CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 baccord35, 2008-02-06
1500 user limit on LDAP

Query re. Smart Directory - AD integration... working system with AU and LDAP group defined correctly, BUT if the AD 'container' (CN=test-users) contains >1500 users it comes up empty and users are rejected... with 1499 it is fine! Any ideas why?
#2 chillyjim, 2008-02-06

It is because by default a single AD query can only return 1500 entries (including the base entry).
There is an AD mod to adjust this.
#3 baccord35, 2008-02-07

"LDAP directory servers can impose a limit on the size of results that are allowed to be returned from a query. The AD LDAP implementation has a default limit of 1500 users. Importing an LDAP directory with more users than the imposed limit will cause the import to fail. To increase the number of results returned by a query amend the "MaxPageSize" value within the ldap policy on the directory server to a value >1500 to allow a greater number of users to be imported at once."
Thanks. (This was news to our AD administrator...)
#4 chillyjim, 2008-02-07

Quote (originally posted by baccord35):
    (this was news to our AD administrator.....)
He shouldn't feel bad, it's news to a lot of folks. Not something you run into every day.
#5 baccord35, 2008-02-14

Our AD guys (WinSrv2003) are disputing Check Point's own explanation:
there are limits on server resources available to clients requesting LDAP queries; query policy is stored as a multi-value attribute (LDAPAdminLimits) configurable at server level; the default MaxValRange is (funnily enough) 1500, whereas if the MaxPageSize (default value 1000, NOT 1500) is the issue then the client can/should ask for paged results, which are supported by the AD default query policy. They don't want to dramatically increase the MaxValRange, suggesting CP use paged results; we suspect CP doesn't do paged results. We have tried to confirm with CP, but having initially given us a confident answer, now they are not talking to us... maybe trying to remember how their product works?
Anyone else have experience in this specialised area?
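As an added example (not from this thread, and not Check Point's or Microsoft's code), the following Python models the MaxValRange side of what post #5 describes: AD serves a multi-valued attribute larger than MaxValRange in chunks named `member;range=lo-hi`, so a client that only looks for an attribute literally called `member` sees an empty group, which matches the "comes up empty" symptom in post #1. The in-memory server, MaxValRange=1500 and the group DNs are assumptions/constructed; MaxPageSize and the paged-results control are not modelled.

```python
import re

MAX_VAL_RANGE = 1500  # AD default cited in post #5 (LDAPAdminLimits policy), assumed here

# Matches the ranged attribute names AD uses, e.g. "member;range=0-1499".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


def ad_read_attribute(values, requested):
    """Server-side model (constructed): answer a request for "attr" or
    "attr;range=lo-hi" from a group entry whose multi-valued attribute holds `values`."""
    m = RANGE_RE.match(requested)
    attr, lo = (m["attr"], int(m["lo"])) if m else (requested, 0)
    if m is None and len(values) <= MAX_VAL_RANGE:
        return {attr: list(values)}  # fits in one answer: plain attribute name
    chunk = values[lo:lo + MAX_VAL_RANGE]
    # The last chunk is labelled "lo-*"; otherwise the range actually served is reported.
    hi = "*" if lo + len(chunk) >= len(values) else str(lo + len(chunk) - 1)
    return {f"{attr};range={lo}-{hi}": list(chunk)}


def naive_members(group_values):
    """Client that only looks for an attribute literally named "member".
    Above MaxValRange the server answers "member;range=0-1499" instead, so
    this client sees an empty group: the symptom described in post #1."""
    return ad_read_attribute(group_values, "member").get("member", [])


def range_aware_members(group_values):
    """Client that follows range retrieval until the "-*" chunk arrives."""
    members, lo = [], 0
    while True:
        resp = ad_read_attribute(group_values, f"member;range={lo}-*")
        (label, chunk), = resp.items()
        members.extend(chunk)
        if label.endswith("-*"):
            return members
        lo = int(RANGE_RE.match(label)["hi"]) + 1


def demo(n_users):
    """Constructed group of n_users DNs; returns (naive count, range-aware count)."""
    group = [f"CN=user{i:04d},CN=test-users,DC=example,DC=test" for i in range(n_users)]
    return len(naive_members(group)), len(range_aware_members(group))


if __name__ == "__main__":
    print("1499 members:", demo(1499))  # (1499, 1499)
    print("1501 members:", demo(1501))  # (0, 1501)
```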
#6 chillyjim, 2008-02-14

You are not going to get an answer like that out of normal support channels. Your Check Point SE may be able to help, but with a valid solution that came from MS, I really doubt you will get a code change.
#7 baccord35, 2008-02-15

We had exactly that conversation, so we're testing scripts to break down the too-large group into multiple smaller ones, re-define an AU to point only to one branch, and tick the option to allow all users in the branch rather than use an individual LDAP group (we would now need multiple such groups). Which is all doable but a bit of a pain...