
LSC synchro LDAP -> AD get LDAP: error code 11 - 00002024 (ADMIN_LIMIT_EXCEEDED) #256

Open
SchaffnerMi opened this issue Dec 8, 2023 · 3 comments

@SchaffnerMi

SchaffnerMi commented Dec 8, 2023

Hello,

I was wondering if anyone was experiencing this issue with large AD member groups.

Dec 08 09:46:31 - ERROR - Error while modifying entry CN=GG_VIE_student,ou=structures,ou=uds,ou=groups,dc=ad,dc=unistra,dc=fr in directory :javax.naming.LimitExceededException: [LDAP: error code 11 - 00002024: SvcErr: DSID-031A1217, problem 5008 (ADMIN_LIMIT_EXCEEDED), data 0

This group "GG_VIE" contains 2582 users.

In order to bypass this issue we tried several things:

1- Page size: 1000 in lsc.xml

2- Paging:

```xml
<dataset>
    <name>member</name>
    <policy>MERGE</policy>
    <forceValues>
        <string>
            <![CDATA[rjs:
            // Members of the group in the source LDAP
            var membersSrcDn = srcBean.getDatasetValuesById("member").toArray();
            // Members already in the AD group (empty when the group does not exist yet)
            var membersInDstDn = [];
            if (typeof dstBean !== 'undefined') {
                var existing = dstBean.getDatasetValuesById("member").toArray();
                for (var j = 0; j < existing.length; j++) {
                    membersInDstDn.push(String(existing[j]));
                }
            }

            var membersDstDn = [];
            var limit = 0; // counts additions; the loop stops after 10 new members per run
            for (var i = 0; i < membersSrcDn.length; i++) {
                // Resolve the source member DN to its uid
                var memberSrcDn = String(membersSrcDn[i]);
                var uid = "";
                try {
                    uid = String(srcLdap.attribute(memberSrcDn, "uid").get(0));
                } catch (e) {
                    continue;
                }

                // Look up the matching AD account (uid is interpolated into the filter unescaped);
                // skip if there is no match or more than one
                var destDn = ldap.search("ou=uds,ou=people", "(sAMAccountName=" + uid + ")");
                if (destDn.size() != 1) {
                    continue;
                }
                var destMemberDn = String(ldap.attribute(destDn.get(0), "distinguishedName").get(0));

                if (membersInDstDn.indexOf(destMemberDn) == -1) {
                    membersDstDn.push(destMemberDn);
                    java.lang.System.out.println("destMemberDn");
                    java.lang.System.out.println(destMemberDn);

                    limit = limit + 1;
                    if (limit > 10) {
                        break;
                    }
                }
            }

            java.lang.System.out.println("membersInDstDn");
            java.lang.System.out.println(membersInDstDn);

            membersDstDn;
            ]]>
        </string>
    </forceValues>
</dataset>
```

For this script, it only works with small groups. For large groups it returns no value.

3- Multi valued attributes size limit (range):

```javascript
// Retrieve all values of a multi-valued attribute from Active Directory, which
// only returns MaxValRange values (1500 by default) per request and names the
// returned attribute "<attr>;range=<start>-<end>", with "*" as end on the last chunk.
function getRangeValues(attrName) {
    var newDataset = new Array();
    var rangeStart = null;
    var rangeEnd = null;
    var rangeSize = null;
    var arrayCounter = 0;
    var tmpDataset = srcBean.getDatasetValuesById(attrName).toArray();
    if (tmpDataset.length > 0) {
        // The plain attribute was returned: the value set is already complete
        rangeStart = 0;
        rangeEnd = "*";
        rangeSize = 0;
    } else {
        // Otherwise look for an "<attr>;range=0-N" dataset holding the first chunk
        var attrList = srcBean.getDatasetsNames().toArray();
        if (attrList != null && attrList.length > 0) {
            for (var i = 0; i < attrList.length; i++) {
                var name = String(attrList[i]);
                if (name.indexOf(attrName + ";range") != -1) {
                    var startPos = name.indexOf(";range=") + 7;
                    var sepPos = name.indexOf("-", startPos);
                    rangeStart = name.substring(startPos, sepPos);
                    rangeEnd = name.substring(sepPos + 1);
                    rangeSize = Number(rangeEnd) - Number(rangeStart);
                    break;
                }
            }
        }
    }
    if (rangeStart != null) {
        var tmpAttrName = "";
        while (rangeStart != "*") {
            if (rangeStart == "0" && rangeEnd != "*") {
                // The first chunk is already in the bean
                tmpAttrName = attrName + ";range=" + rangeStart.toString() + "-" + rangeEnd.toString();
                tmpDataset = srcBean.getDatasetValuesById(tmpAttrName).toArray();
            } else if (rangeStart != "0") {
                // Later chunks are fetched from the source directory (same attribute, next range)
                tmpAttrName = attrName + ";range=" + rangeStart.toString() + "-" + rangeEnd.toString();
                var fetched = srcLdap.attribute(srcBean.getMainIdentifier(), tmpAttrName);
                tmpDataset = (fetched == null) ? null : fetched.toArray();
            }
            if (rangeEnd == "*") {
                rangeStart = "*"; // last chunk: leave the loop after copying it
            }
            if (tmpDataset != null && tmpDataset.length > 0) {
                for (var i = 0; i < tmpDataset.length; i++) {
                    // Add attribute value processing logic here;
                    // explicitly type the array elements to prevent conversion to an object array
                    newDataset[arrayCounter++] = String(tmpDataset[i]);
                }
                if (rangeEnd != "*") {
                    // Ask for the next chunk of the same size
                    rangeStart = Number(rangeEnd) + 1;
                    rangeEnd = Number(rangeStart) + Number(rangeSize);
                }
            } else {
                // Nothing came back under that name: request the remainder as "<start>-*"
                rangeEnd = "*";
            }
        }
    }
    return newDataset;
}
```

This script comes from the LSC documentation: https://lsc-project.org/documentation/latest/activedirectory.html

It doesn't seem to work, we haven't found why.

If anyone uses large groups in Active Directory with LSC, we would be interested to know how they handle it.

Thanks in advance for your help,

Michel
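The two mechanisms this post runs into, as an added example that is not part of the original post or of the LSC project: following Active Directory's `;range=` markers to read a group's complete member list, and splitting the members still missing into several modify operations so that no single LDAP modify carries more values than the directory accepts. The in-memory directory, the group and user DNs, the 1500-value MaxValRange default and the batch size of 500 are constructed assumptions. The code is ES5 so the helpers can be reused in an rjs block, where the reads would go through srcLdap/ldap.attribute instead of the fake directory.

```javascript
// Added example, not LSC project code: read a large AD group completely via
// range retrieval, then add the missing members in several small modifies.
// An in-memory directory stands in for AD so the logic runs offline.

var MAX_VAL_RANGE = 1500;   // assumed AD default for values returned per request
var GROUP_DN = "CN=GG_VIE_student,OU=groups,DC=example,DC=org"; // hypothetical DN

// Constructed stand-in for AD: {dn: [member DNs]} with `count` members in the group.
function buildSampleDirectory(count) {
  var dir = {};
  dir[GROUP_DN] = [];
  for (var n = 0; n < count; n++) {
    dir[GROUP_DN].push("CN=user" + n + ",OU=people,DC=example,DC=org");
  }
  return dir;
}

// "member;range=1500-2999" -> {base:"member", start:1500, end:2999};
// "member;range=1500-*"    -> end "*"; plain "member" -> start 0, end null.
function parseRangeSpec(attrSpec) {
  var m = /^([^;]+);range=(\d+)-(\d+|\*)$/.exec(attrSpec);
  if (!m) { return { base: attrSpec, start: 0, end: null }; }
  return { base: m[1], start: Number(m[2]), end: m[3] === "*" ? "*" : Number(m[3]) };
}

// Emulates AD: at most MAX_VAL_RANGE values per answer, and the answer is
// named "<attr>;range=<start>-<end>" with "*" as end on the final chunk.
// Returns {name, values} or null when start is past the last value.
function readRanged(directory, dn, attrSpec) {
  var spec = parseRangeSpec(attrSpec);
  var all = directory[dn] || [];
  if (spec.start >= all.length) { return null; }
  var wanted = (spec.end === null || spec.end === "*") ? all.length - 1 : spec.end;
  var end = Math.min(wanted, spec.start + MAX_VAL_RANGE - 1, all.length - 1);
  var isLast = end >= all.length - 1;
  var name = spec.base + ";range=" + spec.start + "-" + (isLast ? "*" : end);
  if (spec.end === null && isLast) { name = spec.base; } // small attribute comes back unranged
  return { name: name, values: all.slice(spec.start, end + 1) };
}

// Follows the range markers until a chunk ends in "*". Asking for "<start>-*"
// each time lets AD pick the chunk size, so no chunk-boundary arithmetic is needed.
function readAllValues(directory, dn, attrName) {
  var values = [];
  var spec = attrName;
  for (;;) {
    var res = readRanged(directory, dn, spec);
    if (res === null) { break; }
    for (var i = 0; i < res.values.length; i++) { values.push(String(res.values[i])); }
    var got = parseRangeSpec(res.name);
    if (got.end === null || got.end === "*") { break; }
    spec = attrName + ";range=" + (got.end + 1) + "-*";
  }
  return values;
}

// AD matches DNs case-insensitively; compare on a normalised form.
function normalizeDn(dn) {
  return String(dn).toLowerCase().replace(/\s*,\s*/g, ",");
}

// Members in the source but not in the destination, cut into batches of at
// most batchSize values so each modify stays below the directory's limit.
function planAdditions(srcMembers, dstMembers, batchSize) {
  var have = {};
  for (var i = 0; i < dstMembers.length; i++) { have[normalizeDn(dstMembers[i])] = true; }
  var missing = [];
  for (var j = 0; j < srcMembers.length; j++) {
    var key = normalizeDn(srcMembers[j]);
    if (!have[key]) { have[key] = true; missing.push(String(srcMembers[j])); }
  }
  var batches = [];
  for (var k = 0; k < missing.length; k += batchSize) { batches.push(missing.slice(k, k + batchSize)); }
  return batches;
}

// One sync pass. modifyAdd(dn, attr, values) is supplied by the caller, so the
// same planning code can drive a real LDAP client; here it writes to the fake.
function syncGroup(directory, groupDn, srcMembers, batchSize, modifyAdd) {
  var current = readAllValues(directory, groupDn, "member");
  var batches = planAdditions(srcMembers, current, batchSize);
  for (var i = 0; i < batches.length; i++) { modifyAdd(groupDn, "member", batches[i]); }
  return batches.length;
}

// Demo: the source has 3100 members, AD holds the first 2582 (as in the issue);
// the 518 missing ones go out as modifies of 500 and 18 values (batch size assumed).
function demo() {
  var dir = buildSampleDirectory(2582);
  var src = [];
  for (var n = 0; n < 3100; n++) { src.push("cn=User" + n + ",ou=people,dc=example,dc=org"); }
  var sizes = [];
  var modifies = syncGroup(dir, GROUP_DN, src, 500, function (dn, attr, vals) {
    sizes.push(vals.length);
    Array.prototype.push.apply(dir[dn], vals);
  });
  return { modifies: modifies, sizes: sizes, total: readAllValues(dir, GROUP_DN, "member").length };
}
```

Inside a single LSC run there is only one modify per entry and dataset, so the batching step has no direct equivalent there; the closest thing is what the script above does, capping the additions per run and letting the scheduler (`<interval>`) issue the remaining batches on later runs. Reading the destination group with range retrieval matters either way: if LSC only sees the first 1500 members, a MERGE recomputes all the others as additions and the modify grows well past what the directory accepts.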

@soisik
Contributor

soisik commented Dec 11, 2023

The error is sent by your Active Directory in response to the modify statement sent by LSC. This is not an LSC error; it looks like some security restrictions on the AD side on the service account that is used to access your AD.

@SchaffnerMi
Author

SchaffnerMi commented Dec 12, 2023

Hello,

I agree with you that the error comes from AD, but I don't think it's a rights issue (we have no problem with small groups).
The problem is that AD doesn't handle more than 1500 changes at one time when changing a multi-valued attribute.
The problem seems to be addressed with the ticket #255.

We have found that adding a time limit under LDAP filters helps:
<interval>60</interval>

But with very large groups we still have the problem.

@coudot
Member

coudot commented Jan 26, 2024

Hello,

It seems that we can't do anything on the LSC side; it's a limit on Active Directory.

This article explains it: https://learn.microsoft.com/fr-fr/archive/blogs/askds/administrative-limit-for-this-request-was-exceeded-error-from-active-directory

They do not really give a solution. A workaround can be to split into different groups.
