Privacyidea and Active Directory limit of 1000 users


Mark Williams

Dec 14, 2015, 3:01:12 AM
to privacyidea
Hi,

I have tried every option, but can only get 1000 users to import onto privacyIDEA from Active Directory. It just says "found 1000" users even though there are more users than that. I have tried with simple and NTLM and get the same results. I have also tried changing the size limit but again no change.

Anyone know the answer?

Many Thanks

Mark

Cornelius Kölbel

Dec 14, 2015, 4:27:01 AM
to Mark Williams, privacyidea
Hello Mark,

The users are not imported into privacyIDEA.
privacyIDEA performs a live query on the user store.

In the test example, privacyIDEA tries to fetch all users.

In any other case, it will try to fetch a user with
sAMAccountName=mark.williams or with the
DN=CN=user,CN=users,DC=nhs,DC=net.

I.e. if you see only 1000 users at this point, this does not matter. You
do not want to see more than 20 or 50 users at once, anyway.

So you may simply ignore this.

If you go to the users tab, the users tab will display all users it
finds, by default with the search pattern username=* => 1000 users.
The last username to be found might be "koelbel". No users with a letter
after "k".

If you search in the user tab and enter "will", it will find all users
with the search pattern = "*will*".

Thus you will see the user "williams" and the user "godwill".

The 1000 is not a limitation of privacyIDEA.
Rather, Active Directory limits the result size in certain cases by
itself. You may see this in the Microsoft Management Console ADUC
snap-in, which tells you: "more than 2000 users found... go on with
bugging my CPU...".

So not finding all 8721 users with the "test button" has no impact on
privacyIDEA's functionality. Rather, it would have an impact on
privacyIDEA's performance if you found all these users...

If you have any further questions, please do not hesitate to ask!

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Williams Mark (EAST KENT HOSPITALS UNIVERSITY NHS FOUNDATION TRUST)

Dec 14, 2015, 4:38:17 AM
to Cornelius Kölbel, privacyidea

Hi Cornelius,

Thanks for getting back to me. Firstly, sorry for using the wrong terminology :-)

Really grateful for your clarification.

So if I understand correctly, when it shows “1000 users” in the user tab, that is just the number from the current “filter” results and not the actual number of users the system has tokens for. If so, is there a way to show the number of users that have tokens enrolled?

Thank you so much

Mark

Cornelius Kölbel

Dec 14, 2015, 4:45:43 AM
to priva...@googlegroups.com
Hi Mark,

The users you see there are the users in the user store who could
potentially get a token.

You might want to take a look at the token tab, which shows you the
number of tokens enrolled. Anyway - this is the number of enrolled
tokens and is not necessarily equal to the number of users who have a
token.

You can assign several tokens to a user, thus you might have 1000 tokens
enrolled, but 2 for each user and only have 500 users with tokens (2).

In the UI there is no way to see the "number of users with tokens" at
the moment. Anyway, it is just a simple SQL query in the token database
and could be added easily.

In which are you using or planning to use privacyIDEA?

Kind regards
Cornelius
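
The difference between "tokens enrolled" and "users with tokens" discussed in the message above, as an added example that is not part of the thread and not privacyIDEA's own code. The table layout (`token` with `serial`, `resolver`, `user_id`) and all rows are assumptions constructed for illustration; check the real schema of your installation before adapting the queries.

```python
import sqlite3

# Hypothetical, simplified token table: the column names are assumptions for
# this example, not taken from the thread or verified against a release.
SCHEMA = """
CREATE TABLE token (
    serial   TEXT PRIMARY KEY,
    resolver TEXT,   -- user store the owner lives in; empty if unassigned
    user_id  TEXT    -- owner's id inside that resolver; empty if unassigned
);
"""

# Constructed sample rows.
ROWS = [
    ("HOTP0001", "ad-main", "1001"),
    ("TOTP0002", "ad-main", "1001"),  # second token for the same user
    ("HOTP0003", "ad-main", "1002"),
    ("HOTP0004", "ad-lab", "1001"),   # same id in another resolver: another user
    ("HOTP0005", "", ""),             # enrolled but not assigned to anyone
    ("TOTP0006", None, None),         # unassigned, stored as NULL
]

# Fixed filter that skips unassigned tokens (a constant, not user input).
ASSIGNED = "user_id IS NOT NULL AND user_id <> ''"

def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO token VALUES (?, ?, ?)", ROWS)
    return conn

def token_stats(conn):
    tokens = conn.execute("SELECT COUNT(*) FROM token").fetchone()[0]
    users = conn.execute(
        "SELECT COUNT(*) FROM "
        f"(SELECT DISTINCT resolver, user_id FROM token WHERE {ASSIGNED})"
    ).fetchone()[0]
    multi = conn.execute(
        f"SELECT resolver, user_id, COUNT(*) FROM token WHERE {ASSIGNED} "
        "GROUP BY resolver, user_id HAVING COUNT(*) > 1 ORDER BY resolver, user_id"
    ).fetchall()
    return tokens, users, multi

if __name__ == "__main__":
    tokens, users, multi = token_stats(build_sample())
    print(f"tokens enrolled: {tokens}, users with tokens: {users}")
    print("users holding more than one token:", multi)
```

Counting distinct `(resolver, user_id)` pairs rather than `user_id` alone keeps users from different user stores apart when their ids collide.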

