"message":"unexpected error during upstream LDAP authentication","warning":true,"error":"error searching for user: LDAP Result Code 4 \"Size Limit Exceeded\": ",
VMware Tanzu Kubernetes Grid 2.x
All versions of TKG use Pinniped for standalone management cluster LDAP authentication. In TKG 2.2 standalone management clusters and earlier, Pinniped used Dex to perform all interaction with the LDAP server.
Starting with TKG 2.3 standalone management clusters, Pinniped interacts with the LDAP server directly and Dex is no longer used as an LDAP shim. This means that the user and group search queries may need changes to be compatible with the Pinniped LDAP configuration. See the resolution below.
Users who see this error have most likely upgraded their cluster but missed a step in adjusting their Pinniped configuration. Following the documentation carefully generates a new Pinniped package or add-on secret that results in a correct configuration.
According to the TKGm 2.3.x release notes, LDAP_USER_SEARCH_FILTER and LDAP_GROUP_SEARCH_FILTER must be set in the format used by Pinniped. Follow the steps below:
1) Get the pinniped secret from your management cluster.
kubectl get secret <mgmt-cluster-name>-pinniped-addon -n <namespace-name> -o yaml
2) Copy the "values.yaml" value from the "<mgmt-cluster-name>-pinniped-addon" secret and base64-decode it.
echo <xxxx-xxxx-values.yaml> | base64 -d
3) Save the decoded contents to a file named exactly "values.yaml".
4) Change the LDAP filter format in the newly created "values.yaml".
Note: The following configuration excerpt is only an example. The LDAP configuration varies depending on your environment.
bindDN: XXXXXXXX
bindPW: XXXXXXXX
userSearch:
  base: XXXXXXXX
  filter: '&(sAMAccountName={})(objectClass=person)'
  uidAttr: dn
  usernameAttr: sAMAccountName
  scope: sub
groupSearch:
  base: XXXXXXXX
  filter: '&(objectClass=group)(member={})'
  userAttributeForFilter: distinguishedName
  groupNameAttr: cn
  scope: sub
Then patch the secret with the updated file, where SECRET_NAME is the "<mgmt-cluster-name>-pinniped-addon" secret and PACKAGE_NAMESPACE is its namespace:
kubectl patch secret $SECRET_NAME -n $PACKAGE_NAMESPACE -p "{\"data\":{\"values.yaml\":\"$(base64 -w 0 < values.yaml)\"}}" --type=merge
5) Once the Pinniped package reconciliation succeeds, users are able to log in to their clusters.
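The decode, check and re-encode steps above as a small shell helper. This is an added example, not code from the KB article or from VMware; it assumes GNU base64 (for -w 0), that kubectl is configured against the management cluster, and that the secret name, namespace and edited values.yaml path are passed in as arguments. The check only confirms that every filter carries the "{}" placeholder Pinniped substitutes at search time, which is the visible difference in the example filters above.

```shell
#!/usr/bin/env bash
# Added example: helpers for the Pinniped add-on secret procedure (not VMware's code).
set -eu

# Return 0 when every "filter:" line in the file contains the "{}" placeholder that
# Pinniped replaces with the username (user search) or user attribute (group search).
check_pinniped_filters() {
  local file="$1" bad=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *filter:*'{}'*) ;;                                    # placeholder present
      *filter:*) echo "missing {} placeholder: $line" >&2; bad=1 ;;
    esac
  done < "$file"
  return "$bad"
}

# Build the JSON merge-patch body that replaces data["values.yaml"] in the secret
# (same shape as the kubectl patch command in step 4).
build_patch() {
  printf '{"data":{"values.yaml":"%s"}}' "$(base64 -w 0 < "$1")"
}

# Steps 1-2: read and decode values.yaml from the add-on secret (assumed args: secret, namespace).
fetch_values() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.values\.yaml}' | base64 -d
}

# Step 4: refuse to patch unless the edited file is in Pinniped filter format,
# then write it back (assumed args: secret, namespace, path to edited values.yaml).
patch_values() {
  check_pinniped_filters "$3"
  kubectl patch secret "$1" -n "$2" --type=merge -p "$(build_patch "$3")"
}
```

Usage: `fetch_values <mgmt-cluster-name>-pinniped-addon <namespace> > values.yaml`, edit the filters, then `patch_values <mgmt-cluster-name>-pinniped-addon <namespace> values.yaml`.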