Tech Tip : CA Single Sign-On : LIMIT_EXCEEDED(4) with partial result error showing when accessing a resource

Document created by Albert_Fernandez Employee on May 30, 2017
Version 1Show Document
  • View in full screen mode

Symptoms:

When I try to access a protected resource with a user which is member of a group only everything works fine. But, when I try with a user that has more groups access is refused. I tried with user with 4 and 28 groups assigned).

In Policy Server I see the following:
[CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of (|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com))) returns LIMIT_EXCEEDED(4) with partial result]
[04/22/2016][14:37:51.904][14:37:51][1952][4256][SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search][][][][][][][][][][][][][Sizelimit exceeded][][][][][][(Search) Base: '', Filter: '(|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com)))'][][Ldap Search callout fails.]

 

Environment:

Policy Server R12.5 or higher

LDAP User Directory

 

Cause:

The LDAP query is returning more results than the current LDAP store size limit overpassing it, which is causing the error and therefore the user authentication is rejected. When the user is a member of only one group, the result is not overpassing the limit and this is why it is not failing in this case.

 

Resolution:

Verify the current max results size limit setting in the LDAP store configuration and increase it.

 

KD : TEC1244697

Attachments

    Outcomes