Security

What is LDAP error: Size Limit Exceeded ?

the_wolverine
Champion

I'm trying to configure LDAP and am hitting the following error:

ERROR ScopedLDAPConnection - Search for DN 'CN=Users,DC=Domain,DC=Com' gave error: Size limit exceeded

What does this error mean?

Labels (1)
Tags (3)
1 Solution

the_wolverine
Champion

Size Limit Exceeded is an LDAP server error indicating that the search request was unable to return all entries due to a limit. The problem encountered is that the users or groups you are looking for may have been in the 1001+ entries and are not being returned.

In AD, the default size limit is typically 1000 entries. The LDAP server error is usually followed by an error indicating the number of entries returned which is a few entries less than the actual size limit. There is nothing you can do to change this limit unless you are the LDAP server administrator.

In Splunk, you can use filters to reduce the number of LDAP entries returned so that you do not hit this limit.

View solution in original post

hrawat_splunk
Splunk Employee
Splunk Employee

Splunk 7.2 will have ldap pagination to overcome this limit.

hettervi
Builder

Bump. Can't find it either.

0 Karma

hrawat_splunk
Splunk Employee
Splunk Employee

Instead of 7.2, LDAP pagination is supported in 7.3
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Authenticationconf

pagelimit =
* OPTIONAL
* The maximum number of entries to return in each page.
* Enables result sets that exceed the maximum number of entries defined for the
LDAP server.
* If set to -1, ldap pagination is off.
* IMPORTANT: The maximum number of entries a page returns is subject to
the maximum page size limit of the LDAP server. For example: If you set 'pagelimit =
5000' and the server limit is 1000, you cannot receive more than 1000 entries in
a page.
* Default: -1

Splunk 7.3 also supports LDAP Range Retrieval ( in case there are too many users in a group).
enableRangeRetrieval =
* OPTIONAL
* The maximum number of values that can be retrieved from one attribute in a
single LDAP search request is determined by the LDAP server. If the number of
users in a group exceeds the LDAP server limit, enabling this setting fetches all
users by using the "range retrieval" mechanism.
* Enables result sets for a given attribute that exceed the maximum number of
values defined for the LDAP server.
* If set to false, ldap range retrieval is off.
* Default: false

Gowthamdevaraj
New Member

Hello 🙂

So your mean, in 7.2x version of splunk the concept of extending the LDAP limit is not possible?

thanks

0 Karma

lucassilber
Engager

Is ldap pagination available by now? I haven't found anything regarding this topic in the Splunk release notes

hrawat_splunk
Splunk Employee
Splunk Employee

Instead of 7.2, LDAP pagination is supported in 7.3
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Authenticationconf

pagelimit =
* OPTIONAL
* The maximum number of entries to return in each page.
* Enables result sets that exceed the maximum number of entries defined for the
LDAP server.
* If set to -1, ldap pagination is off.
* IMPORTANT: The maximum number of entries a page returns is subject to
the maximum page size limit of the LDAP server. For example: If you set 'pagelimit =
5000' and the server limit is 1000, you cannot receive more than 1000 entries in
a page.
* Default: -1

Splunk 7.3 also supports LDAP Range Retrieval ( in case there are too many users in a group).
enableRangeRetrieval =
* OPTIONAL
* The maximum number of values that can be retrieved from one attribute in a
single LDAP search request is determined by the LDAP server. If the number of
users in a group exceeds the LDAP server limit, enabling this setting fetches all
users by using the "range retrieval" mechanism.
* Enables result sets for a given attribute that exceed the maximum number of
values defined for the LDAP server.
* If set to false, ldap range retrieval is off.
* Default: false

0 Karma

andrey2007
Contributor

I have the same issue "Warning: LDAP server size limit exceeded" but I can see more than 1000 groups in Splunk(near 1800) and users can Log in.
My LDAP server limit is 5000. I have no Idea where to find solution.
May be this message could be ignore as it is not error but warning.

0 Karma

viswanathsd
Path Finder

in 6.2.x,Even increased the size limit to 30000 also,got error message as "LDAP server warning:size limit exceeded".
Is there any otherway,can we increase the limit?

lisaac
Path Finder

I received this same error on 4.3 I went into Manager > Authentication Method > Configure Splunk to use LDAP and map groups >

On the CLI, you could just edit /etc/system/local/authentication.conf as follows:
OLD: sizelimit = 1000
New: sizelimit = 10000

adamw
Communicator

There used to be a pageSize setting back in the 3.x days (still lives in some of the docs), but it doesnt exist in 4.x, any chance of this being addeed back in?

the_wolverine
Champion

Size Limit Exceeded is an LDAP server error indicating that the search request was unable to return all entries due to a limit. The problem encountered is that the users or groups you are looking for may have been in the 1001+ entries and are not being returned.

In AD, the default size limit is typically 1000 entries. The LDAP server error is usually followed by an error indicating the number of entries returned which is a few entries less than the actual size limit. There is nothing you can do to change this limit unless you are the LDAP server administrator.

In Splunk, you can use filters to reduce the number of LDAP entries returned so that you do not hit this limit.

hrawat_splunk
Splunk Employee
Splunk Employee

I downvoted this post because instead of 7.2, ldap pagination is supported in 7.3
https://docs.splunk.com/documentation/splunk/7.3.0/admin/authenticationconf

pagelimit =
* optional
* the maximum number of entries to return in each page.
* enables result sets that exceed the maximum number of entries defined for the
ldap server.
* if set to -1, ldap pagination is off.
* important: the maximum number of entries a page returns is subject to
the maximum page size limit of the ldap server. for example: if you set 'pagelimit =
5000' and the server limit is 1000, you cannot receive more than 1000 entries in
a page.
* default: -1

Splunk 7.3 also supports ldap range retrieval ( in case there are too many users in a group).
enablerangeretrieval =
* optional
* the maximum number of values that can be retrieved from one attribute in a
single ldap search request is determined by the ldap server. if the number of
users in a group exceeds the ldap server limit, enabling this setting fetches all
users by using the "range retrieval" mechanism.
* enables result sets for a given attribute that exceed the maximum number of
values defined for the ldap server.
* if set to false, ldap range retrieval is off.
* default: false

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...