Symantec Access Management


Tech Tip : CA Single Sign-On : LIMIT_EXCEEDED(4) with partial result error showing when accessing a resource 

May 30, 2017 08:35 AM

Symptoms:

When I try to access a protected resource with a user who is a member of one group only, everything works fine. But when I try with a user that has more groups, access is refused. (I tried with users with 4 and 28 groups assigned.)

In Policy Server I see the following:
[CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of (|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com))) returns LIMIT_EXCEEDED(4) with partial result]
[04/22/2016][14:37:51.904][14:37:51][1952][4256][SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search][][][][][][][][][][][][][Sizelimit exceeded][][][][][][(Search) Base: '', Filter: '(|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com)))'][][Ldap Search callout fails.]

 

Environment:

Policy Server R12.5 or higher

LDAP User Directory

 

Cause:

The LDAP query returns more results than the size limit currently configured in the LDAP store allows. This causes the error, and the user authentication is therefore rejected. When the user is a member of only one group, the result does not exceed the limit, which is why the request does not fail in that case.

 

Resolution:

Verify the current max results size limit setting in the LDAP store configuration and increase it.
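
To see which users are hitting the limit before changing it, the trace can be scanned for the two size-limit messages quoted above. The following is an added example, not CA or Broadcom code: the sample trace lines are constructed from the ones in this article, and the function names find_limit_events and affected_users are hypothetical.

```python
import re
from collections import Counter

# Constructed sample trace, modelled on the two Policy Server lines quoted above
# (empty fields shortened; user2, user3 and the later timestamps are made up).
SAMPLE_TRACE = """\
[04/22/2016][14:37:51.904][14:37:51][1952][4256][SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search][][Sizelimit exceeded][][(Search) Base: '', Filter: '(|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com)))'][][Ldap Search callout fails.]
[04/22/2016][14:38:02.117][CSmDsLdapConn::SearchExts][][LDAP search of (|(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user2,DC=example,DC=com))) returns LIMIT_EXCEEDED(4) with partial result]
[04/22/2016][14:38:05.300][CSmDsLdapProvider::Search][][(Search) Base: '', Filter: '(member=CN=user3,DC=example,DC=com)'][]
"""

LIMIT_MARKERS = ("LIMIT_EXCEEDED(4)", "Sizelimit exceeded")
FIELD = re.compile(r"\[([^\[\]]*)\]")          # one [bracketed] trace field
MEMBER_DN = re.compile(r"\((?:member|uniqueMember)=([^()]+)\)", re.I)
FUNCTION = re.compile(r"^\w+::\w+$")           # e.g. CSmDsLdapProvider::Search
TIME = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+$")

def find_limit_events(trace_text):
    """Return one dict per trace line that reports an LDAP size-limit hit."""
    events = []
    for line in trace_text.splitlines():
        fields = FIELD.findall(line)
        if not any(m in f for f in fields for m in LIMIT_MARKERS):
            continue
        events.append({
            "time": next((f for f in fields if TIME.match(f)), None),
            "function": next((f for f in fields if FUNCTION.match(f)), None),
            # The same DN appears once per objectclass branch; de-duplicate per line.
            "user_dns": sorted(set(MEMBER_DN.findall(line))),
        })
    return events

def affected_users(events):
    """Count size-limit events per user DN, most affected first."""
    return Counter(dn for e in events for dn in e["user_dns"]).most_common()

if __name__ == "__main__":
    for dn, count in affected_users(find_limit_events(SAMPLE_TRACE)):
        print(f"{count} size-limit event(s) during group lookup for {dn}")
```
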

 

KD : TEC1244697
