error -17796 too many matches and other ldap weirdness

[Mike Scott]

Hi All,

Running 11.2.1 Entourage client. Our Exchange server is not running
Exchange 2003 SP2 yet as the admins are nervous to upgrade.

I setup a new directory service with the same info I use in Apple's
Address Book. Only info being server and search base. When I don't
fill in a search base, I get the -17768 error and can't connect to the
directory server at all. When I search for a name that returns a
modest amount of entires (40 or so will do it, have yet to find the
lower bounds) I get an error, -17796 saying there were too many
matches. I tried tweaking the Maximum Number of Results setting to no
avail. anyone?

It also appears to me that Entourage is only looking at the default
email address when looking up users on my ldap server. If I am
searching for "Jason User", and his default email address is
"(e-mail address removed)" I will recieve no results. However if I search for
"usr" or "jus" I will have his entry returned. Our users defulat email
address vary, sometimes being in the format First.Middle.Last@ and
sometimes simply being the short username, user@. Address Book will
find users based on default email address as well as full name details
with the same ldap settings. I'd love to hear an explanation to this
that isn't "It's the way you are setting up ldap entries" :-!

I'd love to hear from anyone at MS about this as I can't find mention
of this too many entries error anywhere... and any light that can be
shed on the ldap searching weirdness (such as what exactly Entourage is
quering against) would be great!

Thanks!!

-Mike

 

[Mickey Stevens]

Hi All,

Running 11.2.1 Entourage client. Our Exchange server is not running
Exchange 2003 SP2 yet as the admins are nervous to upgrade.

I setup a new directory service with the same info I use in Apple's
Address Book. Only info being server and search base. When I don't
fill in a search base, I get the -17768 error and can't connect to the
directory server at all.

In that case, I would suggest that you leave it unchecked.

When I search for a name that returns a
modest amount of entires (40 or so will do it, have yet to find the
lower bounds) I get an error, -17796 saying there were too many
matches. I tried tweaking the Maximum Number of Results setting to no
avail. anyone?

Also try increasing the search time limit on the server. That error has
been known to appear when a search times out before all of the results are
retrieved.

 

[Nathan Herring [MSFT]]

One of the lesser known problems with Active Directory is that they return
sizeLimitExceeded (which is translated into -17796) when they really should
return adminLimitExceeded in the case where there is a server-side,
administrative limit to the number of records it will return. If you set
your size limit to 400 and ask for 400 records, but the server only allows
300 records, you'll get this error and there's nothing you can do about it.
Furthermore, the error indicates you should be able to do something about it
(i.e., change your size limit), so it's doubly problematic. If you would
like this behavior to be different, I suggest escalating through PSS to the
Active Directory team -- they're worried about breaking backward
compatibility with pre-existing applications that are expecting this
incorrect behavior, and without customer desire, it will remain this way.

Are you connecting to your directory server on the main LDAP port, or the
global catalog port (3268 or 3269 if SSL is on)? If it's the former, you
have to provide a search base. In the latter case, providing a search base
will make virtual list view (VLV) browsing fail. I would suggest using the
Exchange-associated LDAP server defaults (i.e., the global catalog port and
no search base).

We have logic to turn what would be a contact search into an LDAP search by
converting all of the search criteria into standard LDAP criteria. It gets
pretty complicated, since we often have fallback cases about how to fill out
a contact field based on the existence of LDAP fields (i.e., use givenName
for last name, but if it's missing, try to calculate it from the
displayName).

Apparently, the internal search mechanism has some limitations about
searching parts of e-mail addresses, and that might be influencing this
issue.

If you can give a search where the search doesn't show the contact, yet,
when you copy the LDAP contact to your address book and perform the same
search, it does show the contact, let us know. (Or vice versa -- if the LDAP
search shows a contact that would not show up if that contact were copied
into your address book, that's problematic.)

-nh