We are using Splunk 6.3.2 with an LDAP strategy (FreeIPA) which contains the following users and groups:
In other words:
Splunk's user database shows only "mike" with the role "admin". The role "user" will never be used, not even for "mike". "joe" doesn't appear either.
This is our configuration:
```ini
[authentication]
authSettings = freeipa
authType = LDAP

[roleMap_freeipa]
admin = app_splunk_admin
user = app_splunk_user

[freeipa]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = uid=splunk,cn=users,cn=accounts,dc=example,dc=com
bindDNpassword = topsecret
charset = utf8
emailAttribute = mail
groupBaseDN = cn=groups,cn=accounts,dc=example,dc=com
groupBaseFilter = (cn=app_splunk_*)
groupMappingAttribute = memberof
groupMemberAttribute = member
groupNameAttribute = cn
host = freeipa.example.com
nestedGroups = 1
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = cn=users,cn=accounts,dc=example,dc=com
userBaseFilter = (memberOf=cn=app_splunk_user,cn=groups,cn=accounts,dc=example,dc=com)
userNameAttribute = uid
```
These two lines from splunkd.log are interesting (sizelimit is "1000" at both ends, but Splunk still sends LDAP subtree requests with a sizelimit of 1):
```
01-20-2016 17:00:04.725 +0100 WARN ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=users,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"
01-20-2016 17:00:04.729 +0100 WARN ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=groups,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"
```
Are there more than 1000 users in the Base DN you have configured?
The error in splunkd.log looks like it's searching your Base DN of "cn=users,cn=accounts,dc=example,dc=com" and maybe not using the filter at all?
Size Limit Exceeded is an LDAP server error indicating that the search request was unable to return all entries due to a limit. The problem encountered is that the users or groups you are looking for may have been in the 1001+ entries and are not being returned.
In AD, the default size limit is typically 1000 entries. The LDAP server error is usually followed by an error indicating the number of entries returned, which is a few entries less than the actual size limit. There is nothing you can do to change this limit unless you are the LDAP server administrator.
In Splunk, you can use filters to reduce the number of LDAP entries returned so that you do not hit this limit. Is there a typo in your filter at all? This page has some good examples http://blogs.splunk.com/2009/10/01/ldap-basefilter-examples/
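A quick way to check the answer's suggestion (is it the base DN or the filter that hits the limit?) is to reproduce Splunk's searches outside Splunk. The script below is an added example, not code from the original post or from Splunk: it parses the `[authentication]`/strategy stanza from the question, matches the "Size limit exceeded" warnings in `splunkd.log` against the configured user and group base DNs, and prints OpenLDAP `ldapsearch` commands that issue the same subtree search with the same filter and `sizelimit`, so you can count matching entries yourself. It assumes (this is not stated on the page) that Splunk's user listing is a subtree search of `userBaseDN` with `userBaseFilter` and the group listing a subtree search of `groupBaseDN` with `groupBaseFilter`; the sample config and log lines are copied from the question.

```python
"""Diagnose Splunk LDAP 'Size limit exceeded' warnings and reproduce the searches.

Added example (not from the original post or Splunk). Assumption: Splunk lists
users with a subtree search of userBaseDN + userBaseFilter and lists groups with
a subtree search of groupBaseDN + groupBaseFilter; those are the DNs named in
the warnings.
"""
import configparser
import re
import shlex

# Constructed sample input: the strategy stanzas and log lines from the question.
AUTH_CONF = """
[authentication]
authSettings = freeipa
authType = LDAP

[freeipa]
SSLEnabled = 0
bindDN = uid=splunk,cn=users,cn=accounts,dc=example,dc=com
bindDNpassword = topsecret
groupBaseDN = cn=groups,cn=accounts,dc=example,dc=com
groupBaseFilter = (cn=app_splunk_*)
host = freeipa.example.com
port = 389
sizelimit = 1000
timelimit = 15
userBaseDN = cn=users,cn=accounts,dc=example,dc=com
userBaseFilter = (memberOf=cn=app_splunk_user,cn=groups,cn=accounts,dc=example,dc=com)
userNameAttribute = uid
"""

SPLUNKD_LOG = """
01-20-2016 17:00:04.725 +0100 WARN ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=users,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"
01-20-2016 17:00:04.729 +0100 WARN ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=groups,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"
"""

WARN_RE = re.compile(
    r'WARN ScopedLDAPConnection - strategy="(?P<strategy>[^"]+)" '
    r'LDAP Server returned warning in search for DN="(?P<dn>[^"]+)"\. '
    r'reason="(?P<reason>[^"]+)"'
)


def load_strategy(conf_text, strategy_name=None):
    """Return the LDAP strategy stanza (default: the one named by authSettings)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys as written
    cp.read_string(conf_text)
    if strategy_name is None:
        strategy_name = cp["authentication"]["authSettings"]
    return dict(cp[strategy_name])


def as_filter(value):
    """Wrap a bare filter in parentheses; empty means 'match everything'."""
    value = (value or "").strip()
    if not value:
        return "(objectClass=*)"
    return value if value.startswith("(") else f"({value})"


def planned_searches(strategy):
    """The two subtree searches Splunk is assumed to issue (see module docstring)."""
    return {
        "users": (strategy["userBaseDN"], as_filter(strategy.get("userBaseFilter"))),
        "groups": (strategy["groupBaseDN"], as_filter(strategy.get("groupBaseFilter"))),
    }


def size_limit_warnings(log_text):
    """(strategy, base DN) pairs for every 'Size limit exceeded' warning in the log."""
    hits = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m and m.group("reason") == "Size limit exceeded":
            hits.append((m.group("strategy"), m.group("dn")))
    return hits


def ldapsearch_cmd(strategy, base, flt):
    """OpenLDAP ldapsearch reproducing the search: subtree scope, same limits, DNs only.

    -W prompts for the bind password instead of putting bindDNpassword on the
    command line; '1.1' requests no attributes so the output is just a count.
    """
    scheme = "ldaps" if strategy.get("SSLEnabled") == "1" else "ldap"
    uri = f"{scheme}://{strategy['host']}:{strategy.get('port', '389')}"
    args = ["ldapsearch", "-x", "-H", uri, "-D", strategy["bindDN"], "-W",
            "-b", base, "-s", "sub",
            "-z", strategy.get("sizelimit", "1000"),
            "-l", strategy.get("timelimit", "15"),
            flt, "1.1"]
    return " ".join(shlex.quote(a) for a in args)


def diagnose(conf_text, log_text):
    """Map each planned search to whether its base DN overflowed and how to reproduce it."""
    strategy = load_strategy(conf_text)
    hit_dns = {dn for _, dn in size_limit_warnings(log_text)}
    report = {}
    for name, (base, flt) in planned_searches(strategy).items():
        report[name] = {
            "base": base,
            "filter": flt,
            "size_limit_hit": base in hit_dns,
            "ldapsearch": ldapsearch_cmd(strategy, base, flt),
        }
    return report


if __name__ == "__main__":
    for name, info in diagnose(AUTH_CONF, SPLUNKD_LOG).items():
        flag = "SIZE LIMIT HIT" if info["size_limit_hit"] else "ok"
        print(f"{name}: {flag}\n  base={info['base']}\n  filter={info['filter']}\n  {info['ldapsearch']}")
```

Run the printed `ldapsearch` commands from a host that can reach `freeipa.example.com`; if the user search returns the full `sizelimit` worth of entries and reports a size-limit result, the filter is matching far more than the `app_splunk_user` members, which points at the filter (or the `memberOf` attribute not being populated as expected) rather than at the base DN.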