So this was just an issue with saving the strategy? The same configuration should absolutely work in 4.2 - all your users should be able to log in the same way. If need be, simply copy the authentication.conf from your 4.1.7 instance into your 4.2. This config file is under $SPLUNK_HOME/etc/system/local.
Our LDAP integration is largely unchanged in 4.2, with the exception of that strategy page. We now perform some extra validation that the configuration you entered will work. This verification involves contacting the LDAP server a few times and performing some basic searches, so any latency in contacting that server would be reflected in the UI when you hit save.
Here is what we now verify for you when you save a strategy (in order):
1. You can contact the LDAP server and bind given the credentials specified.
2. All user base DNs specified exist on the server.
3. We can retrieve at least 1 user given the specified username, realname, and groupMapping attributes.
4. All group base DNs specified exist on the server.
5. We can retrieve at least 1 group given the specified groupName and groupMember attributes.
Note that the third and fifth checks involve performing a search, which would be subject to size limits. However, we only ask for one entry. So the 'size limit exceeded' is a red herring here; it's just the LDAP server telling Splunk that the search would hit the size limit, even though we only asked for 1 entry. For further information, set ScopedLDAPConnection to debug, which should make it clear exactly what searches we're performing and what's causing the issue. Do this from Manager > System Settings > System Logging.
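The five checks listed in the answer above can be replayed by hand with OpenLDAP's ldapsearch to see which one fails and why a one-entry search can come back with 'size limit exceeded'. This is an added example, not part of the original post and not Splunk's code. The host, DNs, attribute names, password file and the presence filter are placeholder assumptions, as is the ';' separator for multiple base DNs.

```shell
#!/bin/sh
# Added example: replay the save-time checks with ldapsearch. Defaults are placeholders.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com:389}"
BIND_DN="${BIND_DN:-cn=splunk-bind,dc=example,dc=com}"
PW_FILE="${PW_FILE:-./bindpw}"   # bind password only, no trailing newline
USER_BASES="${USER_BASES:-ou=People,dc=example,dc=com}"    # ';'-separated
GROUP_BASES="${GROUP_BASES:-ou=Groups,dc=example,dc=com}"  # ';'-separated
USER_ATTRS="${USER_ATTRS:-uid cn memberOf}"  # username, realname, groupMapping
GROUP_ATTRS="${GROUP_ATTRS:-cn member}"      # groupName, groupMember

# One base DN per line, trimmed, empty items dropped.
split_dns() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Presence filter over the given attributes (assumed stand-in for Splunk's filter).
presence_filter() {
    f=''
    for a in "$@"; do f="$f($a=*)"; done
    printf '(&%s)' "$f"
}

# A one-entry search passes if an entry came back, even when the server also
# reports LDAP result 4 (sizeLimitExceeded) because more entries matched.
verdict() {  # $1 = ldapsearch exit status, $2 = entries returned
    if [ "$2" -ge 1 ] && { [ "$1" -eq 0 ] || [ "$1" -eq 4 ]; }; then echo pass; else echo fail; fi
}

search() { ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" "$@"; }

# check_base LABEL BASES ATTR...: checks 2/4 (base DN exists), then 3/5 (one entry).
check_base() {
    label=$1 bases=$2; shift 2
    split_dns "$bases" | while IFS= read -r dn; do
        search -s base -b "$dn" '(objectClass=*)' 1.1 >/dev/null 2>&1 ||
            { echo "$label base DN missing: $dn"; continue; }
        out=$(search -z 1 -b "$dn" "$(presence_filter "$@")" "$@" 2>/dev/null); rc=$?
        n=$(printf '%s\n' "$out" | grep -c '^dn:')
        echo "$label search under $dn: rc=$rc entries=$n -> $(verdict "$rc" "$n")"
    done
}

if [ "${1:-}" = run ]; then
    # Check 1: bind with the strategy's credentials by reading the root DSE.
    search -s base -b '' '(objectClass=*)' 1.1 >/dev/null || { echo "bind failed"; exit 1; }
    check_base user "$USER_BASES" $USER_ATTRS     # unquoted on purpose: one word per attribute
    check_base group "$GROUP_BASES" $GROUP_ATTRS
fi
```

Invoke it with the single argument `run` after exporting the real values; a line showing `rc=4 entries=1 -> pass` is the size-limit case the answer calls a red herring.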