How do I remove a member from a large ldap-ad group with over >1500 members

Question

I'm trying to remove a member from a large ldap Active Directory (AD) group. The below code will remove the member if the group is small. However it won't work if it's larger since AD splits the members into multiple range related attributes.

group.removeMember(person.getFullDn());
ldapTemplate.update(group);

I've tried to access those attributes directly using something like the below. IncrementalAttributesMapper allows me to get the list of range related member attributes ie member;Range=0-1499 and I attempt to delete the person from each, but no good. I don't get an error, but the person isn't removed from the group either

DirContextOperations ctx = ldapTemplate.lookupContext(group.getDn());

    IncrementalAttributesMapper<?> attributesMapper = new DefaultIncrementalAttributesMapper("member");
        while (attributesMapper.hasMore()) {

            String[] attributes = attributesMapper.getAttributesForLookup();

            for (String attribute: attributes ) {
                 ldapTemplate.lookup(group.getDn(), attributesMapper.getAttributesForLookup(), attributesMapper);
                    ctx.removeAttributeValue(attribute, person.getDn() );   
                    ldapTemplate.modifyAttributes(ctx);
            }    
        }

Hopefully someone has had more success with this. Thanks in advance!

Answer 1

I've got the solution as posted

I was getting a malformed attribute error until I just realised that the BasicAttribute is expecting String parameters. I was incorrectly passing in a Name object to it.

ldapTemplate.modifyAttributes(group.getDn(), new ModificationItem[] {
            new ModificationItem(
                DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("member", person.getFullDn().toString() ))
        });