Symptoms:

When I try to access a protected resource with a user which is member of a group only everything works fine. But, when I try with a user that has more groups access is refused. I tried with user with 4 and 28 groups assigned).

In Policy Server I see the following:
[CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of (|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com))) returns LIMIT_EXCEEDED(4) with partial result]
[04/22/2016][14:37:51.904][14:37:51][1952][4256][SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search][][][][][][][][][][][][][Sizelimit exceeded][][][][][][(Search) Base: '', Filter: '(|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com)))'][][Ldap Search callout fails.]

Environment:

Policy Server R12.5 or higher

LDAP User Directory

Cause:

The LDAP query is returning more results than the current LDAP store size limit overpassing it, which is causing the error and therefore the user authentication is rejected. When the user is a member of only one group, the result is not overpassing the limit and this is why it is not failing in this case.

Resolution:

Verify the current max results size limit setting in the LDAP store configuration and increase it.