gzjohn
Member
Hi CNC,
We are using LDAP with E1, running R9200040 on almost a daily basis to synchronize with MSAD. We recently hit what appears to be the MaxPageSize setting of 1000 users. We have asked our AD admin group to bump up that setting, which they refused to do, suggesting detrimental impact to our corporate environment (very large company), such as DoS attacks. They are saying that Oracle should support "Simple paged results" as supported by LDAPv3 specifications to overcome this limit.
We also opened a call with Oracle about this limit, and they said their R9200040 UBE is working as designed and they are not willing to change it. We've even escalated the call to our account manager to no avail. Their reason is that R9200040 should only run once for go-live, and is not designed to run on a regular basis. Therefore, they see no reason why we cannot simply bump up our MaxPageSize setting temporarily, run that UBE once, and be done. Support finally ended the call by sending us the standard Security Administration Guide and suggesting we post to jdelist because they could not answer our question as to what other large companies using E1 on LDAP do?!
We currently provisioned a standalone domain server with that MaxPageSize setting bumped up to 2500 so we can replicate using R9200040. Our production security servers still use the domain farm to authenticate. Also important to note that we do not maintain roles (authorization) using LDAP, simply authentication.
Questions for everyone:
1. If you hit the 1000 user limit, what have you done to work around it?
2. If you simply bump up the MaxPageSize setting, have you experienced detrimental network impact?
3. Do you run R9200040 on a regular basis, and if not then how do you maintain synchronization with AD for new users and terminated accounts?
4. Any other workarounds you are using or aware of, such as perhaps third party tools.
Thanks everyone for your assistance.
John
Versions: 8.12, tech foundation 8.98.4 on Linux 5.5, MSAD
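
The "Simple paged results" control mentioned in the post (RFC 2696) lets a client read a result set larger than MaxPageSize without the limit being raised. The sketch below is an added example, not part of the original post and not Oracle or Microsoft code: `MockDirectory`, `fetch_all` and `SAMPLE_USERS` are constructed names, and the mock models a server that truncates an unpaged search at MaxPageSize with sizeLimitExceeded and caps each page at the same limit.

```python
# pagedResultsControl (RFC 2696) has OID 1.2.840.113556.1.4.319.
SUCCESS, SIZE_LIMIT_EXCEEDED = 0, 4  # LDAP result codes (RFC 4511)


class MockDirectory:
    """Constructed stand-in for a server that enforces a MaxPageSize policy."""

    def __init__(self, entries, max_page_size=1000):
        self.entries = list(entries)
        self.max_page_size = max_page_size
        self._cursors = {}   # opaque cookie -> offset of the next entry
        self._serial = 0

    def search(self, page_size=None, cookie=b""):
        """Return (result_code, entries, cookie) for one search request."""
        if page_size is None:
            # No paging control: the result set is truncated at MaxPageSize.
            chunk = self.entries[:self.max_page_size]
            truncated = len(self.entries) > self.max_page_size
            return (SIZE_LIMIT_EXCEEDED if truncated else SUCCESS), chunk, b""
        # Paging control present: the policy still caps every single page.
        size = min(page_size, self.max_page_size)
        if cookie and cookie not in self._cursors:
            raise ValueError("unknown or already used paging cookie")
        start = self._cursors.pop(cookie) if cookie else 0
        chunk = self.entries[start:start + size]
        if start + size >= len(self.entries):
            return SUCCESS, chunk, b""          # empty cookie marks the last page
        self._serial += 1
        next_cookie = b"cursor-%d" % self._serial
        self._cursors[next_cookie] = start + size
        return SUCCESS, chunk, next_cookie


def fetch_all(directory, page_size=500):
    """Client loop: echo the server's cookie until it comes back empty."""
    users, cookie, round_trips = [], b"", 0
    while True:
        code, chunk, cookie = directory.search(page_size=page_size, cookie=cookie)
        if code != SUCCESS:
            raise RuntimeError("search failed with result code %d" % code)
        users.extend(chunk)
        round_trips += 1
        if not cookie:
            return users, round_trips


# Constructed sample data: 2500 accounts, the figure used in the post.
SAMPLE_USERS = ["user%04d" % i for i in range(2500)]
```

With the limit left at 1000, the paged loop returns all 2500 constructed accounts, while the unpaged search stops at 1000.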