd = "*"
                }
            } else {
                rangeEnd = "*"
            }
        }
    }
    return newDataset;
}
```

This script comes from the LSC documentation: https://lsc-project.org/documentation/latest/activedirectory.html

It doesn't seem to work, we haven't found why.

If anyone uses large groups in Active Directory with LSC, we would be interested to know how they handle it.

Thanks in advance for your help,
Michel
soisik commented 9 months ago

The error is sent by your Active Directory in response to the modify statement sent by LSC. This is not an LSC error; it looks like some security restriction on the AD side on the service account that is used to access your AD.

SchaffnerMi commented 9 months ago

Hello,

I agree with you that the error comes from AD, but I don't think it's a rights issue (we have no problem with small groups). The problem is that AD doesn't handle more than 1500 changes at one time when changing a multi-valued attribute. The problem seems to be addressed with the ticket #255.

We have found that adding a time limit under LDAP filters helps: <interval>60</interval>

But with very large groups we still have the problem.

coudot commented 8 months ago

Hello,

It seems that we can't do anything on the LSC side; it's a limit on Active Directory.

This article explains it: https://learn.microsoft.com/fr-fr/archive/blogs/askds/administrative-limit-for-this-request-was-exceeded-error-from-active-directory

They do not really give a solution. A workaround can be to split into different groups.
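The two Active Directory behaviours this thread runs into are range retrieval of a large multi-valued attribute (the `member;range=0-1499` windows the `getRangeValues` script above walks) and the rejection of a single modify that pushes thousands of values at once. The following is an added example, not LSC code and not from any of the posters: a plain JavaScript model of a DC answering ranged reads, a client loop that follows the windows until the `N-*` one, and a helper that splits a large add into several smaller modifies. The window size `MAX_VAL_RANGE`, the sample DNs, the group size and the batch size of 1000 are assumptions for illustration.

```javascript
// Added example (not LSC project code). Models two AD behaviours:
//  1. Range retrieval: the DC returns at most MAX_VAL_RANGE values of a
//     multi-valued attribute per read and names the window in the attribute,
//     e.g. "member;range=0-1499". The last window is reported as "member;range=3000-*".
//  2. Large writes: adding thousands of values in one modify can be rejected,
//     so the client splits the add into several modify operations.
// MAX_VAL_RANGE (AD's default of 1500) and the sample directory are assumptions.

const MAX_VAL_RANGE = 1500;

// Constructed sample: an in-memory group entry with n member DNs.
function buildSampleGroup(n) {
  const members = [];
  for (let i = 0; i < n; i++) {
    members.push(`CN=user${String(i).padStart(5, "0")},OU=people,DC=example,DC=test`);
  }
  return { dn: "CN=GG_big,OU=groups,DC=example,DC=test", member: members };
}

// Simulates the DC side of a ranged read such as "member;range=1500-*".
// Returns { "<attr>;range=<start>-<end|*>": [values...] } exactly as the DC names it.
function readRanged(entry, attrName, start, end) {
  const values = entry[attrName] || [];
  const requestedEnd = end === "*" ? values.length - 1 : end;
  // The DC never returns more than MAX_VAL_RANGE values in one response.
  const lastIdx = Math.min(requestedEnd, start + MAX_VAL_RANGE - 1, values.length - 1);
  const slice = values.slice(start, lastIdx + 1);
  const isLast = lastIdx >= values.length - 1;
  const key = `${attrName};range=${start}-${isLast ? "*" : lastIdx}`;
  return { [key]: slice };
}

// Parses "member;range=1500-2999" into { start: 1500, end: 2999 }; end is "*" for the last window.
function parseRange(attrWithRange) {
  const m = /;range=(\d+)-(\d+|\*)$/.exec(attrWithRange);
  if (!m) return null;
  return { start: Number(m[1]), end: m[2] === "*" ? "*" : Number(m[2]) };
}

// Client side: request successive windows until the DC answers with "N-*".
function fetchAllValues(entry, attrName) {
  const all = [];
  let start = 0;
  for (;;) {
    const resp = readRanged(entry, attrName, start, "*");
    const key = Object.keys(resp)[0];
    all.push(...resp[key]);
    const r = parseRange(key);
    if (r.end === "*") break; // last window reached
    start = r.end + 1;        // next window begins right after this one
  }
  return all;
}

// Splits the values of one large add into modify batches of at most batchSize each,
// so no single modify carries more values than the DC will accept.
function chunkModify(values, batchSize) {
  const batches = [];
  for (let i = 0; i < values.length; i += batchSize) {
    batches.push(values.slice(i, i + batchSize));
  }
  return batches;
}

// Stand-alone demonstration on a constructed 3500-member group.
const group = buildSampleGroup(3500);
const members = fetchAllValues(group, "member");
console.log("values read through range retrieval:", members.length);
console.log("first window key:", Object.keys(readRanged(group, "member", 0, "*"))[0]);
console.log("modify batches of 1000:", chunkModify(members, 1000).map((b) => b.length));
```

Batches of 1000 stay under the 1500-per-modify figure mentioned earlier in the thread; pick the batch size from what your DCs actually accept, and make each batch its own modify operation so a rejected batch can be retried without redoing the whole group.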