I'm trying to configure LDAP and am hitting the following error:
ERROR ScopedLDAPConnection - Search for DN 'CN=Users,DC=Domain,DC=Com' gave error: Size limit exceeded
What does this error mean?
Size Limit Exceeded is an LDAP server error indicating that the search request was unable to return all entries due to a limit. The problem encountered is that the users or groups you are looking for may have been in the 1001+ entries and are not being returned.
In AD, the default size limit is typically 1000 entries. The LDAP server error is usually followed by an error indicating the number of entries returned which is a few entries less than the actual size limit. There is nothing you can do to change this limit unless you are the LDAP server administrator.
In Splunk, you can use filters to reduce the number of LDAP entries returned so that you do not hit this limit.
Splunk 7.2 will have ldap pagination to overcome this limit.
Bump. Can't find it either.
Instead of 7.2, LDAP pagination is supported in 7.3
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Authenticationconf
pagelimit =
* OPTIONAL
* The maximum number of entries to return in each page.
* Enables result sets that exceed the maximum number of entries defined for the
LDAP server.
* If set to -1, ldap pagination is off.
* IMPORTANT: The maximum number of entries a page returns is subject to
the maximum page size limit of the LDAP server. For example: If you set 'pagelimit =
5000' and the server limit is 1000, you cannot receive more than 1000 entries in
a page.
* Default: -1
Splunk 7.3 also supports LDAP Range Retrieval ( in case there are too many users in a group).
enableRangeRetrieval =
* OPTIONAL
* The maximum number of values that can be retrieved from one attribute in a
single LDAP search request is determined by the LDAP server. If the number of
users in a group exceeds the LDAP server limit, enabling this setting fetches all
users by using the "range retrieval" mechanism.
* Enables result sets for a given attribute that exceed the maximum number of
values defined for the LDAP server.
* If set to false, ldap range retrieval is off.
* Default: false
Hello 🙂
So your mean, in 7.2x version of splunk the concept of extending the LDAP limit is not possible?
thanks
Is ldap pagination available by now? I haven't found anything regarding this topic in the Splunk release notes
Instead of 7.2, LDAP pagination is supported in 7.3
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Authenticationconf
pagelimit =
* OPTIONAL
* The maximum number of entries to return in each page.
* Enables result sets that exceed the maximum number of entries defined for the
LDAP server.
* If set to -1, ldap pagination is off.
* IMPORTANT: The maximum number of entries a page returns is subject to
the maximum page size limit of the LDAP server. For example: If you set 'pagelimit =
5000' and the server limit is 1000, you cannot receive more than 1000 entries in
a page.
* Default: -1
Splunk 7.3 also supports LDAP Range Retrieval ( in case there are too many users in a group).
enableRangeRetrieval =
* OPTIONAL
* The maximum number of values that can be retrieved from one attribute in a
single LDAP search request is determined by the LDAP server. If the number of
users in a group exceeds the LDAP server limit, enabling this setting fetches all
users by using the "range retrieval" mechanism.
* Enables result sets for a given attribute that exceed the maximum number of
values defined for the LDAP server.
* If set to false, ldap range retrieval is off.
* Default: false
I have the same issue "Warning: LDAP server size limit exceeded" but I can see more than 1000 groups in Splunk(near 1800) and users can Log in.
My LDAP server limit is 5000. I have no Idea where to find solution.
May be this message could be ignore as it is not error but warning.
in 6.2.x,Even increased the size limit to 30000 also,got error message as "LDAP server warning:size limit exceeded".
Is there any otherway,can we increase the limit?
I received this same error on 4.3 I went into Manager > Authentication Method > Configure Splunk to use LDAP and map groups >
On the CLI, you could just edit
OLD: sizelimit = 1000
New: sizelimit = 10000
There used to be a pageSize setting back in the 3.x days (still lives in some of the docs), but it doesnt exist in 4.x, any chance of this being addeed back in?
Size Limit Exceeded is an LDAP server error indicating that the search request was unable to return all entries due to a limit. The problem encountered is that the users or groups you are looking for may have been in the 1001+ entries and are not being returned.
In AD, the default size limit is typically 1000 entries. The LDAP server error is usually followed by an error indicating the number of entries returned which is a few entries less than the actual size limit. There is nothing you can do to change this limit unless you are the LDAP server administrator.
In Splunk, you can use filters to reduce the number of LDAP entries returned so that you do not hit this limit.
I downvoted this post because instead of 7.2, ldap pagination is supported in 7.3
https://docs.splunk.com/documentation/splunk/7.3.0/admin/authenticationconf
pagelimit =
* optional
* the maximum number of entries to return in each page.
* enables result sets that exceed the maximum number of entries defined for the
ldap server.
* if set to -1, ldap pagination is off.
* important: the maximum number of entries a page returns is subject to
the maximum page size limit of the ldap server. for example: if you set 'pagelimit =
5000' and the server limit is 1000, you cannot receive more than 1000 entries in
a page.
* default: -1
Splunk 7.3 also supports ldap range retrieval ( in case there are too many users in a group).
enablerangeretrieval =
* optional
* the maximum number of values that can be retrieved from one attribute in a
single ldap search request is determined by the ldap server. if the number of
users in a group exceeds the ldap server limit, enabling this setting fetches all
users by using the "range retrieval" mechanism.
* enables result sets for a given attribute that exceed the maximum number of
values defined for the ldap server.
* if set to false, ldap range retrieval is off.
* default: false