
LDAP: Sizelimit Exceeded Error

I am trying to set up a login that will utilize our network's Active Directory to validate users. We are using ColdFusion MX, Exchange 2003 and Windows 2000 Server. Unfortunately, I can't seem to get my LDAP query to work. The error I keep receiving is:

CFLDAP

Sizelimit Exceeded

Below is the code I'm using:

<CFLDAP
ACTION="query"
NAME="Results"
START="cn=users, dc=serverName1, dc=serverName2, dc=serverDomain"
SCOPE="subtree"
ATTRIBUTES="cn, o, st, c, sn"
SERVER="myServer"
PORT="389"
SORT="asc"
USERNAME="myUsername"
PASSWORD="myPassword"
>

Any ideas as to what the problem could be? I suspect it's not with my code, but I don't know what else it could be. Any help would be greatly appreciated.

Thanks,
--Anne
1 Solution
 
tim_csCommented:
 
Tacobell777Commented:
Hi,

You are saying you are using cfldap to authenticate users, I'm just wondering where you get the username from to authenticate them?
If you get this by disabling anonymous access and have "Integrated Windows Authentication" ticked, then you should read:
http://www.tacofleur.com/index/blog/archive/2004/02/?022043

Basically there is no need to authenticate the user against LDAP, this is already done for you in the background.
 
Goddess6942Author Commented:
That is of course assuming I only want domain users to access secured portions of the web site, which isn't the case. I need to be able to authenticate individuals who may be using their home computers or off-site machines as well.

--Anne
 
Goddess6942Author Commented:
That actually brings up another question; some of the research I have done has led me to believe that if I want to create a login that utilizes our Active Directory, I should create an LDAP query and authenticate against it. Is that correct? When I was using version 5, I of course used Advanced Security with SiteMinder services to do this, and since MX no longer uses SiteMinder services this is all completely new to me.

Thanks,
--Anne
 
mrichmonCommented:
There is a need to use LDAP to authenticate a user if their login name doesn't necessarily match their username, or if you have users in mixed operating system environments.

For example, we have users that may log in from home machines, like Anne, and in that case they may all have the same username (Administrator). Also we have another authentication system that authenticates a huge pool of users and we only want to authorize a subset into our application. We cannot control who gets authenticated, so we look them up in LDAP to determine whether they should be authorized to access our applications.
 
Goddess6942Author Commented:
Thanks, mrichmon.  Glad to know I'm on the right track.

--Anne
 
Tacobell777Commented:
All I'm saying is that CFLDAP is not made to do authentication, but to retrieve information from the directory.
 
Goddess6942Author Commented:
Are there any alternatives to performing authentication against Active Directory aside from using LDAP? From what I've seen, this seems to be the only practical way.

--Anne
 
mrichmonCommented:
TacoBell's integrated windows login should allow this.

Then you would just have to require that when users connected from home they need to join the domain either through a VPN or by joining the machine to the domain (if you allow that).
 
Goddess6942Author Commented:
Considering the kinds of users we have, it may be best not to make them think any more than they have to.

--Anne
 
Tacobell777Commented:
What does that last statement mean?
Using integrated authentication should not make them think at all, unless they are not in the domain...
 
Goddess6942Author Commented:
But I do have users that will not be in the domain; those are the ones I speak of.
 
mrichmonCommented:
That is where using VPN or forcing them to join the domain comes in...
 
Goddess6942Author Commented:
What is VPN? I don't think I've heard of it, and if I have, it's been a while.
 
mrichmonCommented:
VPN is Virtual Private Network. It allows you to create a sort of tunnel so that a machine looks like it is a machine on your network instead of looking like a foreign machine such as a home machine.
 
Goddess6942Author Commented:
That sounds like it would take a lot more effort on the part of the user in the beginning as opposed to just simply entering their username and password.
 
mrichmonCommented:
Well it takes a whole lot more effort to set up, but once you have it set up for them it is just a matter of clicking an icon on their computer to run the VPN.
 
Goddess6942Author Commented:
I think for our purposes that may be a bit too impractical.
 
mrichmonCommented:
Possibly - it was just a suggestion :o)
 
Goddess6942Author Commented:
I definitely welcome suggestions :) I have a question about the LDAP route, however. You mentioned that you have some applications where you look individuals up in the LDAP to check if they should be authorized. When you do that, I'm assuming you just check their username and make sure there is a match. How do you handle ensuring the password is correct?
 
mrichmonCommented:
I don't use LDAP for that, at least not currently. Remember that I also mentioned that we have a separate system that does the authentication (authentication being "username/password is correct" vs. authorization being "what you have access to depending on your permissions, etc.").

So for example, the authentication says that your username and password match so I know you are who you say you are (this right now is not done with LDAP since the password is not stored in LDAP - this is where our separate authentication comes into play).

At this point I know you are who you say you are - but I don't know who that is (does this make sense?)

My authorization takes your username that you provided when you authenticated and then uses LDAP to look up information about that username. So if my username was lkjsfasf3536, I can look that up in LDAP and see that you are John Smith of the XXXX department and whatever other info I have stored in the LDAP record.

It is possible that John Smith doesn't have access to the application he is trying to get to (i.e. not authorized), but he is authenticated and may have access (authorization) to a different application.

So the authentication and authorization are two separate things in this case....

In fact the username/password for the authentication is in a completely separate place.

Does that help at all?
 
Goddess6942Author Commented:
Yes, that does help. With that being the case, is there any way to set up a system that checks either Active Directory or the domain to make sure that a submitted network username and password are correct?
 
mrichmonCommented:
That I am not sure of.
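The split mrichmon describes (authenticate first, then use the directory only to decide what the identity may do) and Anne's follow-up question (can a submitted network username and password be checked against Active Directory?) can be handled in one CFML page by binding to the directory as the submitted user: AD accepts the bind only if the password is right, and CFLDAP throws when it is refused. This is an added example for this page, not code posted by tim_cs, Tacobell777, mrichmon or the asker, and not the accepted fix (which does not appear on the page). The domain example.local, the controller dc01.example.local, the form fields, the group DN and the ldapFilterEscape helper are placeholders and assumptions. The filtered, row-capped query also shows why the unfiltered subtree query in the question hit the server's size limit: with no FILTER, CFLDAP asks for every object under START.

```cfml
<!--- Added example, not code posted in this thread. Placeholders:
      AD domain example.local, domain controller dc01.example.local,
      login form fields form.username / form.password,
      application group CN=WebAppUsers,OU=Groups,DC=example,DC=local --->

<!--- Escape the characters that carry meaning in an LDAP search filter
      (RFC 4515) so a submitted username cannot rewrite the filter. --->
<cffunction name="ldapFilterEscape" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <cfset var out = arguments.value>
    <cfset out = Replace(out, "\", "\5c", "all")>   <!--- backslash first --->
    <cfset out = Replace(out, "*", "\2a", "all")>
    <cfset out = Replace(out, "(", "\28", "all")>
    <cfset out = Replace(out, ")", "\29", "all")>
    <cfset out = Replace(out, Chr(0), "\00", "all")>
    <cfreturn out>
</cffunction>

<cfset authenticated = false>
<cfset authorized = false>

<!--- Step 1 - authentication: bind to the directory AS the submitted user.
      An empty password is rejected before binding: LDAP treats a bind with
      a name and no password as an unauthenticated (anonymous) bind, which
      can succeed and would otherwise look like a valid login. --->
<cfif Len(form.username) EQ 0 OR Len(form.password) EQ 0>
    <cfset authenticated = false>
<cfelse>
    <cftry>
        <!--- The filter narrows the search to the one matching account, so
              the result never approaches the server's size limit (the error
              in the question comes from an unfiltered subtree query that
              returns every object under START; AD's default limit is 1000).
              SEPARATOR is "|" because the default comma would split the DNs
              inside the multi-valued memberOf attribute. --->
        <cfldap action="query"
                name="userRecord"
                server="dc01.example.local"
                port="389"
                username="#form.username#@example.local"
                password="#form.password#"
                start="dc=example,dc=local"
                scope="subtree"
                filter="(&(objectClass=user)(sAMAccountName=#ldapFilterEscape(form.username)#))"
                attributes="cn,sAMAccountName,memberOf,department"
                separator="|"
                maxrows="1">
        <!--- Reaching this line means AD accepted the password. --->
        <cfset authenticated = (userRecord.recordCount EQ 1)>
        <cfcatch type="any">
            <!--- Wrong password, disabled or locked account, or an
                  unreachable DC all land here. Log the detail server-side
                  and show the user only a generic failure. --->
            <cflog file="login" type="warning"
                   text="LDAP bind failed for #form.username#: #cfcatch.message#">
            <cfset authenticated = false>
        </cfcatch>
    </cftry>
</cfif>

<!--- Step 2 - authorization: decide what this identity may do from the
      directory record, never from anything the user typed. memberOf lists
      direct group memberships only. --->
<cfif authenticated>
    <cfset appGroupDN = "CN=WebAppUsers,OU=Groups,DC=example,DC=local">
    <cfset authorized = ListFindNoCase(userRecord.memberOf, appGroupDN, "|") GT 0>
</cfif>

<cfif authorized>
    <cfset session.user = StructNew()>
    <cfset session.user.name = userRecord.cn>
    <cfset session.user.login = userRecord.sAMAccountName>
    <cfset session.user.department = userRecord.department>
<cfelse>
    <!--- Same message whether the password was wrong or the account simply
          is not in the group, so the response does not reveal which. --->
    <cfoutput><p>Login failed.</p></cfoutput>
</cfif>
```

Port 389 carries the bind password in clear text on the wire; for a production deployment the same tag works over LDAPS with port="636" and secure="CFSSL_BASIC" once the DC's certificate is trusted by the ColdFusion JVM.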
 
Goddess6942Author Commented:
Well tim_cs answered my initial question with the LDAP issue and that is now working great.  However, I've decided to not use LDAP to do what I was initially planning because I found a wonderful custom tag called CFX_Users. It does everything and more that I needed. So I'm now totally set.  Thank you all for your help.

--Anne
 
mrichmonCommented:
No problem. I thought the points should go to tim too, since he did answer the question and the rest was us just commenting on a tangent. :o)
 
Goddess6942Author Commented:
Yeah, I debated a bit about whether or not to split the points, but figured it would only be fair to give them to the person who answered the initial question. Although, now that I think about it, I probably should have given you a few for prompting me to find CFX_Users.

--Anne
 
mrichmonCommented:
Not a problem. I'm not here for the points, but to help others.

But just so you know if you do ever feel like someone deserves points there is the "Points For" option as described here:
http://www.experts-exchange.com/Web/WebDevSoftware/ColdFusion/help.jsp#hi76

(since some people ARE only helping for the points)