Privacyidea and Active Directory limit of 1000 users

Hi,

I have tried every option, but can only get 1000 users to import onto
privacyidea from Active Directory. It just says “found 1000” users even
though there are more users than that. I have tried with simple and NTLM
and get the same results. I have also tried changing the size limit but
again no change.

Anyone know the answer?

Many Thanks

Mark

Hello Mark,

the users are not imported into privacyIDEA.
privacyIDEA performs a live query on the user store.

In the test example, privacyIDEA tries to fetch all users.

In any other case, it will try to fetch a user with
sAMAccountName=mark.williams or with the
DN=CN=user,CN=users,DC=nhs,DC=net.

I.e. if you see only 1000 users at this point, this does not matter. You
do not want to see more than 20 or 50 users at once, anyway.

So you may simply ignore this.

If you go to the users tab, the users tab will display all users it
finds, per default with the search pattern username=* => 1000 users.
The last username to be found might be “koelbel”. No users with a letter
after “k”.

If you search in the user tab and enter “will”, it will find all users
with the search pattern = “will”.

Thus you will see the user “williams” and the user “godwill”.

The 1000 is no limitation by privacyidea.
Rather Active Directory limits the result size in certain cases by
itself. You may see this in the Microsoft Management Console ADUC
snap-in, which tells you: “more than 2000 users found… go on with
bugging my CPU…”.

So not finding all 8721 users with the “test button” has no impact on
privacyIDEA’s functionality. It rather would have an impact on
privacyIDEA’s performance, if you would find all these users…

If you have any further questions, please do not hesitate to drop them!

Kind regards
Cornelius

On Monday, 14.12.2015, at 00:01 -0800, Mark Williams wrote:

> Hi,
>
> I have tried every option, but can only get 1000 users to import onto
> privacyidea from Active Directory. It just says “found 1000” users
> even though there are more users than that. I have tried with simple
> and NTLM and get the same results. I have also tried changing the
> size limit but again no change.
>
> Anyone know the answer?
>
> Many Thanks
>
> Mark

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/629ebc68-b814-47b8-8080-4bb8917dc3df%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hi Cornelius,

Thanks for getting back to me. Firstly, sorry for using the wrong terminology :)

Really grateful for your clarification.

So if I understand correctly, when it shows “1000 users” in the user tab, that is just the number from the current “filter” results and not the actual number of users the system has tokens for. If so, is there a way to show the number of users that have tokens enrolled?

Thank you so much

Mark

-----Original Message-----
From: Cornelius Kölbel [mailto:cornelius.koelbel@netknights.it]
Sent: 14 December 2015 09:27
To: Williams Mark (EAST KENT HOSPITALS UNIVERSITY NHS FOUNDATION TRUST)
Cc: privacyidea
Subject: Re: Privacyidea and Active Directory limit of 1000 users



This message may contain confidential information. If you are not the intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be accessed anywhere


Hi Mark,

the users you see there are the users in the user store, who could
potentially get a token.

You might want to take a look at the token tab, which shows you the
number of tokens enrolled. Anyway - this is the number of enrolled
tokens and is not necessarily equal to the number of users who have a
token.

You can assign several tokens to a user, thus you might have 1000 tokens
enrolled, but 2 for each user and only have 500 users with tokens (2).

In the UI there is no way to see the “number of users with tokens” at
the moment. Anyway, it is just a simple SQL query in the token database
and could be added easily.

In which are you using or planning to use privacyIDEA?

Kind regards
Cornelius

On Monday, 14.12.2015, at 09:38 +0000, Williams Mark (EAST KENT
HOSPITALS UNIVERSITY NHS FOUNDATION TRUST) wrote:

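The “simple SQL query in the token database” mentioned in the last reply, sketched as an added example that is not part of the original thread and not privacyIDEA's own code. It assumes a simplified, hypothetical `token` table (`serial`, `user_id`, `resolver`) filled with constructed rows, so table and column names must be checked against the real token database before use.

```python
import sqlite3

# Constructed sample rows: (serial, user_id, resolver). An empty user_id
# stands for a token that is enrolled but not assigned to any user.
SAMPLE_TOKENS = [
    ("OATH0001", "williams", "ad"),
    ("OATH0002", "williams", "ad"),
    ("TOTP0003", "godwill", "ad"),
    ("OATH0004", "koelbel", "ad"),
    ("TOTP0005", "koelbel", "ad"),
    ("OATH0006", "", ""),
    ("OATH0007", "williams", "local"),
]

def build_db(rows=SAMPLE_TOKENS):
    """Create an in-memory stand-in for the token database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE token (serial TEXT PRIMARY KEY, user_id TEXT, resolver TEXT)")
    db.executemany("INSERT INTO token VALUES (?, ?, ?)", rows)
    return db

def token_stats(db):
    """Return (enrolled tokens, assigned tokens, distinct users with a token)."""
    # A user is identified by resolver + user_id: the same login name in two
    # resolvers counts as two users. `user_id <> ''` also drops NULL owners.
    return db.execute("""
        SELECT (SELECT COUNT(*) FROM token),
               COUNT(*),
               COUNT(DISTINCT resolver || '/' || user_id)
        FROM token
        WHERE user_id <> ''
    """).fetchone()

def users_with_multiple_tokens(db):
    """List (resolver, user_id, token count) for users holding several tokens."""
    return db.execute("""
        SELECT resolver, user_id, COUNT(*) AS n
        FROM token
        WHERE user_id <> ''
        GROUP BY resolver, user_id
        HAVING COUNT(*) > 1
        ORDER BY n DESC, user_id
    """).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("tokens, assigned, users with tokens:", token_stats(db))
    print("users with more than one token:", users_with_multiple_tokens(db))
```

The gap between the first and third number is the difference described in the reply: enrolled tokens are not the same figure as users who hold a token.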