Risks of changing LDAP Policies - MaxPageSize value?

Anonymous
2023-10-19T16:12:29+00:00

Hi,

We have a developer working with our AD environment who is using LDAP queries from SQL. He currently hits a limit of 901 records that he can pull in a single query. Some recommendations online mention using NTDSUTIL.EXE to modify the LDAP Policies and increase the MaxPageSize value.

The default value appears to actually be 1000. There doesn't seem to be much info online about what else this could affect for AD/LDAP. Can anyone shed some light on possible risks with increasing this value? Or is it completely safe to do so? Is there a maximum value that would be considered safe if not the default?

Thanks

Windows Server | Identity and access | Active Directory

Locked question. This question was migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2023-10-20T05:36:45+00:00

    Hello

    Thank you for posting in Microsoft Community forum!

    The MaxPageSize value in LDAP Policies determines the maximum number of entries that are returned in a single search result, not considering paged results. The default value is indeed 1000.

    Changing the MaxPageSize value can have implications:

    • Performance Impact: Increasing this value could significantly impact the performance or operation of your Domain Controllers (DCs). This is because larger page sizes require more resources to fill, especially if many clients are performing searches simultaneously.
    • Risk of Overloading DCs: If the MaxPageSize is set too high, it could potentially overload your DCs. Even if your own commands won’t cause this, a possible Denial of Service (DoS) attack could.

    Instead of increasing the MaxPageSize, a recommended approach is to use paged queries for queries that could return more than 1000 entries. This method allows you to retrieve a large number of entries without the need to increase the MaxPageSize, thus mitigating the potential risks.

    As for a safe maximum value, it’s hard to define one as it can depend on various factors like your server’s capabilities, network infrastructure, and specific use case. However, keeping it at the default or using paged queries is generally recommended for the reasons mentioned above.

    Best Regards,

    Wesley Li

    1 person found this answer helpful.

2 additional answers

  1. Anonymous
    2023-10-20T14:30:47+00:00

    Hi,

    Thanks so much for the detailed response! This is very helpful.

    As a final follow up question, do you happen to have links to any resources about how to run a paged query?

    Thanks again.

  2. Anonymous
    2023-10-30T02:03:01+00:00

    To use paginated queries in LDAP, you can follow these steps:

    1. Set up your LDAP connection:

        from ldap3 import Connection, SUBTREE

        # *args stands for your own server, user and password arguments
        conn = Connection(*args)
        conn.bind()  # ldap3 does not bind until asked (unless auto_bind is used)

    2. Create a generator for paged search:

        entry_generator = conn.extend.standard.paged_search(
            search_base=self.dc,
            search_filter=query,
            search_scope=SUBTREE,
            attributes=self.user_attributes,
            paged_size=1,
            generator=True,
        )

    3. Get your results:

        results = []
        total_entries = 0  # counter must start at zero before the loop

        for entry in entry_generator:
            total_entries += 1
            results.append(entry)
            if total_entries % 50 == 0:
                pass  # do something with results

    In the above code, paged_size=1 means that the generator will yield one entry at a time. You can adjust this value according to your needs.

    ldap - How to use ldap3 generator for pagination? - Stack Overflow

    Please note that the server is free to impose a limit on the number of entries that can be returned in the response to a search request. The LDAP client can request a size limit, but this client-requested limit cannot override the server-imposed limit. Therefore, if you encounter an error like “Size limit exceeded”, it might be due to the server-imposed limit.

    ldap - Paging using ldapsearch - Server Fault

    If you’re using Microsoft’s LDAP API, you can use ldap_create_page_control to construct a control for paged results, and then call ldap_search_ext to add the control.

    Paging Search Results | Microsoft Learn

    Remember to replace *args, self.dc, query, SUBTREE, and self.user_attributes with your actual parameters. If you’re not sure about these parameters, you might need to refer to your LDAP server’s documentation or consult with your system administrator.

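The accepted answer recommends paged queries instead of raising MaxPageSize, and the answer above shows the ldap3 call that does it. The following added example (not code from this thread, from ldap3 or from Microsoft) simulates both sides of that exchange offline so the behaviour can be seen without a domain controller: an in-memory stand-in for the directory enforces a MaxPageSize of 1000 on an unpaged search and hands out pages plus a cookie for a paged one, and a client loop re-sends the search with the cookie until the cookie comes back empty. The FakeDirectory class, its offset-based cookie, and the 2500 constructed user entries are assumptions of the example; a real directory's cookie is opaque and the real control is the one the answers above name (RFC 2696 paged results, which ldap3's paged_search and ldap_create_page_control both use).

```python
"""Simulated LDAP paged-results exchange (constructed example).

The 'server' below is an in-memory stand-in, not a real directory; it only
mimics two behaviours from the thread: an unpaged search is capped at
MaxPageSize and reports sizeLimitExceeded, while a paged search returns
pages no larger than MaxPageSize together with a continuation cookie.
"""
from dataclasses import dataclass

MAX_PAGE_SIZE = 1000  # Active Directory default mentioned in the thread


@dataclass
class SearchResult:
    entries: list
    result_code: str       # "success" or "sizeLimitExceeded"
    cookie: bytes = b""    # paged-results cookie; b"" means no more pages


class FakeDirectory:
    """Constructed stand-in for a directory server enforcing MaxPageSize."""

    def __init__(self, entries, max_page_size=MAX_PAGE_SIZE):
        self.entries = entries
        self.max_page_size = max_page_size

    def _match(self, filt):
        return [e for e in self.entries if filt(e)]

    def search(self, filt, size_limit=0):
        """Unpaged search: the result is truncated at MaxPageSize (or at the
        client's size limit if that is smaller) and flagged as exceeded."""
        hits = self._match(filt)
        cap = self.max_page_size if size_limit == 0 else min(size_limit, self.max_page_size)
        if len(hits) > cap:
            return SearchResult(hits[:cap], "sizeLimitExceeded")
        return SearchResult(hits, "success")

    def paged_search(self, filt, page_size, cookie=b""):
        """Paged search: the requested page size is clamped to MaxPageSize.
        The cookie here is simply the big-endian offset of the next page
        (constructed; a real server's cookie is opaque to the client)."""
        hits = self._match(filt)
        page_size = min(page_size, self.max_page_size)
        offset = int.from_bytes(cookie, "big") if cookie else 0
        page = hits[offset:offset + page_size]
        next_offset = offset + len(page)
        next_cookie = next_offset.to_bytes(4, "big") if next_offset < len(hits) else b""
        return SearchResult(page, "success", next_cookie)


def fetch_all(directory, filt, page_size=500):
    """Client side of the exchange: resend the same search with the cookie
    from the previous page until the server returns an empty cookie."""
    results, cookie, pages = [], b"", 0
    while True:
        res = directory.paged_search(filt, page_size, cookie)
        results.extend(res.entries)
        pages += 1
        cookie = res.cookie
        if not cookie:
            return results, pages


def build_demo_directory(user_count=2500):
    """Constructed sample data: more accounts than MaxPageSize allows at once."""
    users = [{"sAMAccountName": f"user{i:04d}", "enabled": i % 3 != 0}
             for i in range(user_count)]
    return FakeDirectory(users)


def demo():
    """Compare one unpaged search with a paged retrieval of the same set."""
    directory = build_demo_directory()
    everyone = lambda e: True
    unpaged = directory.search(everyone)              # truncated at 1000
    full, pages = fetch_all(directory, everyone, 500)  # all 2500, in 5 pages
    return unpaged, full, pages


if __name__ == "__main__":
    unpaged, full, pages = demo()
    print(f"unpaged: {len(unpaged.entries)} entries, result {unpaged.result_code}")
    print(f"paged:   {len(full)} entries in {pages} pages")
```

Asking for a page larger than MaxPageSize does not fail: the server simply clamps the page, so a request for 5000 entries per page still comes back as pages of 1000, which is why raising the server-side value buys nothing that the client-side paging loop does not already provide.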