Solved

LDAP: Sizelimit Exceeded Error

Posted on 2004-04-27
753 Views
Last Modified: 2013-12-24
I am trying to set up a login that will utilize our network's Active Directory to validate users.  We are using Coldfusion MX, Exchange 2003 and Windows 2000 Server. Unfortunately, I can't seem to get my LDAP query to work.  The error I keep receiving is:

CFLDAP

Sizelimit Exceeded

Below is the code I'm using:

<CFLDAP
ACTION="query"
NAME="Results"
START="cn=users, dc=serverName1, dc=serverName2, dc=serverDomain"
SCOPE="subtree"
ATTRIBUTES="cn, o, st, c, sn"
SERVER="myServer"
PORT="389"
SORT="asc"
USERNAME="myUsername"
PASSWORD="myPassword"
>

Any ideas as to what the problem could be?  I suspect it's not with my code but I don't know what else it could be.  Any help would be greatly appreciated.

Thanks,
--Anne
Question by:Goddess6942

27 Comments

LVL 15

Accepted Solution

by:tim_cs earned 500 total points
LVL 17

Expert Comment

by:Tacobell777
Hi,

You are saying you are using cfldap to authenticate users, I'm just wondering where you get the username from to authenticate them?
If you get this by disabling anonymous access and have "Integrated Windows Authentication" ticked, then you should read:
http://www.tacofleur.com/index/blog/archive/2004/02/?022043

Basically there is no need to authenticate the user against LDAP, this is already done for you in the background.
Author Comment

by:Goddess6942
That is of course assuming I only want domain users to access secured portions of the web site which isn't the case.  I need to be able to authenticate individuals who may be using their home computers or off site machines as well.

--Anne
Author Comment

by:Goddess6942
That actually brings up another question; some of the research I have done has led me to believe that if I want to create a login that utilizes our Active Directory I should create an LDAP query and authenticate against it.  Is that correct?  When I was using version 5, I of course used Advanced Security with Siteminder services to do this and since MX no longer uses Siteminder services this is all completely new to me.

Thanks,
--Anne
LVL 35

Expert Comment

by:mrichmon
There is a need to use LDAP to authenticate a user if their login name doesn't necessarily match their username - or if you have users in mixed operating system environments.

For example, we have users that may log in from home machines, like Anne, and in that case they may all have the same username (Administrator).  Also we have another authentication system that authenticates a huge pool of users and we only want to authorize a subset into our application.  We cannot control who gets authenticated so we look them up in LDAP to determine whether they should be authorized to access our applications.
Author Comment

by:Goddess6942
Thanks, mrichmon.  Glad to know I'm on the right track.

--Anne
LVL 17

Expert Comment

by:Tacobell777
All I'm saying is that CFLDAP is not made to do authentication, but to retrieve information from the directory.
Author Comment

by:Goddess6942
Are there any alternatives to performing authentication against Active Directory aside from using LDAP?  From what I've seen, this seems to be the only practical way.

--Anne
LVL 35

Expert Comment

by:mrichmon
TacoBell's integrated windows login should allow this.

Then you would just have to require that when users connected from home they need to join the domain either through a VPN or by joining the machine to the domain (if you allow that).
Author Comment

by:Goddess6942
Considering the kinds of users we have, it may be best not to make them think any more than they have to.

--Anne
LVL 17

Expert Comment

by:Tacobell777
What does that last statement mean?
Using integrated authentication should not make them think at all, unless they are not in the domain...
Author Comment

by:Goddess6942
But I do have users that will not be in the domain, those are the ones I speak of.
LVL 35

Expert Comment

by:mrichmon
That is where using VPN or forcing them to join the domain comes in...
Author Comment

by:Goddess6942
What is VPN?  I don't think I've heard of it and if I have it's been awhile.
LVL 35

Expert Comment

by:mrichmon
VPN is Virtual Private Network.  It allows you to create a sort of tunnel so that a machine looks like it is a machine on your network instead of looking like a foreign machine such as a home machine.
Author Comment

by:Goddess6942
That sounds like it would take a lot more effort on the part of the user in the beginning as opposed to just simply entering their username and password.
LVL 35

Expert Comment

by:mrichmon
Well it takes a whole lot more effort to set up, but once you have it set up for them it is just a matter of clicking an icon on their computer to run the VPN.
Author Comment

by:Goddess6942
I think for our purposes that may be a bit too impractical.
LVL 35

Expert Comment

by:mrichmon
Possibly - it was just a suggestion :o)
Author Comment

by:Goddess6942
I definitely welcome suggestions :)  I have a question about the LDAP route, however. You mentioned that you have some applications where you look individuals up in the LDAP to check if they should be authorized. When you do that, I'm assuming you just check their username and make sure there is a match.  How do you handle ensuring the password is correct?
LVL 35

Expert Comment

by:mrichmon
I don't use LDAP for that - at least not currently.  Remember that I also mentioned that we have a separate system that does the authentication (authentication being username/password is correct vs authorization what you have access to depending on your permissions etc).

So for example, the authentication says that your username and password match so I know you are who you say you are (this right now is not done with LDAP since the password is not stored in LDAP - this is where our separate authentication comes into play).

At this point I know you are who you say you are - but I don't know who that is (does this make sense?)

My authorization takes your username that you provided when you authenticated and then uses LDAP to look up information about that username.  So if my username was lkjsfasf3536 I can look that up in LDAP and see that you are John Smith of the XXXX department and whatever other info I have stored in the LDAP record.

It is possible that John Smith doesn't have access to the application he is trying to get to (i.e. not authorized), but he is authenticated and may have access (authorization) to a different application.

So the authentication and authorization are two separate things in this case....

In fact the username/password for the authentication is in a completely separate place.

Does that help at all?
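The separation mrichmon describes, as an added example that is not code from this thread (Python in place of ColdFusion): the submitted login name goes into an escaped, single-account filter, so the search never has to list the whole cn=users subtree the way the unfiltered query in the question does (which is what typically trips a server size limit); the password is checked by binding as that account, since the directory does not hand out passwords; and authorization is a separate group check. FakeDirectory, SAMPLE_DIRECTORY and the example DNs are constructed stand-ins for the real AD server.

```python
import re

# RFC 4515: these characters must be escaped before user input enters a filter,
# otherwise a login name such as "*" turns a one-account lookup into a directory dump.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str) -> str:
    """Select exactly one AD account by logon name instead of listing the whole subtree."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"

def check_login(directory, username: str, password: str, required_group: str) -> bool:
    """Authentication (bind as the user) first, then authorization (group membership)."""
    # size_limit=2 keeps the request bounded; a second hit means ambiguity, not a match.
    entries = directory.search(build_user_filter(username), size_limit=2)
    if len(entries) != 1:
        return False
    # AD answers a bind with an empty password as a successful anonymous bind: reject it first.
    if not password or not directory.bind(entries[0]["dn"], password):
        return False
    return required_group.lower() in (g.lower() for g in entries[0].get("memberOf", []))

class FakeDirectory:
    """Constructed in-memory stand-in for the AD server; only understands build_user_filter's shape."""
    _SHAPE = re.compile(r"\(&\(objectClass=user\)\(sAMAccountName=(.*)\)\)")

    def __init__(self, entries):
        self._entries = entries  # {dn: attrs}; "_password" exists only so the fake can answer bind()

    def search(self, ldap_filter: str, size_limit: int):
        match = self._SHAPE.fullmatch(ldap_filter)
        # A real server decodes \2a etc. before comparing; comparing escaped forms is equivalent here.
        hits = [dict(attrs, dn=dn) for dn, attrs in self._entries.items()
                if match and escape_filter_value(attrs["sAMAccountName"]) == match.group(1)]
        return hits[:size_limit]

    def bind(self, dn: str, password: str) -> bool:
        return dn in self._entries and self._entries[dn]["_password"] == password

# Constructed sample accounts (hypothetical DNs, not from the thread).
WEB_USERS = "CN=WebUsers,CN=Users,DC=example,DC=test"
SAMPLE_DIRECTORY = FakeDirectory({
    "CN=Anne,CN=Users,DC=example,DC=test": {"sAMAccountName": "anne", "memberOf": [WEB_USERS], "_password": "s3cret"},
    "CN=Bob,CN=Users,DC=example,DC=test": {"sAMAccountName": "bob", "memberOf": [], "_password": "hunter2"},
})
```

With the sample data, anne with the right password and the WebUsers group passes, bob authenticates but is not authorized, and a login name of "*" matches nobody because the wildcard is escaped.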
Author Comment

by:Goddess6942
Yes, that does help.  With that being the case, is there anyway to set up a system that checks either Active Directory or the domain to make sure that a submitted network username and password are correct?
LVL 35

Expert Comment

by:mrichmon
That I am not sure of
Author Comment

by:Goddess6942
Well tim_cs answered my initial question with the LDAP issue and that is now working great.  However, I've decided to not use LDAP to do what I was initially planning because I found a wonderful custom tag called CFX_Users. It does everything and more that I needed. So I'm now totally set.  Thank you all for your help.

--Anne
LVL 35

Expert Comment

by:mrichmon
No problem.  I thought the points should go to tim too since he did answer the question and the rest was us just commenting on a tangent.  :o)
Author Comment

by:Goddess6942
Yeah, I debated a bit about whether or not to split the points but figured it would only be fair to give them to the person who answered the initial question.  Although, now that I think about it, I probably should have given you a few for prompting me to find CFX_users.

--Anne
LVL 35

Expert Comment

by:mrichmon
Not a problem - I'm not here for the points, but to help others.

But just so you know if you do ever feel like someone deserves points there is the "Points For" option as described here:
http://www.experts-exchange.com/Web/WebDevSoftware/ColdFusion/help.jsp#hi76

(since some people ARE only helping for the points)