I am using Splunk (6.2) deployed on Windows 2008 R2.
For some reason the configuration is failing with a "size limit exceeded" error. I turned on DEBUG level logging for ScopedLDAPConnection and it is binding to the LDAP just fine but is breaking on a lookup. The pertinent log entries are included below. I know for a fact that there are fewer than 30 LDAP objects in total under the configured DN/OU. Why it is throwing this error and how to resolve it is a complete mystery.
10-28-2014 14:39:34.622 -0700 DEBUG ScopedLDAPConnection - strategy="ldaphost" Loading entry attributes for DN="OU=CIS,OU=Staff,OU=WallaWalla,DC=wwcc-domain"
10-28-2014 14:39:34.622 -0700 DEBUG ScopedLDAPConnection - strategy="ldaphost" Attempting to search subtree at DN="OU=CIS,OU=Staff,OU=WallaWalla,DC=wwcc-domain" using filter="(&(objectclass=user)(displayname=)(samaccountname=))"
10-28-2014 14:39:34.622 -0700 DEBUG ScopedLDAPConnection - strategy="ldaphost" Search duration="0 microseconds"
10-28-2014 14:39:34.622 -0700 WARN ScopedLDAPConnection - strategy="ldaphost" LDAP Server returned warning in search for DN="OU=CIS,OU=Staff,OU=WallaWalla,DC=wwcc-domain". reason="Size limit exceeded"
I had already confirmed with the LDP.exe utility that only 25 objects would be returned using the given DN and search filters.
Turns out I had an issue with the 'groupMemberAttribute' setting. I had accidentally pluralized it, using 'members' instead of 'member'. Anyway, I have a working configuration now and am including an excerpt from the authentication.conf file that was saved.
[TestLDAPStrategy]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=o365stu1,OU=someOU1,OU=someOU2,DC=domain
bindDNpassword = $password$
charset = utf8
emailAttribute = mail
groupBaseDN = OU=Foo,DC=domain
groupBaseFilter = (objectclass=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = myHost
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=bar,OU=baz,DC=domain
userBaseFilter = (objectclass=user)
userNameAttribute = samaccountname

[authentication]
authSettings = ldaphost,TestLDAPStrategy
authType = LDAP
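A pre-deployment check for the kind of typo described in the answer above, as an added example that is not part of the original thread and is not Splunk tooling: it parses an authentication.conf excerpt and flags a groupMemberAttribute outside a small allow-list, an unbalanced base filter, and an explicit SSLEnabled = 0. The stanza names, the sample values and the allow-list are assumptions made for illustration.

```python
import configparser

# Membership attributes from common directory schemas (AD/groupOfNames use
# "member"). This allow-list is an assumption of the example; extend it locally.
KNOWN_MEMBER_ATTRS = {"member", "uniquemember", "memberuid"}

# Constructed sample: the first stanza carries the typos, the second the fix.
SAMPLE_CONF = """
[BrokenStrategy]
SSLEnabled = 0
groupBaseFilter = (objectclass=group)
groupMemberAttribute = members
userBaseDN = OU=bar,OU=baz,DC=domain
userBaseFilter = (objectclass=user

[FixedStrategy]
SSLEnabled = 1
groupBaseFilter = (objectclass=group)
groupMemberAttribute = member
userBaseDN = OU=bar,OU=baz,DC=domain
userBaseFilter = (objectclass=user)

[authentication]
authSettings = BrokenStrategy,FixedStrategy
authType = LDAP
"""

def lint_ldap_strategies(conf_text):
    """Return sorted (stanza, setting) pairs that deserve a second look."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)
    findings = []
    for name, s in cp.items():
        if "userBaseDN" not in s:  # skip non-strategy stanzas
            continue
        if s.get("groupMemberAttribute", "").lower() not in KNOWN_MEMBER_ATTRS:
            findings.append((name, "groupMemberAttribute"))
        for key in ("userBaseFilter", "groupBaseFilter"):
            f = s.get(key, "")
            if f.count("(") != f.count(")"):  # unbalanced LDAP filter
                findings.append((name, key))
        if s.get("SSLEnabled") == "0":  # bind password sent without TLS
            findings.append((name, "SSLEnabled"))
    return sorted(findings)

if __name__ == "__main__":
    for stanza, setting in lint_ldap_strategies(SAMPLE_CONF):
        print(f"{stanza}: check {setting}")
```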
What the filters are is wholly dependent on the structure of the LDAP, which is entirely a local affair. A spelling mistake in your selection criteria would have returned different results - as you experienced.
Quite simply - the user search would return more than 1000 entries (as a default). The size limit is a feature of the LDAP service configuration. You need to refine the LDAP query to return a more targeted list of only the users it requires.