3.1.1.3.1.3.3 Range Retrieval of Attribute Values

msdn link

When retrieving the values from a multivalued attribute, Active Directory limits the number of values that can be retrieved from one attribute in a single search request. The maximum number of values that will be returned by Active Directory at one time is determined by the MaxValRange policy (see section 3.1.1.3.4.6). To permit all the values of a multivalued attribute to be retrieved, Active Directory provides a "range retrieval" mechanism. This mechanism permits a client-specified subset of the values to be retrieved in a search request. By performing multiple search requests, each retrieving a distinct subset, the complete set of values for the attribute can be retrieved.

Range retrieval is requested by attaching a range option to the name of the attribute (for example, the AttributeDescription, as specified in [RFC2251] section 4.1.5) to be retrieved by the search request. This option takes the form

range=low-high

where low is the zero-based index of the first value of the attribute to retrieve, and high is the zero-based index of the last value of the attribute to retrieve. For example, to retrieve the 100th through the 500th values of the member attribute, the attributes list in the SearchRequest would specify the AttributeDescription "member;range=99-499". Zero is used for low to specify the first entry. A client can substitute an asterisk for high to indicate all remaining entries (subject to any limitations imposed by the server on the maximum number of values to return). The server can return fewer values than requested.

When the server receives a range retrieval request, it will include a range option in the AttributeDescription returned. This range option will take the same form as described previously, with low indicating the zero-based index of the first value of the attribute that the server returned and high indicating the zero-based index of the last value of the attribute that the server returned. However, if the set of attributes returned includes the last value in the attribute, the server will substitute an asterisk for high, indicating to the client that there are no more values to be retrieved.

If a SearchRequest does not contain a range option for a given attribute, but that attribute has too many values to be returned at one time, the server returns a SearchResultEntry containing (1) the attribute requested without the range option and with no values, and (2) the attribute requested with a range option attached and with the values corresponding to that range option.

The ordering of the values returned in a range retrieval request is arbitrary but consistent across multiple range retrieval requests on the same LDAP connection, provided that the attribute is not modified between successive range retrieval requests.