Can anyone point me to a resource that defines the maximum allowable length of the LDAP filter string in Active Directory?

+1  A: 

According to the specification in RFC 1558, there is not a hard limit imposed on the length of LDAP filter strings. Different implementations might have their own limits though.

Chris Ballance
That's what I was assuming. I hoped there was some Microsoft white paper giving some hard facts, though. However, it sounds reasonable that there is no limit.
Tomalak
I'll leave the question open until tomorrow. Just in case someone comes up with a definitive link on the topic.
Tomalak
+1  A: 

How are you using the LDAP query?
Is it a direct query or are you using some wrapper class (such as those found in System.DirectoryServices within the .NET framework)? This may have its own limitations above and beyond the LDAP protocol.

Charlie
Probably, though that's a secondary problem. I intend to use ColdFusion (or Java, if CF doesn't play nice). But before I start coding I want to know if there is a wall I can hit in case filters get really long.
Tomalak
As Chris says above there is no hard limit in the LDAP protocol.
Charlie
Yeah, that's what I was assuming as well, but I hoped there would be some Microsoft white paper that escaped my Google skills giving some hard facts.
Tomalak
+4  A: 

According to TechNet: How Active Directory Searches Work, the maximum LDAP request size that the server attempts to process defaults to 10,485,760 bytes.

If the server receives a request that is larger than this value, it closes the connection. Hope that helps.

Stefan Gehrig
That's exactly what I was looking for. Thank you very much. :-)
Tomalak
10 Megs? You can send a 10 Meg LDAP query? That seems excessively large! This refers to the request. Does it refer to the response? That should be controlled elsewhere with maximum returned values, time for search, etc., I presume.
geoffc
This only refers to the request. Perhaps MaxQueryDuration, MaxTempTableSize and MaxDatagramRecv will also come into effect when using queries this large. The response size should be controlled by MaxPageSize and MaxResultSetSize, I think.
Stefan Gehrig
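
A client-side guard for the request size limit quoted in the answer above, as an added example that is not part of the original thread: it escapes each value per RFC 4515 and splits a long OR filter into several filters that each stay under the 10,485,760-byte default. The function names and the 4,096-byte headroom for the rest of the request (base DN, attribute list, BER framing) are assumptions.

```python
# Added example: names and the headroom value are assumptions, not from the thread.
MAX_REQUEST_BYTES = 10_485_760   # default request size limit quoted in the answer
HEADROOM_BYTES = 4_096           # assumed allowance for base DN, attributes, BER framing

# RFC 4515 requires these characters to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_or_filters(attribute, values, budget=MAX_REQUEST_BYTES - HEADROOM_BYTES):
    """Return a list of (|(attr=v1)(attr=v2)...) filters, each within budget bytes.

    Values are packed greedily; a new filter is started whenever adding the
    next clause would push the UTF-8 encoded filter past the budget.
    """
    wrapper = len("(|)")
    filters, clauses, size = [], [], wrapper
    for value in values:
        clause = f"({attribute}={escape_value(value)})"
        clause_len = len(clause.encode("utf-8"))  # the limit is in bytes, not characters
        if wrapper + clause_len > budget:
            raise ValueError(f"single clause of {clause_len} bytes exceeds budget")
        if size + clause_len > budget:
            filters.append("(|" + "".join(clauses) + ")")
            clauses, size = [], wrapper
        clauses.append(clause)
        size += clause_len
    if clauses:
        filters.append("(|" + "".join(clauses) + ")")
    return filters


if __name__ == "__main__":
    # Constructed sample input: 500,000 account names, one with filter metacharacters.
    names = [f"user{i:06d}" for i in range(500_000)] + ["svc(backup)*"]
    for i, flt in enumerate(build_or_filters("sAMAccountName", names)):
        print(f"filter {i}: {len(flt.encode('utf-8'))} bytes")
```

Each returned filter is sent as its own search and the results are merged client-side.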
A: 

If you're using the AD Users and Groups GUI interface to construct the query you are limited to 464 characters. If you're using dsquery from the command line you are not limited to 464 characters. I don't know the upper bounds for filter length on dsquery, but I assume it's in line with the LDAP spec.

pberry