This is a known and configurable behavior of the Layer 7 Policy Manager and the Layer 7 Gateway. It exists to protect the performance and availability of the Gateway: an LDAP entry that belongs to a very large number of groups could, whether deliberately or accidentally, overwhelm the Gateway when all of those memberships are resolved and cached.
To prevent this, the Gateway ships with an upper limit of 50 on the number of group memberships that are cached and returned for use by the Gateway. The cap can be an unwelcome limitation: if a user belongs to more than 50 groups and the group that grants the required privilege is among those beyond the limit, that membership is dropped and the user is refused authorization even though the account authenticates correctly.
All supported versions of the CA API Gateway
You may run into some of the following symptoms, which can be caused by the cap on group memberships returned by a query.
In the Gateway logs, entries similar to the following may be seen:
INFO: Capping group membership for user 'uid=xxxxx,ou=xxxxx,dc=xxxxx,dc=com' at 50
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server.identity.ldap.LdapUserManagerImpl
INFO: User:uid=xxxxx,ou=xxxxx,dc=xxxxx,dc=com authenticated successfully in provider External Identity Provider
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server.admin.AdminSessionManager
INFO: Authentication failed on External Identity Provider: xxxxx does not have privilege to access administrative services
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server
WARNING: Failed admin login for login 'xxxxx'
Note in the above that the user authenticates successfully but is then refused authorization, and that the group membership for the user's DN was capped at 50. In this circumstance, the 50 cached group memberships did not include the membership that would authorize "License Officer" to access the Layer 7 Policy Manager.
To change this behavior, raise the following cluster-wide properties above 50:
Determine experimentally what value suits your environment: check how many groups the affected users actually belong to in the target LDAP and set the limit just above that, with some headroom. Do not set these values much larger than necessary, because the cap exists to protect the Gateway. After changing the values, reboot each Gateway in the cluster for the change to take effect.
To set these properties:
Once the values are set and the appliance has restarted, attempt to log in as the user that previously failed. The login should now succeed.
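The two checks described in this article, spotting the capped-then-denied pattern in the Gateway log and sizing the new limit from the affected user's real group count, can be done mechanically. The following Python script is an added example, not part of this article or of the Gateway product. It parses the two-line log records in the format shown in the excerpt above (a header line with timestamp, thread and source class, then a "LEVEL: message" line), flags users whose group membership was capped and who were then refused access to administrative services, and counts the memberOf values in an LDIF export of such a user to suggest a limit with headroom. It assumes that the Gateway reports the admin login by the value of the first RDN of the user's DN (the uid, as in the excerpt), that the directory exposes memberships on the user entry as memberOf (the page does not say which attribute the Gateway resolves), and that a headroom of 10 is a reasonable margin; the sample log and LDIF are constructed. The cluster-wide property names are not shown on this page, and the script changes nothing on the Gateway.

```python
import re

# Regexes for the two-line java.util.logging records shown in the excerpt:
# a header line (timestamp, thread id, source class) followed by "LEVEL: message".
HEADER_RE = re.compile(
    r"^(?P<time>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<thread>\d+) (?P<source>\S+)$"
)
LEVEL_RE = re.compile(r"^(?P<level>SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (?P<message>.*)$")

# Message patterns taken from the log lines quoted in the article.
CAP_RE = re.compile(r"Capping group membership for user '(?P<dn>[^']+)' at (?P<cap>\d+)")
NO_PRIV_RE = re.compile(r"Authentication failed on .+?: (?P<login>\S+) does not have privilege")
FAILED_LOGIN_RE = re.compile(r"Failed admin login for login '(?P<login>[^']+)'")


def parse_records(log_text):
    """Return the log as a list of records in file order. A level line without a
    preceding header (the 'Capping' line in the excerpt has none) still becomes a
    record, with time/thread/source set to None."""
    records, header = [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = LEVEL_RE.match(line)
        if m:
            rec = {"seq": len(records), "time": None, "thread": None, "source": None}
            if header:
                rec.update(header)
            rec.update(m.groupdict())
            records.append(rec)
            header = None
    return records


def login_from_dn(dn):
    """'uid=jsmith,ou=people,...' -> 'jsmith'. Assumption: the Gateway names the
    admin login by the first RDN value, as the excerpt suggests."""
    return dn.split(",")[0].partition("=")[2].strip()


def find_capped_users(log_text):
    """Map each capped DN to what happened to that login afterwards in the log."""
    findings, by_login = {}, {}
    for rec in parse_records(log_text):
        msg = rec["message"]
        m = CAP_RE.search(msg)
        if m:  # a new capping event resets the flags for that login
            f = {"dn": m["dn"], "cap": int(m["cap"]), "login": login_from_dn(m["dn"]),
                 "denied_privilege": False, "admin_login_failed": False}
            findings[m["dn"]] = f
            by_login[f["login"]] = f
            continue
        m = NO_PRIV_RE.search(msg)
        if m and m["login"] in by_login:
            by_login[m["login"]]["denied_privilege"] = True
            continue
        m = FAILED_LOGIN_RE.search(msg)
        if m and m["login"] in by_login:
            by_login[m["login"]]["admin_login_failed"] = True
    return findings


def suspected_cap_failures(log_text):
    """Logins that were capped and then refused admin access: the signature of this issue."""
    return sorted(f["login"] for f in find_capped_users(log_text).values()
                  if f["denied_privilege"] and f["admin_login_failed"])


def count_group_memberships(ldif_text, attribute="memberOf"):
    """Count values of a membership attribute in one LDIF entry, unfolding LDIF
    continuation lines (a leading space joins a line to the previous one).
    Assumption: the directory exposes memberships on the user entry (memberOf)."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    prefix = attribute.lower() + ":"
    return sum(1 for l in unfolded if l.lower().startswith(prefix))


def suggest_cap(group_count, headroom=10):
    """A limit just above the largest membership count seen. The headroom of 10
    is an arbitrary choice for this example, not a vendor recommendation."""
    return group_count + headroom


# Constructed sample log shaped like the excerpt (the 'Capping' lines have no header
# there either). jsmith is capped and then refused admin access; aperez is capped but
# never tries the Policy Manager; 'nobody' fails with no capping record at all.
SAMPLE_LOG = """\
INFO: Capping group membership for user 'uid=jsmith,ou=people,dc=example,dc=com' at 50
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server.identity.ldap.LdapUserManagerImpl
INFO: User:uid=jsmith,ou=people,dc=example,dc=com authenticated successfully in provider External Identity Provider
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server.admin.AdminSessionManager
INFO: Authentication failed on External Identity Provider: jsmith does not have privilege to access administrative services
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server
WARNING: Failed admin login for login 'jsmith'
INFO: Capping group membership for user 'uid=aperez,ou=people,dc=example,dc=com' at 50
Oct 3, 2012 12:09:01 PM 45 com.l7tech.server.identity.ldap.LdapUserManagerImpl
INFO: User:uid=aperez,ou=people,dc=example,dc=com authenticated successfully in provider External Identity Provider
Oct 3, 2012 12:10:15 PM 46 com.l7tech.server.admin.AdminSessionManager
INFO: Authentication failed on External Identity Provider: nobody does not have privilege to access administrative services
Oct 3, 2012 12:10:15 PM 46 com.l7tech.server
WARNING: Failed admin login for login 'nobody'
"""

# Constructed LDIF for jsmith: 52 memberOf values plus one folded over two lines = 53.
SAMPLE_LDIF = "dn: uid=jsmith,ou=people,dc=example,dc=com\nuid: jsmith\n" + "\n".join(
    f"memberOf: cn=group{i:02d},ou=groups,dc=example,dc=com" for i in range(52)
) + "\nmemberOf: cn=gateway-admins,ou=groups,dc=example,\n dc=com\n"

if __name__ == "__main__":
    for login in suspected_cap_failures(SAMPLE_LOG):
        print(f"{login}: group membership capped, then refused administrative access")
    n = count_group_memberships(SAMPLE_LIDF) if False else count_group_memberships(SAMPLE_LDIF)
    print(f"jsmith belongs to {n} groups; consider a limit of {suggest_cap(n)}")
```

Run it against a real Gateway log and an ldapsearch export of the affected user (with the memberOf attribute requested); a login that appears in the suspect list and whose membership count exceeds the logged cap is exactly the case this article describes, and the suggested value is a starting point for the cluster-wide properties, not a substitute for checking that the Gateway still performs acceptably after the change.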