
Extended LDAP definition at hub configuration

Last activity 05-29-2019 08:21 PM
Gregor WOLF
10-28-2016 07:54 AM

In a large UIM environment where hubs are configured with LDAP authentication, the following errors were seen in hub.log files:

LDAP attribute [userPrincipalName] could not be validated and
checking ldap config: ldap_search_ext_s: 'Size limit exceeded'

Increasing the size limit by changing MaxPageSize in Active Directory was not recommended by Microsoft (https://technet.microsoft.com/en-us/library/aa998536%28v=exchg.80%29.aspx).

The problem can be avoided by defining a tighter filter in the LDAP settings of the hub configuration:

old:
Group Container (DN)
OU=xxxxx,OU=******_Gruppen,OU=Gruppen,OU=******,OU=xxxxxxx,DC=xxxx,DC=******,DC=de
User Container (DN)
OU=Benutzer,OU=******,OU=Ressort,DC=******,DC=xxxx,DC=de

new:
Group Container (DN)
OU=xxxx_Sicherheit,OU=_***,OU=xxxxx,OU=******_Gruppen,OU=Gruppen,OU=******,OU=xxxxxxx,DC=xxxx,DC=******,DC=de
User Container (DN)
OU=xxxxxxx_Profile,OU=Benutzer,OU=******,OU=Ressort,DC=******,DC=xxxx,DC=de

Unfortunately, the new definition limits the users and groups, because actually only one Group/User Container can be defined. It should be possible to define more than one branch, maybe separated by ";", to avoid this limitation.

Idea opened on customer request.
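
An added sketch of the ";"-separated container list proposed above, showing how such a setting could be parsed and used to decide whether an entry is in scope. This is not hub code and the hub does not support this syntax; the function names and the example.de DNs are constructed for illustration, and DN matching is simplified to case-insensitive RDN comparison.

```python
def split_unescaped(value, sep):
    """Split on sep, keeping backslash + next char together (RFC 4514 escaping)."""
    parts, cur, i = [], [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            cur.append(value[i:i + 2])   # escaped pair, never a separator
            i += 2
            continue
        if value[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(value[i])
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def rdns(dn):
    """Normalise a DN to a list of lower-cased 'type=value' RDNs (simplified)."""
    out = []
    for rdn in split_unescaped(dn, ","):
        attr, _, val = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return out


def in_scope(entry_dn, bases):
    """True if entry_dn lies at or below one of the configured base DNs."""
    entry = rdns(entry_dn)
    for base in bases:
        b = rdns(base)
        # Compare whole RDNs from the right; a plain string endswith() would
        # also match a base that only appears inside an escaped RDN value.
        if b and entry[-len(b):] == b:
            return True
    return False


# Constructed setting: two user containers; the second has an escaped ';'.
CONFIGURED = (r"OU=A_Profile,OU=Benutzer,DC=example,DC=de; "
              r"OU=Dienst\;Konten,OU=Benutzer,DC=example,DC=de")
BASES = split_unescaped(CONFIGURED, ";")

if __name__ == "__main__":
    for dn in ("cn=Anna,ou=a_profile,ou=benutzer,dc=example,dc=de",
               "CN=Bob,OU=B_Profile,OU=Benutzer,DC=example,DC=de"):
        print(dn, "->", in_scope(dn, BASES))
```

Because ";" and "," may appear escaped inside DN values, a naive `split(";")` or string suffix match would mis-scope entries; each base would then be searched separately, which keeps every individual search below the directory's size limit.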