LDAP: Sizelimit Exceeded Error

Posted on 2004-04-27
Last Modified: 2013-12-24
I am trying to set up a login that will utilize our network's Active Directory to validate users.  We are using ColdFusion MX, Exchange 2003 and Windows 2000 Server. Unfortunately, I can't seem to get my LDAP query to work.  The error I keep receiving is:

CFLDAP

Sizelimit Exceeded

Below is the code I'm using:

<CFLDAP
ACTION="query"
NAME="Results"
START="cn=users, dc=serverName1, dc=serverName2, dc=serverDomain"
SCOPE="subtree"
ATTRIBUTES="cn, o, st, c, sn"
SERVER="myServer"
PORT="389"
SORT="asc"
USERNAME="myUsername"
PASSWORD="myPassword"
>

Any ideas as to what the problem could be?  I suspect it's not with my code but I don't know what else it could be.  Any help would be greatly appreciated.

Thanks,
--Anne
Question by:Goddess6942

Accepted Solution

by:
tim_cs earned 500 total points
ID: 10931707

Expert Comment

by:Tacobell777
ID: 10935555
Hi,

You are saying you are using cfldap to authenticate users, I'm just wondering where you get the username from to authenticate them?
If you get this by disabling anonymous access and have "Integrated Windows Authentication" ticked, then you should read:
http://www.tacofleur.com/index/blog/archive/2004/02/?022043

Basically there is no need to authenticate the user against LDAP, this is already done for you in the background.

Author Comment

by:Goddess6942
ID: 10938181
That is of course assuming I only want domain users to access secured portions of the web site which isn't the case.  I need to be able to authenticate individuals who may be using their home computers or off site machines as well.

--Anne

Author Comment

by:Goddess6942
ID: 10938593
That actually brings up another question; some of the research I have done has led me to believe that if I want to create a login that utilizes our Active Directory I should create an LDAP query and authenticate against it.  Is that correct?  When I was using version 5, I of course used Advanced Security with Siteminder services to do this and since MX no longer uses Siteminder services this is all completely new to me.

Thanks,
--Anne

Expert Comment

by:mrichmon
ID: 10940125
There is a need to use LDAP to authenticate a user if their login name doesn't necessarily match their username - or if you have users in mixed operating system environments.

For example, we have users that may log in from home machines, like Anne, and in that case they may all have the same username (Administrator).  Also we have another authentication system that authenticates a huge pool of users and we only want to authorize a subset into our application.  We cannot control who gets authenticated so we look them up in LDAP to determine whether they should be authorized to access our applications.

Author Comment

by:Goddess6942
ID: 10940214
Thanks, mrichmon.  Glad to know I'm on the right track.

--Anne

Expert Comment

by:Tacobell777
ID: 10943440
All I'm saying is that CFLDAP is not made to do authentication, but to retrieve information from the directory.

Author Comment

by:Goddess6942
ID: 10943538
Are there any alternatives to performing authentication against Active Directory aside from using LDAP?  From what I've seen, this seems to be the only practical way.

--Anne

Expert Comment

by:mrichmon
ID: 10943633
TacoBell's integrated windows login should allow this.

Then you would just have to require that when users connected from home they need to join the domain either through a VPN or by joining the machine to the domain (if you allow that).

Author Comment

by:Goddess6942
ID: 10943648
Considering the kinds of users we have, it may be best not to make them think any more than they have to.

--Anne

Expert Comment

by:Tacobell777
ID: 10946618
What does that last statement mean?
Using integrated authentication should not make them think at all, unless they are not in the domain...

Author Comment

by:Goddess6942
ID: 10948677
But I do have users that will not be in the domain; those are the ones I speak of.

Expert Comment

by:mrichmon
ID: 10950445
That is where using VPN or forcing them to join the domain comes in...

Author Comment

by:Goddess6942
ID: 10950674
What is VPN?  I don't think I've heard of it and if I have it's been awhile.

Expert Comment

by:mrichmon
ID: 10950715
VPN is Virtual Private Network.  It allows you to create a sort of tunnel so that a machine looks like it is a machine on your network instead of looking like a foreign machine such as a home machine.

Author Comment

by:Goddess6942
ID: 10950801
That sounds like it would take a lot more effort on the part of the user in the beginning as opposed to just simply entering their username and password.

Expert Comment

by:mrichmon
ID: 10950842
Well it takes a whole lot more effort to set up, but once you have it set up for them it is just a matter of clicking an icon on their computer to run the VPN.

Author Comment

by:Goddess6942
ID: 10950951
I think for our purposes that may be a bit too impractical.

Expert Comment

by:mrichmon
ID: 10950974
Possibly - it was just a suggestion :o)

Author Comment

by:Goddess6942
ID: 10951057
I definitely welcome suggestions :)  I have a question about the LDAP route, however. You mentioned that you have some applications where you look individuals up in the LDAP to check if they should be authorized. When you do that, I'm assuming you just check their username and make sure there is a match.  How do you handle ensuring the password is correct?

Expert Comment

by:mrichmon
ID: 10951134
I don't use LDAP for that - at least not currently.  Remember that I also mentioned that we have a separate system that does the authentication (authentication being username/password is correct vs authorization what you have access to depending on your permissions etc).

So for example, the authentication says that your username and password match so I know you are who you say you are (this right now is not done with LDAP since the password is not stored in LDAP - this is where our separate authentication comes into play).

At this point I know you are who you say you are - but I don't know who that is (does this make sense?)

My authorization takes your username that you provided when you authenticated and then uses LDAP to look up information about that username.  So if my username was lkjsfasf3536 I can look that up in LDAP and see that you are John Smith of the XXXX department and whatever other info I have stored in the LDAP record.

It is possible that John Smith doesn't have access to the application he is trying to get to (i.e. not authorized), but he is authenticated and may have access (authorization) to a different application.

So the authentication and authorization are two separate things in this case....

In fact the username/password for the authentication is in a completely separate place.

Does that help at all?

Author Comment

by:Goddess6942
ID: 10951187
Yes, that does help.  With that being the case, is there any way to set up a system that checks either Active Directory or the domain to make sure that a submitted network username and password are correct?

Expert Comment

by:mrichmon
ID: 10951227
That I am not sure of.
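The two things the thread leaves open, a lookup that does not trip the server's size limit (the error in the question) and a way to verify a submitted AD username and password (Anne's last question above), as an added example that is not code from this thread or any of its posters. It assumes placeholder values for the server, base DN, service account and form fields, and uses the cfldap attributes filter, maxRows and scope as documented for ColdFusion MX.

```cfml
<!--- Added example, not from the thread. Two-step check against AD:
      1) a service account looks up ONE account by sAMAccountName, so the
         query never hits the size limit the way an unfiltered subtree search does;
      2) the DN that comes back is used to bind with the submitted password.
      Placeholders: ad.example.com, dc=example,dc=com, svc_lookup, form fields. --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<cfset authenticated = false>
<cfset svcPassword = application.svcLookupPassword>  <!--- assumed app config --->
<!--- Escape LDAP filter metacharacters (RFC 4515) so the submitted name cannot
      change the filter's meaning; backslash is replaced first on purpose. --->
<cfset safeUser = replaceList(form.username, "\,*,(,)", "\5c,\2a,\28,\29")>
<!--- An empty password must never reach the bind: many directories treat a bind
      with an empty password as an anonymous bind, which "succeeds". --->
<cfif len(trim(form.username)) and len(form.password)>
  <!--- Step 1: narrow lookup. The filter limits the result to one entry and
        maxRows caps it regardless, so no "Sizelimit Exceeded". --->
  <cfldap action="query"
          name="acct"
          server="ad.example.com"
          port="389"
          username="svc_lookup@example.com"
          password="#svcPassword#"
          start="dc=example,dc=com"
          scope="subtree"
          filter="(&(objectClass=user)(sAMAccountName=#safeUser#))"
          attributes="distinguishedName"
          maxRows="1">
  <!--- Step 2: exactly one match, so try to bind as that user. A wrong
        password makes the bind fail, which cfldap raises as an exception. --->
  <cfif acct.recordCount eq 1>
    <cftry>
      <cfldap action="query"
              name="bindCheck"
              server="ad.example.com"
              port="389"
              username="#acct.distinguishedName#"
              password="#form.password#"
              start="#acct.distinguishedName#"
              scope="base"
              filter="(objectClass=*)"
              attributes="cn"
              maxRows="1">
      <cfset authenticated = true>
      <cfcatch type="any">
        <!--- bad credentials or directory error: stay unauthenticated --->
      </cfcatch>
    </cftry>
  </cfif>
</cfif>
```

A simple bind over port 389 sends the password in clear, so in production the second cfldap call should use secure="CFSSL_BASIC" on port 636 (or an otherwise protected link), and the service account needs read access only.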

Author Comment

by:Goddess6942
ID: 10954511
Well tim_cs answered my initial question with the LDAP issue and that is now working great.  However, I've decided to not use LDAP to do what I was initially planning because I found a wonderful custom tag called CFX_Users. It does everything and more that I needed. So I'm now totally set.  Thank you all for your help.

--Anne

Expert Comment

by:mrichmon
ID: 10954521
No problem.  I thought the points should go to tim too since he did answer the question and the rest was us just commenting on a tangent.  :o)

Author Comment

by:Goddess6942
ID: 10954548
Yeah, I debated a bit about whether or not to split the points but figured it would only be fair to give them to the person who answered the initial question.  Although, now that I think about it, I probably should have given you a few for prompting me to find CFX_users.

--Anne

Expert Comment

by:mrichmon
ID: 10954573
Not a problem - I'm not here for the points, but to help others.

But just so you know if you do ever feel like someone deserves points there is the "Points For" option as described here:
http://www.experts-exchange.com/Web/WebDevSoftware/ColdFusion/help.jsp#hi76

(since some people ARE only helping for the points)