
LDAP attribute lookup fails due to query length limit


Article ID: 159665


Updated On:


Data Loss Prevention Enforce


You have configured LDAP custom attribute lookup, but when the lookup runs, the attributes are not populated.


You may see this error when attempting to retrieve certain attributes that have long lists of multiple values, such as the "memberOf" Active Directory attribute, which lists all groups of which a user is a member.

The Tomcat error logs (localhost.[date].log) contain the following error:

SEVERE [] The parameter is too long.  Length cannot exceed 2000 characters.

The response to a query for a single LDAP attribute is limited to a maximum of 2000 characters. If the response exceeds this limit, the lookup fails.

One possible workaround is to use a different LDAP attribute. The best attribute to query depends on how you need to use the custom attributes within DLP. For example, if you want to determine a user's role within the organization, you might use a "department" attribute, rather than group membership. Active Directory also has a "primary group" attribute for each user, which may be useful for some purposes. Consult your Active Directory or LDAP administrator for more information on your specific LDAP implementation.
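Before choosing an attribute, it helps to measure which attributes on a given user entry would exceed the 2000-character limit, and to confirm the failure in the Tomcat log. The script below is an added example, not code from Broadcom or the Enforce product; it assumes the lookup joins multiple values with ", " (the real delimiter is not documented here) and uses a constructed, AD-like user entry rather than a live directory.

```python
import re

# Limit reported by the Enforce Tomcat error. Assumption: it applies to the
# attribute's values once they are joined into a single string.
MAX_ATTR_LEN = 2000
SEPARATOR = ", "  # assumed delimiter between multiple values


def serialized_length(values):
    """Length of a multi-valued attribute once its values are joined."""
    return len(SEPARATOR.join(values))


def oversized_attributes(entry, limit=MAX_ATTR_LEN):
    """Map attribute name -> joined length for attributes exceeding the limit."""
    return {name: serialized_length(vals) for name, vals in entry.items()
            if serialized_length(vals) > limit}


# Matches the SEVERE line from localhost.[date].log quoted in this article.
ERROR_RE = re.compile(
    r"SEVERE.*The parameter is too long\.\s+Length cannot exceed (\d+) characters")


def find_limit_errors(log_lines):
    """Return the character limit reported by every matching log line."""
    return [int(m.group(1)) for line in log_lines if (m := ERROR_RE.search(line))]


def sample_entry(group_count):
    """Constructed user entry with group_count memberOf values (38 chars each)."""
    return {
        "department": ["Finance"],
        "primaryGroupID": ["513"],  # AD's "primary group" attribute
        "memberOf": [f"CN=grp-{i:03d},OU=Groups,DC=example,DC=com"
                     for i in range(group_count)],
    }


if __name__ == "__main__":
    for n in (40, 60):
        print(n, "groups ->", oversized_attributes(sample_entry(n)))
    print(find_limit_errors([
        "SEVERE [] The parameter is too long.  Length cannot exceed 2000 characters."]))
```

A user in 60 such groups produces a 2398-character memberOf value and trips the limit, while "department" and "primaryGroupID" stay far below it; in practice, feed `oversized_attributes` the values returned by your own LDAP search.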