KB 140034 LDAP Error “sizeLimitExceeded” on IDENTIKEY Appliance
Creation date: 24/03/2010
Last Review: 11/12/2012
Document type: Known-Issue
Revision number: 3
Security status: EXTERNAL
Summary
IDENTIKEY Appliance can be configured to synchronize its users with Active Directory (AD); it then queries the AD user objects via LDAP.
In large environments with many user objects in AD, these queries can return the LDAP error sizeLimitExceeded, and not all objects are returned.
Problem symptoms / details.
When you configure LDAP Backend synchronization on the IDENTIKEY Appliance, you may get the error “Synchronization error: LDAP error sizeLimitExceeded”.
The error is logged in the IDENTIKEY Appliance syslog.
You can check the syslog by browsing to https://x.x.x.x/configtool and selecting the option “Logging” from the menu.
This problem occurs because Active Directory limits the maximum number of search results to 1000. When there are more user objects than that, the LDAP synchronization fails.
This behavior can have 2 causes:
• Client settings: the client used to query the LDAP database has a result size limit. This depends on which client is used.
• LDAP server settings: by default, Microsoft Active Directory limits a query to 1000 objects per request.
Applies to: IDENTIKEY Appliance
KB 140034 – 24/03/2010
© 2010 VASCO Data Security. All rights reserved.
Page 1 of 4
Problem Solution.
The following LDAP entry needs to be changed in Active Directory:
CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT,
CN=Services, CN=Configuration, DC=YOUR_COMPANY, DC=YOUR_COMPANY_TLD
The parameter can be changed in Active Directory in different ways: with the Ntdsutil.exe utility or with the ADSI Edit snap-in.
• Using ADSI Edit.
This is the easiest method to change the parameter.
  o Open the ADSI Edit MMC and connect to the Configuration naming context.
  o Go to the LDAP entry to be modified (CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=YOUR_COMPANY, DC=YOUR_COMPANY_TLD).
  o View the properties of CN=Default Query Policy. In the properties dialog, double-click the attribute lDAPAdminLimits to edit it.
  o Click on MaxPageSize and remove the entry.
  o Add the value MaxPageSize again with the desired value (3000 in our example) and press the Add button.
  o Press the OK button. The entry will be changed in Active Directory.
• Using Ntdsutil.exe.
For more information on Ntdsutil, see the following Microsoft KB article:
How to view and set LDAP policy in Active Directory by using Ntdsutil.exe
http://support.microsoft.com/?kbid=315071
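The same MaxPageSize change, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the VASCO KB. It assumes the module is installed, the account used has write access to the Configuration partition (normally Enterprise Admins), and that $NewLimit is the value chosen for your environment; the 3000 is only the value the KB uses in its example.

```powershell
# Added example (not from the KB): read and change MaxPageSize on the
# Default Query Policy with Get-ADObject / Set-ADObject.
# Assumptions: ActiveDirectory module present, rights on the Configuration
# partition, and $NewLimit set to the value you want.
Import-Module ActiveDirectory

$NewLimit = 3000   # value used in the KB example; choose what your environment needs

# The policy lives in the forest-wide Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# lDAPAdminLimits is multi-valued; each value has the form "Name=Value".
$policy  = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits
$current = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxPageSize=*' }
Write-Host "Current setting: $current"

# Mirror the ADSI Edit steps in the KB: remove the old entry, then add the new one.
if ($current) {
    Set-ADObject -Identity $policyDN -Remove @{ lDAPAdminLimits = $current }
}
Set-ADObject -Identity $policyDN -Add @{ lDAPAdminLimits = "MaxPageSize=$NewLimit" }

# Read the attribute back to confirm the change was written.
$updated = (Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits).lDAPAdminLimits |
    Where-Object { $_ -like 'MaxPageSize=*' }
Write-Host "New setting: $updated"
```

Because the Default Query Policy sits in the Configuration partition, the new limit replicates to every domain controller in the forest and applies to every LDAP client, not only the IDENTIKEY Appliance, so it is worth reviewing the value with the directory owners. Where the LDAP client supports the paged-results control (RFC 2696), paging the query is the alternative that needs no server-side change.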