Critical extension is unavailable

[bill-e-ghote]

Queried our LDAP server. Got this: ldap.UNAVAILABLE_CRITICAL_EXTENSION: {'desc': 'Critical extension is unavailable'} Quick Google search turns up: http://blogs.adobe.com/apugalia/ldap-error-code-12-unavailable-critical-extension/ https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec439052.html

...commonly occurs when asking an LDAP Server to return paged results but the LDAP doesn’t support the PagedResultsControl extension.

SunOne 5.2 and 6.3 don’t support PagedResultsControl extension.

...which is the problem I'm running into. Unfortunately, setting the batch size parameter to 0 on such systems is also not going to help, as there is (in our case) a hard limit on the return size configured.

One way around this is to rewrite queries to parse out the enumeration in small steps, using query strings with wildcard operators. For example, querying sn="dav*", sn="daw*", etc., and then combining the results later. Of course, any arbitrary query string has to match the actual data in LDAP and be adjusted in the event the return exceeds whatever arbitrary cut-off size is implemented.

Any hope that ad-ldap-enum would be updated to support these edge cases situations?

I can see why that would not be super important, since the objective is AD enumeration and not just LDAP enum...

[edepree]

Following up on this issue. I have put this out for help wanted. Right now there is no plan to support or develop for non-Active Directory based LDAP servers.