Security
Highlighted

What is LDAP error: Size Limit Exceeded ?

Champion

I'm trying to configure LDAP and am hitting the following error:

ERROR ScopedLDAPConnection - Search for DN 'CN=Users,DC=Domain,DC=Com' gave error: Size limit exceeded

What does this error mean?

Labels (1)
Tags (3)
Highlighted

Re: What is LDAP error: Size Limit Exceeded ?

Champion

Size Limit Exceeded is an LDAP server error indicating that the search request was unable to return all entries due to a limit. The problem encountered is that the users or groups you are looking for may have been in the 1001+ entries and are not being returned.

In AD, the default size limit is typically 1000 entries. The LDAP server error is usually followed by an error indicating the number of entries returned which is a few entries less than the actual size limit. There is nothing you can do to change this limit unless you are the LDAP server administrator.

In Splunk, you can use filters to reduce the number of LDAP entries returned so that you do not hit this limit.

View solution in original post

Highlighted

Re: What is LDAP error: Size Limit Exceeded ?

Splunk Employee
Splunk Employee

I downvoted this post because instead of 7.2, ldap pagination is supported in 7.3
https://docs.splunk.com/documentation/splunk/7.3.0/admin/authenticationconf

pagelimit =
* optional
* the maximum number of entries to return in each page.
* enables result sets that exceed the maximum number of entries defined for the
ldap server.
* if set to -1, ldap pagination is off.
* important: the maximum number of entries a page returns is subject to
the maximum page size limit of the ldap server. for example: if you set 'pagelimit =
5000' and the server limit is 1000, you cannot receive more than 1000 entries in
a page.
* default: -1

Splunk 7.3 also supports ldap range retrieval ( in case there are too many users in a group).
enablerangeretrieval =
* optional
* the maximum number of values that can be retrieved from one attribute in a
single ldap search request is determined by the ldap server. if the number of
users in a group exceeds the ldap server limit, enabling this setting fetches all
users by using the "range retrieval" mechanism.
* enables result sets for a given attribute that exceed the maximum number of
values defined for the ldap server.
* if set to false, ldap range retrieval is off.
* default: false

0 Karma
Highlighted

Re: What is LDAP error: Size Limit Exceeded ?

Communicator

There used to be a pageSize setting back in the 3.x days (still lives in some of the docs), but it doesnt exist in 4.x, any chance of this being addeed back in?

Highlighted

Re: What is LDAP error: Size Limit Exceeded ?

Path Finder

I received this same error on 4.3 I went into Manager > Authentication Method > Configure Splunk to use LDAP and map groups >

On the CLI, you could just edit /etc/system/local/authentication.conf as follows:
OLD: sizelimit = 1000
New: sizelimit = 10000

Highlighted

Re: What is LDAP error: Size Limit Exceeded ?

Path Finder

in 6.2.x,Even increased the size limit to 30000 also,got error message as "LDAP server warning:size limit exceeded".
Is there any otherway,can we increase the limit?

Highlighted

Re: What is LDAP error: Size Limit Exceeded ?

Contributor

I have the same issue "Warning: LDAP server size limit exceeded" but I can see more than 1000 groups in Splunk(near 1800) and users can Log in.
My LDAP server limit is 5000. I have no Idea where to find solution.
May be this message could be ignore as it is not error but warning.

0 Karma
Highlighted

Re: What is LDAP error: Size Limit Exceeded ?

Splunk Employee
Splunk Employee

Splunk 7.2 will have ldap pagination to overcome this limit.

Highlighted

Re: What is LDAP error: Size Limit Exceeded ?

Engager

Is ldap pagination available by now? I haven't found anything regarding this topic in the Splunk release notes

Highlighted

Re: What is LDAP error: Size Limit Exceeded ?

Splunk Employee
Splunk Employee

Instead of 7.2, LDAP pagination is supported in 7.3
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Authenticationconf

pagelimit =
* OPTIONAL
* The maximum number of entries to return in each page.
* Enables result sets that exceed the maximum number of entries defined for the
LDAP server.
* If set to -1, ldap pagination is off.
* IMPORTANT: The maximum number of entries a page returns is subject to
the maximum page size limit of the LDAP server. For example: If you set 'pagelimit =
5000' and the server limit is 1000, you cannot receive more than 1000 entries in
a page.
* Default: -1

Splunk 7.3 also supports LDAP Range Retrieval ( in case there are too many users in a group).
enableRangeRetrieval =
* OPTIONAL
* The maximum number of values that can be retrieved from one attribute in a
single LDAP search request is determined by the LDAP server. If the number of
users in a group exceeds the LDAP server limit, enabling this setting fetches all
users by using the "range retrieval" mechanism.
* Enables result sets for a given attribute that exceed the maximum number of
values defined for the LDAP server.
* If set to false, ldap range retrieval is off.
* Default: false

0 Karma