search cancel

LIMIT_EXCEEDED(4) with partial result error showing when accessing a resource

book

Article ID: 41796

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Symptoms:

When I try to access a protected resource with a user which is member of a group only everything works fine. But, when I try with a user that has more groups access is refused. I tried with user with 4 and 28 groups assigned).

In Policy Server I see the following:
[CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of (|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com))) returns LIMIT_EXCEEDED(4) with partial result]
[04/22/2016][14:37:51.904][14:37:51][1952][4256][SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search][][][][][][][][][][][][][Sizelimit exceeded][][][][][][(Search) Base: '', Filter: '(|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com)))'][][Ldap Search callout fails.]

 

Environment:

Policy Server R12.5 or higher

LDAP User Directory

 

Cause:

The LDAP query is returning more results than the current LDAP store size limit overpassing it, which is causing the error and therefore the user authentication is rejected. When the user is a member of only one group, the result is not overpassing the limit and this is why it is not failing in this case.

 

Resolution:

Verify the current max results size limit setting in the LDAP store configuration and increase it.

 

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component: