LDAP - failed to create page control

L0 Member

Hi All,

Seen this in the ldapd.log file.

Has anyone come across this before ?

Mar 16 10:10:03 connected to ldap server ldap://172.17.23.132
Mar 16 10:10:03 ldap cfg LDAP Server connected to 172.17.23.132:389(index 0)
Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control
Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control
Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control
Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control
Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control
Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control
Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control
Mar 16 10:10:09 Warning: pan_ldap_search(pan_ldap.c:521): failed to create page control

The "failed to create page control" message goes on for pages.

Regards

Marc

6 REPLIES

L6 Presenter

Out of curiosity, is the output via your syslog? Are you actually able to utilize the LDAP server for authentication?

L6 Presenter

In eDir, a request is made by the PAN for group information (1000 at a time) and from this all users (1000 at a time), thus the need for page control. This way, the PAN will not be inundated by a possible 'dump' of data. Having said that, if you're running AD, page control is not a supported feature and you'll eventually receive these log messages. However, if you're running eDir version 8.7, you'll need to upgrade to version 8.8 to alleviate these alerts. Hope this answers your question.

We are currently using a Domino (v6.5.x I think) for captive portal authentication, which seems to be working with the tests we have performed.

These logs are from the ldapd.log on the PA itself, not via syslog.

Using "show user ldap-server server all", the PA contacts the LDAP server and returns all the groups and users in under 20 seconds; when viewing the ldapd.log immediately after the PA connects, we receive the "failed to create page control" warning in the log.

I'm just concerned that this may have an impact on the users authenticating when we start migrating more users across.

Regards

Marc

Hi Marc,

This may impact results later on.

The LDAP query is looking to get all the user/group mappings - so the paging error probably means you're getting the 1st 1,000 results only. This means a valid user will likely get authenticated. However, they may not end up in the correct group for security policies - you'll be able to see this on the device CLI - all user/group mappings. Although it could be a big list to go through.

The question is whether your 1,000+ results are all users or something different - e.g. groups.

Filters on groups will help if there are a lot of groups being returned that you'll not use in security policy.

Filter on users, if you can, to get only the <1,000 that you need - assuming you have less than 1,000 that will authenticate in this way.

Of course, the above needs validating with checks on the CLI to see what you see.

Thanks

James

Hi James,

With LDAP page control I assume you are referring to RFC 2696 - LDAP Control Extension for Simple Paged Results Manipulation?

If so, then I believe from the research I have done that Lotus Domino versions 5, 6 and 7 do not support this RFC.

So it looks like the customer is going to have to do some regrouping by Region to bring the returned numbers down... however, if the total number of users in all groups exceeds 1,000+, would I still have the same issue?

Marc
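James's point above that a server which does not honour the paging control hands back only the first 1,000 results, and Marc's question about RFC 2696, can be made concrete with the following Python. It is an added example, not code from this thread or from PAN-OS. It encodes and decodes the control value defined in RFC 2696 (OID 1.2.840.113556.1.4.319) using only the standard library, then runs the client's paging loop against two constructed in-memory "servers": one that implements the control and one that ignores it and stops at its size limit. The server functions, the entry names and the 1,000-entry limit are all constructed for the example.

```python
# Added example, not from the thread or from PAN-OS: build and parse the value of
# the RFC 2696 "Simple Paged Results" control with only the standard library, then
# drive a paged search against two constructed in-memory servers: one that honours
# the control and one that ignores it (like the Domino versions the thread mentions).
#
# Control OID 1.2.840.113556.1.4.319; its BER-encoded value is
#   realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(value):
    """INTEGER (tag 0x02), minimal two's-complement; page sizes are never negative."""
    if value < 0:
        raise ValueError("page size must be non-negative")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # +1 bit keeps sign clear
    return b"\x02" + _ber_len(len(body)) + body


def _ber_octets(data):
    """OCTET STRING (tag 0x04)."""
    return b"\x04" + _ber_len(len(data)) + data


def encode_paged_control(size, cookie=b""):
    """Encode the control value the client sends (and the server echoes back)."""
    inner = _ber_int(size) + _ber_octets(cookie)
    return b"\x30" + _ber_len(len(inner)) + inner  # SEQUENCE (tag 0x30)


def _read_tlv(buf, pos, expected_tag):
    """Read one tag-length-value at pos; return (value bytes, position after it)."""
    if pos + 1 >= len(buf) or buf[pos] != expected_tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (expected_tag, pos))
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated value at offset %d" % pos)
    return buf[pos:pos + length], pos + length


def decode_paged_control(value):
    """Parse a control value back into (size, cookie)."""
    inner, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    size_bytes, pos = _read_tlv(inner, 0, 0x02)
    cookie, pos = _read_tlv(inner, pos, 0x04)
    if pos != len(inner):
        raise ValueError("trailing bytes inside SEQUENCE")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


def paged_search(server, page_size):
    """Client side of RFC 2696: resend the control with the server's cookie until the
    cookie comes back empty. `server` stands in for one search request and returns
    (entries, response control value or None when the control was ignored)."""
    results, cookie = [], b""
    while True:
        page, response = server(encode_paged_control(page_size, cookie))
        results.extend(page)
        if response is None:        # server did not understand the control:
            return results          # whatever came back is all we will get
        _, cookie = decode_paged_control(response)
        if not cookie:
            return results


def make_paging_server(entries):
    """Constructed server that implements paging; the cookie is simply an offset."""
    def server(control_value):
        size, cookie = decode_paged_control(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0
        page = entries[start:start + size]
        nxt = start + len(page)
        next_cookie = nxt.to_bytes(4, "big") if nxt < len(entries) else b""
        return page, encode_paged_control(len(entries), next_cookie)
    return server


def make_unpaged_server(entries, size_limit=1000):
    """Constructed server that ignores the control and silently stops at its size limit."""
    def server(_control_value):
        return entries[:size_limit], None
    return server


if __name__ == "__main__":
    users = ["uid=user%04d,o=example" % i for i in range(2500)]   # constructed data
    print(len(paged_search(make_paging_server(users), 1000)))     # 2500
    print(len(paged_search(make_unpaged_server(users), 1000)))    # 1000
```

The second server mirrors the situation in the thread: a client cannot tell from the entries alone that the list was cut short, so the check James suggests (compare the device's user/group mapping output against what the directory should return) is the only way to notice it.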

Hi Marc,

I cannot comment on the RFC - perhaps someone can check this.

However, yes - if more than 1,000 lines are returned the problem will remain. The company may not need to change their structure. It is possible, for example, to filter users on their location - assuming this information has been entered into the LDAP server. Here are some examples of filters:

Use only users based in Dallas or Houston:

(|(l=Dallas)(l=Austin))

Only users named John in the same cities:

(&(givenName=John)(|(l=Dallas)(l=Austin)))

HTH

Thanks

James
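To check what a filter like the two above will actually return before it goes into a group-mapping profile, the following Python evaluates the RFC 4515 filter syntax those examples use over a small constructed directory. It is an added example, not code from this thread or from any LDAP library; the sample entries, attribute values and DNs are made up for the illustration, and it covers only and, or, not, presence and equality (no escaping or substring matching).

```python
# Added example, not from the thread: a small evaluator for the RFC 4515 filter
# syntax used in the two filters above, run over constructed directory entries so
# the effect of each filter can be checked offline.
# Supported: and (&), or (|), not (!), presence (attr=*) and equality (attr=value).
# Attribute names and values compare case-insensitively, as with the usual LDAP
# string syntaxes; value escaping (\2a and friends) is not handled.


def parse_filter(text):
    """Parse a filter string into ('&'|'|'|'!', children) or ('=', attr, value) nodes."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters at offset %d" % pos)
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        if op in "&|" and not children:
            raise ValueError("'%s' needs at least one filter" % op)
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unterminated filter at offset %d" % pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr or not value:
        raise ValueError("expected attr=value at offset %d" % pos)
    return ("=", attr, value), end + 1


def matches(node, entry):
    """entry maps lowercase attribute name -> list of string values."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr.lower(), [])
    if value == "*":                       # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(entries, filter_text):
    """Return the DNs of entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [entry["dn"] for entry in entries if matches(node, entry)]


# Constructed sample directory; attribute keys are lowercase.
DIRECTORY = [
    {"dn": "cn=John Smith,o=example", "givenname": ["John"], "l": ["Dallas"]},
    {"dn": "cn=Maria Lopez,o=example", "givenname": ["Maria"], "l": ["Austin"]},
    {"dn": "cn=John Doe,o=example", "givenname": ["John"], "l": ["Houston"]},
    {"dn": "cn=Ann Lee,o=example", "givenname": ["Ann"]},   # no location recorded
]

if __name__ == "__main__":
    for f in ("(|(l=Dallas)(l=Austin))",
              "(&(givenName=John)(|(l=Dallas)(l=Austin)))",
              "(!(l=*))"):
        print(f, "->", search(DIRECTORY, f))
```

The last filter is the one worth running before relying on a location-based filter: entries with no `l` attribute at all never match `(l=...)`, so users whose location was never entered simply drop out of the result rather than landing in a group.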
