E1 LDAP MaxPageSize and R9200040

gzjohn

Hi CNC,

We are using LDAP with E1, running R9200040 on almost a daily basis to synchronize with MSAD. We recently hit what appears to be the MaxPageSize setting of 1000 users. We have asked our AD admin group to bump up that setting which they refused to do, suggesting detrimental impact to our corporate environment (very large company), such as DOS attacks. They are saying that Oracle should support "Simple paged results" as supported by LDAPv3 specifications to overcome this limit.

We also opened a call with Oracle about this limit, and they said their R9200040 UBE is working as designed and they are not willing to change it. We've even escalated the call to our account manager to no avail. Their reason is that R9200040 should only run once for go-live, and is not designed to run on a regular basis. Therefore, they see no reason why we cannot simply bump up our MaxPageSize setting temporarily, run that UBE once, and be done. Support finally ended the call by sending us the standard Security Administration Guide and suggesting we post to jdelist because they could not answer our question as to what other large companies using E1 on LDAP do?!

We currently provisioned a standalone domain server with that MaxPageSize setting bumped up to 2500 so we can replicate using R9200040. Our production security servers still use the domain farm to authenticate. Also important to note that we do not maintain roles (authorization) using LDAP, simply authentication.

Question for everyone:
1. If you hit the 1000 user limit, what have you done to work around it?
2. If you simply bump up the MaxPageSize setting, have you experienced detrimental network impact?
3. Do you run R9200040 on a regular basis, and if not, then how do you maintain synchronization with AD for new users and terminated accounts?
4. Any other workarounds you are using or aware of, such as perhaps third party tools?

Thanks everyone for your assistance.

John

Versions: 8.12, tech foundation 8.98.4 on Linux 5.5, MSAD
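The "Simple paged results" mechanism the AD admins refer to is RFC 2696: the client attaches a control (OID 1.2.840.113556.1.4.319) whose value is a BER SEQUENCE of an INTEGER page size and an OCTET STRING cookie, and the server hands back a cookie for the next page until the cookie is empty. The following is an added example, not code from the thread, from Oracle, or from the R9200040 UBE: it encodes and decodes that control value and runs the client-side page loop against a constructed in-memory stand-in for a directory that enforces a MaxPageSize of 1000. `server_search`, `paged_search_all` and the 2500-entry `DIRECTORY` are hypothetical and exist only to show why an unpaged search of more than 1000 entries fails while a paged one does not; no real LDAP connection is made.

```python
"""RFC 2696 Simple Paged Results: control value encoding plus a client page loop.
Added example (not from the thread or from JD Edwards/Oracle). The directory and
server function below are constructed stand-ins for an AD server that enforces
MaxPageSize; they model only that limit, not a real LDAP session."""
from typing import Callable, List, Optional, Tuple

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # control type for simple paged results
MAX_PAGE_SIZE = 1000                            # AD default quoted in the thread

# Constructed sample directory: 2500 user DNs, deliberately above MaxPageSize.
DIRECTORY = [f"CN=user{i:04d},OU=Users,DC=example,DC=com" for i in range(2500)]


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(v: int) -> bytes:
    """BER INTEGER (tag 0x02), two's complement, minimal length."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return b"\x02" + _ber_len(len(body)) + body


def encode_paged_control_value(size: int, cookie: bytes) -> bytes:
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    inner = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag/length/value triple; return (tag, value, position after it)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_paged_control_value(value: bytes) -> Tuple[int, bytes]:
    """Inverse of encode_paged_control_value; raises ValueError on a malformed value."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, size_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING cookie")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


def server_search(control_value: Optional[bytes]) -> Tuple[List[str], Optional[bytes]]:
    """Hypothetical server: enforces MaxPageSize the way the thread describes.
    Without the control, a result set above MaxPageSize is refused outright
    (LDAP sizeLimitExceeded); with it, the server caps each page and returns a
    response control whose cookie is empty once the last page has been sent."""
    if control_value is None:
        if len(DIRECTORY) > MAX_PAGE_SIZE:
            raise RuntimeError("sizeLimitExceeded: unpaged result set exceeds MaxPageSize")
        return list(DIRECTORY), None
    requested, cookie = decode_paged_control_value(control_value)
    start = int.from_bytes(cookie, "big") if cookie else 0
    page = DIRECTORY[start:start + min(requested, MAX_PAGE_SIZE)]
    end = start + len(page)
    next_cookie = end.to_bytes(4, "big") if end < len(DIRECTORY) else b""
    return page, encode_paged_control_value(0, next_cookie)  # size 0 = no estimate


def paged_search_all(search: Callable[[Optional[bytes]], Tuple[List[str], Optional[bytes]]],
                     page_size: int = MAX_PAGE_SIZE) -> List[str]:
    """Client loop: resend the control with the server's cookie until it is empty."""
    results: List[str] = []
    cookie = b""
    while True:
        entries, response = search(encode_paged_control_value(page_size, cookie))
        results.extend(entries)
        _, cookie = decode_paged_control_value(response)
        if not cookie:
            return results


if __name__ == "__main__":
    try:
        server_search(None)
    except RuntimeError as exc:
        print("unpaged search:", exc)
    print("paged search returned", len(paged_search_all(server_search)), "entries")
```

The point for the thread: with paging, the 1000-entry cap stays in place on the server and the full 2500-entry set still comes back, one page at a time, which is why the AD team regards paged results as the client-side fix rather than raising MaxPageSize.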
 
John,

1. Standalone AD server, just as you are doing.
2. No impact measured.
3. Only when managing roles in AD do you need to run R9200040 regularly
4. OID or OIM, but haven't tried them.

-Ethan
 
I had this exact same problem. I am not entirely sure why our AD admin would not leave the MaxPageSize opened up. Even if you were doing groups


> 1. If you hit the 1000 user limit, what have you done to work around it?

Increased the MaxPageSize; there is no other way around it to my knowledge.

> 2. If you simply bump up the MaxPageSize setting, have you experienced detrimental network impact?

No, but we only left it open for a short time over the weekend.

> 3. Do you run R9200040 on a regular basis, and if not then how do you maintain synchronization with AD for new users and terminated accounts.

The synch is really only beneficial if your users and groups experienced ongoing issues at login. The synch does essentially what happens when you login - synchs F0092, F00921, F98OWSEC, F00926, etc. So if E1 and AD have communicated normally over any given period of time, you should not have to run the synch. I only run it when a major go-live is about to happen.

> 4. Any other workarounds you are using or aware of, such as perhaps third party tools.

No
 