
Why is LDAP authentication failing with "size limit exceeded" errors using Splunk 6.2 on Windows 2008 R2?

caija
Engager

I am using Splunk (6.2) deployed on Windows 2008 R2.

For some reason the configuration is failing with a "size limit exceeded" error. I turned on DEBUG level logging for ScopedLDAPConnection and it is binding to the LDAP just fine but is breaking on a lookup. The pertinent log entries are included below. I know for a fact that there are fewer than 30 LDAP objects in total under the configured DN/OU. Why it is throwing this error and how to resolve it is a complete mystery.

10-28-2014 14:39:34.622 -0700 DEBUG ScopedLDAPConnection - strategy="ldaphost" Loading entry attributes for DN="OU=CIS,OU=Staff,OU=WallaWalla,DC=wwcc-domain"
10-28-2014 14:39:34.622 -0700 DEBUG ScopedLDAPConnection - strategy="ldaphost" Attempting to search subtree at DN="OU=CIS,OU=Staff,OU=WallaWalla,DC=wwcc-domain" using filter="(&(objectclass=user)(displayname=)(samaccountname=))"
10-28-2014 14:39:34.622 -0700 DEBUG ScopedLDAPConnection - strategy="ldaphost" Search duration="0 microseconds"
10-28-2014 14:39:34.622 -0700 WARN ScopedLDAPConnection - strategy="ldaphost" LDAP Server returned warning in search for DN="OU=CIS,OU=Staff,OU=WallaWalla,DC=wwcc-domain". reason="Size limit exceeded"

caija
Engager

I had already confirmed that only 25 objects would be returned using the LDP.exe utility using the given DN and search filters.

Turns out I had an issue with the 'groupMemberAttribute' setting. I had accidentally pluralized it, using 'members' instead of 'member'. Anyway, I have a working configuration now and am including an excerpt from the authentication.conf file that was saved.

[TestLDAPStrategy]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=o365stu1,OU=someOU1,OU=someOU2,DC=domain
bindDNpassword = $password$
charset = utf8
emailAttribute = mail
groupBaseDN = OU=Foo,DC=domain
groupBaseFilter = (objectclass=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = myHost
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=bar,OU=baz,DC=domain
userBaseFilter = (objectclass=user)
userNameAttribute = samaccountname

[authentication]
authSettings = ldaphost,TestLDAPStrategy
authType = LDAP

grijhwani
Motivator

What the filters are is wholly dependent on the structure of the LDAP, which is entirely a local affair. A spelling mistake in your selection criteria would have returned different results - as you experienced.


grijhwani
Motivator

Quite simply - the user search would return more than 1000 entries (as a default). The size limit is a feature of the LDAP service configuration. You need to refine the LDAP query to return a more targeted list of only the users it requires.
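The two things this thread turns on, a misspelled attribute name in the strategy stanza and a search that returns more than the server is willing to hand back, are both checkable before Splunk ever binds to the directory. The script below is an added example, not code from the thread or from Splunk: it parses a copy of the posted stanza (with the original 'members' typo put back so there is something to catch), lints the attribute names against a hypothetical allow-list of attribute names that Active Directory and OpenLDAP actually expose for those roles, checks that sizelimit is sane and the base filters are balanced, and builds a user search filter with RFC 4515 escaping so a username supplied at login time cannot alter the filter. The filter shape `(&<userBaseFilter>(<userNameAttribute>=<name>))` is a constructed illustration and is not claimed to be the exact filter Splunk sends.

```python
import configparser

# Constructed copy of the working stanza posted above, with the original
# typo ("members") restored so the linter has something to report.
SAMPLE_CONF = """\
[TestLDAPStrategy]
SSLEnabled = 0
bindDN = CN=o365stu1,OU=someOU1,OU=someOU2,DC=domain
bindDNpassword = $password$
groupBaseDN = OU=Foo,DC=domain
groupBaseFilter = (objectclass=group)
groupMemberAttribute = members
groupNameAttribute = cn
host = myHost
port = 389
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=bar,OU=baz,DC=domain
userBaseFilter = (objectclass=user)
userNameAttribute = samaccountname
"""

# Hypothetical allow-list (assumption, not a Splunk setting): attribute names
# that AD / OpenLDAP schemas really use for each role, lower-cased.
KNOWN_ATTRS = {
    "groupMemberAttribute": {"member", "uniquemember", "memberuid"},
    "userNameAttribute": {"samaccountname", "uid", "userprincipalname"},
    "realNameAttribute": {"displayname", "cn"},
    "groupNameAttribute": {"cn"},
}


def parse_strategy(text: str, stanza: str) -> dict:
    """Read one [stanza] of an authentication.conf-style file into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys instead of lower-casing them
    cp.read_string(text)
    return dict(cp[stanza])


def _balanced(s: str) -> bool:
    """True if parentheses in an LDAP filter string open and close in order."""
    depth = 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_strategy(cfg: dict) -> list:
    """Return a list of problems found in an LDAP strategy stanza (empty = clean)."""
    problems = []
    for key, allowed in KNOWN_ATTRS.items():
        value = cfg.get(key, "")
        if value.lower() not in allowed:
            problems.append(
                f"{key}={value!r} is not a known attribute name; expected one of {sorted(allowed)}"
            )
    for key in ("userBaseFilter", "groupBaseFilter"):
        if not _balanced(cfg.get(key, "")):
            problems.append(f"{key} has unbalanced parentheses")
    # sizelimit is the client-side cap; the directory's own limit (the thread
    # cites 1000 as the default) still applies, so a huge value buys nothing.
    try:
        if int(cfg.get("sizelimit", "0")) <= 0:
            problems.append("sizelimit must be a positive integer")
    except ValueError:
        problems.append("sizelimit is not an integer")
    return problems


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # e.g. '*' -> '\2a', '(' -> '\28'
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(cfg: dict, username: str) -> str:
    """Constructed user lookup filter: AND the base filter with an escaped username match."""
    return "(&%s(%s=%s))" % (
        cfg["userBaseFilter"],
        cfg["userNameAttribute"],
        escape_filter_value(username),
    )


if __name__ == "__main__":
    cfg = parse_strategy(SAMPLE_CONF, "TestLDAPStrategy")
    for p in lint_strategy(cfg):
        print("WARN:", p)
    print(user_search_filter(cfg, "jdoe"))
```

Run against the sample, the linter reports only the `groupMemberAttribute='members'` line; change it to `member` and the stanza passes. The escaping matters because the username in the filter comes straight from the login form: without it, a value such as `*)(objectclass=*` would be spliced into the filter as structure rather than data.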
