I am using Splunk (6.2) deployed on Windows 2008 R2.
for some reason the configuration is failing with a "size limit exceeded" error. I turned on DEBUG level logging for ScopedLDAPConnection and it is binding to the LDAP just fine but is breaking on a lookup. The pertinent log entries are included below. I know for a fact that there are less than 30 LDAP objects in total under the configured DN/OU. Why is it throwing this error and how to resolve it is a complete mystery.
10-28-2014 14:39:34.622 -0700 DEBUG ScopedLDAPConnection - strategy="ldaphost" Loading entry attributes for DN="OU=CIS,OU=Staff,OU=WallaWalla,DC=wwcc-domain"
10-28-2014 14:39:34.622 -0700 DEBUG ScopedLDAPConnection - strategy="ldaphost" Attempting to search subtree at DN="OU=CIS,OU=Staff,OU=WallaWalla,DC=wwcc-domain" using filter="(&(objectclass=user)(displayname=)(samaccountname=))"
10-28-2014 14:39:34.622 -0700 DEBUG ScopedLDAPConnection - strategy="ldaphost" Search duration="0 microseconds"
10-28-2014 14:39:34.622 -0700 WARN ScopedLDAPConnection - strategy="ldaphost" LDAP Server returned warning in search for DN="OU=CIS,OU=Staff,OU=WallaWalla,DC=wwcc-domain". reason="Size limit exceeded"
... View more