
slow AD ldap query or bad filter/algorithm?

Natxo Asenjo
December 11, 2015 11:12

I need to get mail enabled groups info from Active Directory.

AD mail enabled groups (be it distribution or security groups) keep the
member attributes as distinguished names:


objectClass: top
objectClass: group
cn: mailgroup
member: CN=user a,OU=staff,dc=domain,dc=tld
member: CN=user b,OU=staff,dc=domain,dc=tld
member: CN=user c,OU=staff,dc=domain,dc=tld
member: CN=user d,OU=staff,dc=domain,dc=tld


So in order to get the mail addresses of those users, I need to launch
another query.

So I first query the mail enabled groups, fast query:

# snippet: needs Net::LDAP, Net::LDAP::Control::Paged and
# Net::LDAP::Constant qw(LDAP_CONTROL_PAGED); $ad_ldap is the bound
# connection and $page_ad the paged-results control, both set up earlier
my $mail_enabled_grps_AD = "(&(objectCategory=group)(mail=*))";

# first find enabled accounts to fill @ad_enabled
while (1) {
    my $search_ad = $ad_ldap->search(
        base   => "dc=domain,dc=tld",
        scope  => "sub",
        filter => $mail_enabled_grps_AD,
        # the Net::LDAP search option is "attrs"
        attrs =>
          [ 'cn', 'member', 'mail', 'proxyaddresses', 'distinguishedname' ],
        control => [$page_ad],
    );

    $search_ad->code && die "error on search ad: $@: " . $search_ad->error;
    while ( my $entry = $search_ad->pop_entry() ) {
        my $displayname = $entry->get_value('cn');
        my $dn          = $entry->get_value('distinguishedname');
        my $mail        = $entry->get_value('mail');
        my @members     = $entry->get_value('member');
        my @email_addrs = $entry->get_value('proxyaddresses');

        # fill @ad_enabled
        push @ad_mail_enbld_groups, lc $mail;

        # one extra LDAP search per member DN happens in here
        my @ad_mails = _from_dn_to_mail(@members);

        # generate hash for hoh_AD
        my $rec = {
            MAIL          => $mail,
            MEMBERS       => [@members],
            MEMBERS_ADDRS => [@ad_mails],
            PROXYADDRS    => [@email_addrs],
        };

        # assign $rec to %hoh_AD
        $hoh_AD{$mail} = $rec;
    }

    # leave the loop when the server sends no paging cookie (last page)
    my ($resp) = $search_ad->control(LDAP_CONTROL_PAGED) or last;
    $cookie_ad = $resp->cookie or last;

    # hand the cookie back to the control so the next search gets the next page
    $page_ad->cookie($cookie_ad);
}

If I do not use   my @ad_mails = _from_dn_to_mail(@members); then this
snippet runs under 2 seconds.

If I use it, it takes 2m30secs.

This is the code in the sub(s):

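# look up the mail attribute of a single member;
# runs one subtree search from the domain root per call
sub _get_ad_user_mail {
    my ($ad_user) = @_;
    my $search_ad = $ad_ldap->search(
        base  => "dc=domain,dc=tld",
        scope => "sub",
        filter =>    # (the filter value is missing from the archived message)
        attrs => ['mail'],
    );

    $search_ad->code && die "error on search ad: $@: " . $search_ad->error;
    for my $entry ( $search_ad->entries ) {
        my $ad_user_mail = $entry->get_value('mail');
        return $ad_user_mail;    # first match wins
    }
}

# map a list of member DNs to their mail addresses, one search per DN
sub _from_dn_to_mail {
    my (@members) = @_;
    my @ad_mail;
    for my $member (@members) {
        push @ad_mail, _get_ad_user_mail($member);
    }
    return @ad_mail;
}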

I mean, it works, but is it normal that it's so slow or am I missing
something very obvious?

Thanks for your input.
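
Added example, not part of the original post and not the poster's code: a different way to resolve member DNs, reading each DN directly with a base-scope search and caching the answer so a user in several groups is looked up once. The names mails_for_members, FakeLDAP and FakeResult are hypothetical, and the Fake* classes are a constructed stand-in for a bound Net::LDAP handle so the script runs without a directory.

```perl
use strict;
use warnings;
# One base-scope read per distinct member DN; %$cache is shared across groups.
sub mails_for_members {
    my ( $ldap, $cache, @member_dns ) = @_;
    my @mails;
    for my $dn (@member_dns) {
        my $key = lc $dn;    # AD compares DNs case-insensitively
        if ( !exists $cache->{$key} ) {
            my $res = $ldap->search(
                base   => $dn,       # read exactly this entry ...
                scope  => 'base',    # ... instead of searching the subtree
                filter => '(objectClass=*)',
                attrs  => ['mail'],
            );
            # 32 = noSuchObject (stale member value): cache it as "no mail"
            die "lookup of $dn failed: " . $res->error if $res->code && $res->code != 32;
            my $entry = $res->code ? undef : $res->entry(0);
            $cache->{$key} = $entry ? $entry->get_value('mail') : undef;
        }
        push @mails, $cache->{$key} if defined $cache->{$key};
    }
    return @mails;
}
# Constructed stand-in for a bound Net::LDAP handle, so this runs offline.
package FakeLDAP {
    my %dir = (    # constructed sample directory; undef = entry without mail
        'cn=user a,ou=staff,dc=domain,dc=tld' => 'a@domain.tld',
        'cn=user b,ou=staff,dc=domain,dc=tld' => 'b@domain.tld',
        'cn=nested,ou=staff,dc=domain,dc=tld' => undef,
    );
    sub new { return bless { n => 0 }, shift }
    sub search {
        my ( $self, %arg ) = @_;
        $self->{n}++;        # count round trips to the "server"
        my $k = lc $arg{base};
        return bless { found => exists $dir{$k}, mail => $dir{$k} }, 'FakeResult';
    }
}
package FakeResult {
    sub code      { return $_[0]{found} ? 0 : 32 }
    sub error     { return 'noSuchObject' }
    sub entry     { return $_[0] }    # the result doubles as its single entry
    sub get_value { return $_[0]{mail} }
}
my ( $ldap, %cache ) = ( FakeLDAP->new );
my @dns = map { "CN=$_,OU=staff,dc=domain,dc=tld" } 'user a', 'user b', 'nested', 'gone';
my @first  = mails_for_members( $ldap, \%cache, @dns );
my @second = mails_for_members( $ldap, \%cache, @dns[ 0, 1 ] );    # served from cache
print "@first | @second | searches: $ldap->{n}\n";
```

With a real directory, pass the bound Net::LDAP object in place of FakeLDAP->new and keep one %cache for the whole run.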
