LIMIT_EXCEEDED(4) with partial result in Policy Server

Article ID: 41796

Products

CA Single Sign On Secure Proxy Server (SiteMinder)

CA Single Sign On SOA Security Manager (SiteMinder)

CA Single Sign-On SITEMINDER

Issue/Introduction

 

Access to a protected resource works when the user is a member of only one group. When the user is a member of more groups, access is refused. (The test was done with a user belonging to 4 and 28 groups.)

The Policy Server logs the following:

[CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of (|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com))) returns LIMIT_EXCEEDED(4) with partial result]
[04/22/2016][14:37:51.904][14:37:51][1952][4256][SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search][][][][][][][][][][][][][Sizelimit exceeded][][][][][][(Search) Base: '', Filter: '(|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com)))'][][Ldap Search callout fails.]

 

Environment

 

Policy Server R12.5 or higher

LDAP User Directory

 

Cause

 

The LDAP query returns more results than the size limit currently configured on the LDAP store allows. This causes the error, and the user authentication is therefore rejected.

When the user is a member of only one group, the result stays within the limit, which is why access does not fail in that case.

 

Resolution

 

Verify the current max results size limit setting in the LDAP store configuration and increase it.
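
To see which users are hitting this condition, before and after raising the limit, the Policy Server log can be scanned for the two messages quoted in the Issue section. The Python script below is an added example, not part of the original article or the product; the function names and the third sample line are constructed for illustration, and DN comparison is assumed to be case-insensitive.

```python
import re
from collections import Counter

# Markers taken from the two log lines quoted in this article.
MARKERS = ("LIMIT_EXCEEDED(4)", "Sizelimit exceeded")
# DN inside a group-membership filter term: (member=...) or (uniqueMember=...).
MEMBER_RE = re.compile(r"\((?:member|uniqueMember)=([^)]+)\)", re.IGNORECASE)
# Leading [MM/DD/YYYY][HH:MM:SS.mmm] fields, present on some log lines only.
STAMP_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2}\.\d+)\]")


def find_sizelimit_hits(lines):
    """Return one dict per log line where a group search hit the size limit."""
    hits = []
    for line in lines:
        if not any(m in line for m in MARKERS):
            continue
        # The same DN is repeated once per objectclass branch; keep it once.
        dns = sorted({dn.strip() for dn in MEMBER_RE.findall(line)})
        stamp = STAMP_RE.match(line)
        hits.append({
            "when": " ".join(stamp.groups()) if stamp else None,
            "user_dns": dns,
        })
    return hits


def affected_users(lines):
    """Count size-limit log lines per user DN (assumption: DNs compare case-insensitively)."""
    counts = Counter()
    for hit in find_sizelimit_hits(lines):
        for dn in hit["user_dns"]:
            counts[dn.lower()] += 1
    return counts


# Constructed sample: the two lines quoted above with the empty [] fields
# shortened, plus a constructed line for a search that stayed within the limit.
SAMPLE_LOG = [
    "[CSmDsLdapConn::SearchExts][][][LDAP search of (|(&(objectclass=groupOfNames)(member=CN=user,DC=example,DC=com))(&(objectclass=group)(member=CN=user,DC=example,DC=com))) returns LIMIT_EXCEEDED(4) with partial result]",
    "[04/22/2016][14:37:51.904][14:37:51][1952][4256][SmDsLdapProvider.cpp:2395][CSmDsLdapProvider::Search][][Sizelimit exceeded][][(Search) Base: '', Filter: '(|(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=user,DC=example,DC=com)))'][][Ldap Search callout fails.]",
    "[CSmDsLdapConn::SearchExts][][][LDAP search of (&(objectclass=group)(member=CN=other,DC=example,DC=com)) returns SUCCESS(0)]",
]

if __name__ == "__main__":
    for dn, n in affected_users(SAMPLE_LOG).most_common():
        print(f"{n} size-limit log line(s) for {dn}")
```

A DN that still appears in the output after the limit has been increased indicates that the new value is still lower than the number of entries the group search returns for that user.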