Title: TKG 2.3 Standalone Management Cluster and LDAP Result Code 4 "Size Limit Exceeded"

Article ID: 331341

Products

VMware Tanzu Kubernetes Grid

Issue/Introduction

Symptoms:
  • TKG 2.3 Standalone Management Cluster LDAP configurations (using Pinniped) that worked on previous versions of TKG (prior to 2.3) no longer work, and the Pinniped Supervisor pod logs contain an entry like the following:

"message":"unexpected error during upstream LDAP authentication","warning":true,"error":"error searching for user: LDAP Result Code 4 \"Size Limit Exceeded\": ",

Cause

Standalone Management Cluster LDAP configuration uses Pinniped in all versions of TKG. In TKG 2.2 Standalone Management Cluster and earlier, Pinniped used Dex to perform all interaction with the LDAP server. Starting with TKG 2.3 Standalone Management Cluster, Pinniped interacts with the LDAP server directly, and Dex is no longer used as an LDAP shim.

This means that the user and group search queries may require changes to be compatible with the Pinniped LDAP configuration format. LDAP result code 4 (sizeLimitExceeded) means the search matched more entries than the server's or client's size limit allows; a user search that is correctly constrained to the user who is logging in should match exactly one entry, so hitting the size limit is a sign that the filter is not being narrowed to that user. See resolution.
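The following is an added example, not code from the KB article, VMware, or the Pinniped project. It assumes the behaviour documented for Pinniped's LDAPIdentityProvider: spec.userSearch.filter must contain the placeholder '{}', which the Supervisor replaces with the username at login, whereas the Dex LDAP connector took a static filter such as '(objectClass=person)' and ANDed the username clause to it internally. A Dex-style filter carried over unchanged therefore never narrows to the user logging in, which is how a user search can match more entries than the size limit. The sample filters and usernames below are constructed; the helper names are the example's own.

```python
"""Check LDAP search filters for the Pinniped-style '{}' username placeholder.

Added example (not from the KB article or from VMware/Pinniped code).
Assumption: Pinniped substitutes '{}' in spec.userSearch.filter with the
username; Dex instead appended the '<userAttr>=<username>' clause itself.
"""

PLACEHOLDER = "{}"

# RFC 4515 escaping for values placed inside a search filter, so a username
# such as 'a)(uid=*' cannot rewrite the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def balanced(filt: str) -> bool:
    """True if every '(' has a matching ')' in order."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def check_filter(filt: str) -> list[str]:
    """Return a list of problems; an empty list means the filter is Pinniped-ready."""
    problems = []
    if not balanced(filt):
        problems.append("unbalanced parentheses")
    if PLACEHOLDER not in filt:
        problems.append(
            "no '{}' placeholder: the filter never narrows to the user logging in, "
            "so the search returns every entry the static filter matches (Dex style)"
        )
    return problems


def dex_to_pinniped(static_filter: str, username_attr: str) -> str:
    """Rebuild a Dex-style static filter as a Pinniped filter.

    Dex ANDed its static filter with '<userAttr>=<username>' internally; in the
    Pinniped format that clause is spelled out with the '{}' placeholder.
    """
    static_filter = static_filter.strip()
    if not static_filter.startswith("("):
        static_filter = f"({static_filter})"
    return f"(&{static_filter}({username_attr}={PLACEHOLDER}))"


def render(filt: str, username: str) -> str:
    """Substitute the username into the filter with RFC 4515 escaping applied."""
    return filt.replace(PLACEHOLDER, escape_filter_value(username))


if __name__ == "__main__":
    # Constructed examples of the two configuration styles.
    dex_style = "(objectClass=person)"
    pinniped_style = dex_to_pinniped(dex_style, "uid")
    for f in (dex_style, pinniped_style):
        print(f, "->", check_filter(f) or "ok")
    print(render(pinniped_style, "alice"))
    print(render(pinniped_style, "a)(uid=*"))
```

Run the script against the LDAP_USER_SEARCH_FILTER and LDAP_GROUP_SEARCH_FILTER values from the management cluster configuration file (the group filter follows the same placeholder convention, with the placeholder standing for the user's DN or attribute rather than the username). Any filter reported as missing the placeholder is the one to rewrite before regenerating the Pinniped package secret.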


Users who experience this error have most likely upgraded their cluster but missed a step in adjusting their Pinniped configuration. Following the documentation carefully will generate a new Pinniped package secret that results in a correct configuration.

Resolution

Review the upgrade steps documented in the TKG 2.3 Standalone Management Cluster documentation to see if changes are required.

  https://docs.vmware.com/en/VMware-Tanzu-Kubernetes-Grid/2.3/tkg-deploy-mc/mgmt-deploy-config-ref.html#identity-management-ldap  (search for "Pinniped format")

Additional Information

TKG 2.3 Standalone Management Cluster Release Notes