- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Re: LDAP Size Limit
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LDAP Size Limit
Hi all,
I know this has been covered before here, but I'm still struggling with it. How do we tell Splunk to return more than 1000 users per LDAP strategy. I've tried increasing the size limit and the max number of precache users, but that hasn't helped.
For example, I have a strategy right now that's filtering for 4 groups with a total number of users (nested) at about 1200. My size limit for the strategy is 5,000 and precahce users is 10,000. But I'm still receiving the Size Limit warning in my logs for that strategy.
And I know the size limit configuration mentions "The number actually returned is subject to the limit imposed by the LDAP server." But that just doesn't make sense to me. Every other technology that queries AD can get around those limits. I feel like Splunk should be able to as well.
Is there something I'm missing or just not understanding? It's frustrating because we just have to keep creating more and more strategies. If that's the only way, then that's what we'll do (assuming every group has less than 1000 members). But I hope there's another way now or will be in the future.
We are currently on Splunk 6.0
Thanks for any insight!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk support basically told me to increase the limit on our AD servers, which is not an option for a large enterprise. Besides, that just introduces extra load on the AD servers for all the other queries.
We are still having the same problem. I tried manually editing the authentication.conf to add the group mapping for the 8000 user group, but users are still unable to login. Debugging the LDAP logging did not help.
That pageSize option needs to be reintroduced back into Splunk. Most other apps have that to accommodate for this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got my support contact to agree to submit an ER for this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exactly, we don't really have that option to increase the limit in AD. I wish Splunk worked like most other apps I've dealt with in the past (still need to open enhancement request). In a nutshell:
Just check AD when a user tries to log in. If the user should have access, check to see if their account exists. If they should but not created in Splunk yet, create it then. If it does exist, verify roles/etc based on current membership and update splunk account accordingly.
There's no need query AD for every user at once...especially if you're unwilling to modify the page size.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume you are using Active Directory. You will want to change MaxPageSize. Default is 1000.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
antlefebvre, it may be Splunk's only solution. But my scripts (powershell, vbscript, kix, etc) can all bring back more than 1000 objects per search. So speaking of Active Directory in general, it's not the only solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is absurd that Splunk has not ldap pagining....To modify AD in a complex architecture can make damage on performance and other application; also i do not have administration of AD ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It isn't a solution, it is THE solution. You will run into that issue if you use an LDAP browser or any other tool that requires LDAP integration. You need to fix it from the LDAP server, not the LDAP client.
Try downloading Softerra LDAP Browser. Query your OUs/groups that have over 1000 members and you will see the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand that is a solution, but it's not going to happen in our environment. And if that is Splunk's only solution, then I need to open an ehancement request, because they need to improve the way they do ldap integration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm in a problem like this from days, so i asked to windows administrators to change maximun page size on Active Directory and now i'm waiting for this. However it is a vary strange regression of Splunk ...In 3.x version it was present a pageSize directive for ldap pagining search.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
