Active Directory with >1000 groups

We have a centralized Active Directory for our university that contains all campus users and groups for every organizational unit at the U. This means we’ve got a motherlode of groups. Problem one, and really the central problem: the group list only shows the first 1000. This isn’t such a big deal for finding a group and viewing members, because the search box seems to search all groups properly, but when I want to share that group with specific other groups, I’m out of luck because the box o' groups in the roster sharing interface also only lists the first 1000 groups.

Is there anything I can do? Based on what I see in the MySQL database, could I just insert rows by hand into the ofGroupProp table? It looks like there are three entries per shared group:

| groupName   | name                      | propValue            |
| ----------- | ------------------------- | -------------------- |
| nameofgroup | sharedRoster.showInRoster | onlyGroup            |
| nameofgroup | sharedRoster.displayName  | Group Name           |
| nameofgroup | sharedRoster.groupList    | groups,to,share,with |

Is that all I need to add? Also, what are the valid propValues for sharedRoster.showInRoster? I’ve seen “nobody” and “onlyGroup”.

Also, can Openfire deal with nested groups? It seems rather confused when a group has a group in it.

Thanks for any help!

Nested groups are not supported. You can increase the maxpagesize of AD to allow more groups but this could cause other issues: http://support.microsoft.com/kb/315071

I figured that on the nested groups but I thought I’d ask. Changing settings on the AD is off the table, unfortunately. Good to know what the issue was, at least.

Well, I’m in the same boat. Definitely not going to change AD.

I created an HTA app to enumerate groups, and I use it to emulate what their app is doing behind the scenes. A lot of extra work to make up for a KNOWN issue with AD paging.

Oh well… everything else seems to be working very well, so I’ll not complain too much!!

But - you are correct. If you just browse that table and watch what happens with the records, you’ll see the pattern.

Looking at the code, it looks like LDAP paging is supported, but its default value is -1 (disabled)? Try setting/creating the system property ldap.pagedResultsSize to something like 1000 (something less than your LDAP limit) to see if that works.

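An added example, not code from this thread or from Openfire, showing why a directory that caps a single search at 1000 entries truncates the group list, and how a simple paged results loop (the mechanism Openfire's ldap.pagedResultsSize turns on) walks past that cap. The directory is a constructed in-memory stand-in for a domain controller; treating the paging cookie as an offset and capping each page at the server limit are modelling assumptions.

```python
"""Constructed simulation of LDAP group enumeration against a server with a
1000-entry result cap (the AD MaxPageSize discussed above). Not a real LDAP client."""
from typing import List, Optional, Tuple

class FakeDirectory:
    """Stand-in for a domain controller holding `group_count` groups."""

    def __init__(self, group_count: int, max_page_size: int = 1000):
        # Constructed DNs; the OU/DC values are placeholders.
        self.groups = [f"CN=Group{i:04d},OU=Groups,DC=example,DC=edu"
                       for i in range(group_count)]
        self.max_page_size = max_page_size

    def search(self, page_size: Optional[int] = None,
               cookie: int = 0) -> Tuple[List[str], int, bool]:
        """Return (entries, next_cookie, truncated).

        No paged-results control: the server returns at most max_page_size
        entries and flags the result as truncated (sizeLimitExceeded).
        With the control: it serves min(page_size, max_page_size) entries per
        page plus a cookie (modelled here as an offset; 0 means 'done')."""
        if page_size is None:
            entries = self.groups[:self.max_page_size]
            return entries, 0, len(entries) < len(self.groups)
        if page_size <= 0:
            raise ValueError("page size must be positive")
        step = min(page_size, self.max_page_size)   # assumption: server caps the page
        entries = self.groups[cookie:cookie + step]
        next_cookie = cookie + step if cookie + step < len(self.groups) else 0
        return entries, next_cookie, False

def enumerate_groups(directory: FakeDirectory, paged_results_size: int) -> List[str]:
    """Collect every group the way a client configured with
    ldap.pagedResultsSize would: -1 (Openfire's default) means no paging and
    silently yields only the first page; a positive value loops on the cookie."""
    if paged_results_size < 1:
        entries, _cookie, _truncated = directory.search()
        return entries
    collected: List[str] = []
    cookie = 0
    while True:
        entries, cookie, _ = directory.search(paged_results_size, cookie)
        collected.extend(entries)
        if cookie == 0:
            return collected
```

With 2500 groups the unpaged call stops at exactly 1000, which is the symptom in the first post, while any positive page size returns all 2500.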

Awesome - setting ldap.pagedResultsSize to 1000 did the trick!

Thank you!!