https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28319#M20695 <HTML><HEAD></HEAD><BODY><P>Out of curiosity, is the output via your syslog? Are you actually able to utilize the LDAP server for authentication?</P></BODY></HTML> Wed, 16 Mar 2011 18:28:51 GMT gswcowboy 2011-03-16T18:28:51Z https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28318#M20694 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>Seen this in the ldapd.log file.</P><P>Has anyone come across this before ?</P><P></P><P></P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code"><P> Mar 16 10:10:03 connected to ldap server ldap://172.17.23.132<BR /> Mar 16 10:10:03 ldap cfg LDAP Server connected to 172.17.23.132:389(index 0)<BR /> Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control<BR /> Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control<BR /> Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control<BR /> Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control<BR /> Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control<BR /> Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control<BR /> Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control<BR /> Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control</P></PRE><P></P><P>the "failed to create page control" pages for quite a bit.</P><P></P><P>Regards</P><P></P><P>Marc</P></BODY></HTML> Wed, 16 Mar 2011 13:04:48 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28318#M20694 migration 2011-03-16T13:04:48Z https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28319#M20695 <HTML><HEAD></HEAD><BODY><P>Out of curiosity, is the output via your syslog? Are you actually able to utilize the LDAP server for authentication?</P></BODY></HTML> Wed, 16 Mar 2011 18:28:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28319#M20695 gswcowboy 2011-03-16T18:28:51Z https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28320#M20696 <HTML><HEAD></HEAD><BODY><P>In eDir, a request is made by the PAN for group information (1000 at a time) and from this all users (1000 at a time), thus the need for page control. This way, the PAN will not be inundated by a possilbe 'dump' of data. Having said that, if you're running AD, page control is not a supported feature and you'll eventually receive these log messages. However, if you're running eDir version 8.7, you'll need to upgrade to version 8.8 to alleviate these alerts. Hope this answers your question.</P></BODY></HTML> Wed, 16 Mar 2011 21:15:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28320#M20696 gswcowboy 2011-03-16T21:15:22Z https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28321#M20697 <HTML><HEAD></HEAD><BODY><P>We are currently using a Donino (v6.5.x I think) for captive portal authentication, which seems to be working with the tests we have performed.</P><P></P><P>These logs are from the ldapd.log on the PA its self not via syslog.</P><P>using "show user ldap-server server all" the PA contact the LDAP server and returns all the groups and users in under 20 seconds, when viewing the ldapd.log imiedatly after the PA connects we recieve the "failed to create page control" warning in the log.</P><P></P><P>Im just concerened that this may have an impact on the users authenticating when we start migrating more users across.</P><P></P><P>Regards</P><P></P><P>Marc</P></BODY></HTML> Thu, 17 Mar 2011 06:42:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28321#M20697 migration 2011-03-17T06:42:39Z https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28322#M20698 <HTML><HEAD></HEAD><BODY><P>Hi Marc,</P><P></P><P>This may impact results later on.</P><P>The LDAP quesry is looking to get all the user/group mappings - so the paging error probably means you're getting the 1st 1,000 results only.&nbsp; This means - a valid user will likely get authenticated.&nbsp; However, they may not end up in the correct group for security policies - you'll be able to see this on the device CLI - all user/group mappings.&nbsp; Although it could be a big list to go through.</P><P></P><P>The question is whether your 1,000+ results are all users or something different - e.g. groups.</P><P>Filters on groups will help if there are a lot of groups being returned that you'll not use in security policy.</P><P>Filter on users, if you can, to get only the &lt;1,000 that you need - assuming you have less than 1,000 that will authenticate in this way.</P><P></P><P>Of course, the above needs validating with checks on the CLI to see what you see.</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Thu, 17 Mar 2011 08:10:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28322#M20698 James 2011-03-17T08:10:44Z https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28323#M20699 <HTML><HEAD></HEAD><BODY><P>Hi James,</P><P></P><P>With ldap page control I asume you are refering to RFC 2696 - LDAP Control Extension for Simple Paged Results Manipulation?</P><P></P><P>If so then I belive from the research I have done Lotus Domino versions 5,6 and 7 do not support this RFC.</P><P></P><P>So it looks like the customer is going to have to do some regrouping by Region to bring the returned numbers down... however if the total number of users in all groups exceeds 1,000+ would I still have the same issue??</P><P></P><P>Marc</P></BODY></HTML> Thu, 17 Mar 2011 13:00:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28323#M20699 migration 2011-03-17T13:00:30Z https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28324#M20700 <HTML><HEAD></HEAD><BODY><P>Hi Marc,</P><P></P><P>I cannot comment on the RFC - perhaps someone can check this.</P><P></P><P>However, yes - if more than 1,000 lines are returned the problem will remain.&nbsp; The company may not need to change their structure.&nbsp; It is possible for example to filter user on their loction - assuming this information has been entered into the LDAP server.&nbsp; Here are some examples of filters:</P><P style="line-height: 85%; margin-top: 14.4pt; margin-bottom: 1.44pt; text-align: center; direction: ltr; unicode-bidi: embed; vertical-align: baseline;"><SPAN style="color: black; font-size: 12pt; font-family: Arial; ">Use only users based in Dallas or Houston:</SPAN></P><P style="line-height: 85%; margin-top: 14.4pt; margin-bottom: 1.44pt; text-align: center; direction: ltr; unicode-bidi: embed; vertical-align: baseline;"><SPAN style="color: black; font-size: 12pt; font-family: Arial; ">(|(l=Dallas)(l=Austin))</SPAN></P><P style="line-height: 85%; margin-top: 14.4pt; margin-bottom: 1.44pt; text-align: center; direction: ltr; unicode-bidi: embed; vertical-align: baseline;"><SPAN style="color: black; font-size: 12pt; font-family: Arial; ">Only users named John in the same cities:</SPAN></P><P style="line-height: 85%; margin-top: 14.4pt; margin-bottom: 1.44pt; text-align: center; direction: ltr; unicode-bidi: embed; vertical-align: baseline;"><SPAN style="font-size: 12pt;"><SPAN style="font-family: Arial; color: black;">(&amp;(</SPAN><SPAN style="font-family: Arial; color: black;">givenName</SPAN><SPAN style="font-family: Arial; color: black;">=John)(|(l=Dallas)(l=Austin))) </SPAN></SPAN></P><P></P><P>HTH</P><P>Thanks</P><P>James</P></BODY></HTML> Thu, 17 Mar 2011 22:53:14 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-failed-to-create-page-control/m-p/28324#M20700 James 2011-03-17T22:53:14Z