LDAP Authentication Failure on Avi Controller with 'User Has No Privilege' Error.

Article ID: 391257

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • When a user attempts to log in to the controller with LDAP credentials, the login fails with the error 'User Has No Privilege'.

  • In the controller's /var/lib/avi/log/portal-auth.log file, the error 'size limit exceeded' is logged when the controller attempts to authorize the user against the LDAP server.

Cause

By default, Active Directory (AD) searches in Microsoft Entra ID (formerly Azure AD) are limited to a maximum of 1,000 records to mitigate the risk of denial-of-service (DDoS) attacks. This limit can be increased, but it is a security feature implemented by design.

Resolution

1. Narrow the LDAP Group Search Scope in the Auth Profile configured on the controller: Limit the LDAP group search scope so that only the necessary groups are returned.

For example, use a filter such as "ou=dtest, ou=entest, DC=entest, DC=test, DC=bank, DC=corp" to restrict the search to specific organizational units (OUs) and domains.

2. Increase the Size Limit on the LDAP Server: If needed, raise the server's default size limit so that more records can be returned by a search. Do this with caution, since a higher limit has performance and security implications.

3. Reduce the Number of Groups the User is a Member Of: Limit the user's group memberships in Active Directory. The fewer groups the user belongs to, the less data the LDAP search returns, reducing the chance of hitting the size limit.
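As an added pre-check that is not part of this article: before changing the auth profile, run the narrowed group search with the OpenLDAP ldapsearch client and confirm the result stays under the server's limit. LDAP_URL, BIND_DN, the service account and the (member=<user DN>) filter are assumptions; the base DN is the one from step 1 and the 1,000-record limit is the default from the Cause section.

```shell
#!/bin/sh
# Added example (not from the article): verify that the narrowed group search
# stays under the LDAP server's size limit before changing the Avi auth profile.
# LDAP_URL and BIND_DN are hypothetical placeholders; GROUP_BASE is the search
# base from step 1 of the article; SIZE_LIMIT is the default from the Cause section.
LDAP_URL="${LDAP_URL:-ldap://ldap.example.invalid}"
BIND_DN="${BIND_DN:-cn=svc-avi,ou=service,DC=entest,DC=test,DC=bank,DC=corp}"
GROUP_BASE="ou=dtest,ou=entest,DC=entest,DC=test,DC=bank,DC=corp"
SIZE_LIMIT=1000

# check_result: read ldapsearch LDIF output on stdin and print "<entries> <status>".
# Status is SIZELIMIT when the server returned result code 4 (sizeLimitExceeded)
# or the entry count reached SIZE_LIMIT, otherwise OK.
check_result() {
  awk -v limit="$SIZE_LIMIT" '
    /^result: 4 /    { hit = 1 }   # LDAP result 4 = Size limit exceeded
    /^# numEntries:/ { n = $3 }    # entry count printed by ldapsearch
    END {
      if (n == "") n = 0
      if (hit || n + 0 >= limit) print n, "SIZELIMIT"; else print n, "OK"
    }'
}

# run_group_search <user DN>: run a group lookup of the kind the controller
# performs (assumed here to be a member= filter) against the narrowed base and
# classify the result. -W prompts for the bind password interactively.
run_group_search() {
  ldapsearch -x -H "$LDAP_URL" -D "$BIND_DN" -W -b "$GROUP_BASE" -s sub \
    "(&(objectClass=group)(member=$1))" dn | check_result
}

# Usage: ./check_group_search.sh "cn=jdoe,ou=users,DC=entest,DC=test,DC=bank,DC=corp"
if [ $# -gt 0 ]; then
  run_group_search "$1"
fi
```

A SIZELIMIT result means the controller's search with this base would still trip the server limit, so narrow the base further or apply steps 2 or 3.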