Forum Problems Installing LAMS: Problem with LDAP (Active Directory) in big organization
1: Problem with LDAP (Active Directory) in big organization
06/08/09 06:49 AM
I have installed LAMS in the company I work in. We use Active Directory for authorization. There are over 3000 employees in the organization.

Import of users from LDAP proceeds correctly. However, an error appears when attempting to log in.
2009-06-08 14:48:41,410 ERROR [LDAPAuthenticator] ===> LDAP exception: javax.naming.SizeLimitExceededException: 
[LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'ou=Users,dc=xx,dc=xx'
[...]
2009-06-08 14:48:41,418 INFO  [UniversalLoginModule] abort

Can somebody help me solve this problem?

Sorry for my scratchy English, but I use an internet translator. http://www.translate.pl/pl.php4

Posted by Mariusz Górski

2: Re: Problem with LDAP (Active Directory) in big organization
In response to 1 07/06/09 07:40 PM
Hi, apologies for the late reply.

The problem here is that LAMS has requested a search whose number of results exceeds the value Active Directory is configured to return.

In this case, LAMS is doing a search for all users with the username that you typed in when you tried to login. Normally there is only 1 result returned (as usernames are generally unique), but there is a case where you can get more than one: e.g., you try to login as 'guest', and Active Directory contains users 'guest', 'guest01', 'guest02', 'guest03', etc. In this case, there were enough users returned that it hit the SizeLimitExceededException.

Can you confirm whether this could have happened to you? i.e. that the username you tried to login with has multiple matches in your Active Directory?

A workaround for this error is to increase Active Directory's MaxPageSize - this page has some info, http://support.microsoft.com/?scid=kb%3Ben-us%3B315071&x=8&y=19

If we can confirm that the above was really the problem, we can fix this by implementing paging in the initial search request.

Posted by Jun-Dir Liew

3: Re: Problem with LDAP (Active Directory) in big organization
In response to 1 07/06/09 07:42 PM
Have you tried the 'Synchronise' button under 'LDAP Configuration' in the SysAdmin menu? Do you get the same error?

Posted by Jun-Dir Liew

4: Re: Re: Problem with LDAP (Active Directory) in big organization
In response to 3 07/14/09 03:47 PM
No, I do not have that error if I sync more than 1,000 accounts.
The Active Directory structure in my company is:
OU = Users, OU = [city], DC = xxx, DC = yy
where [city] is one of 14 different localities.
If I set the directory to search for
DC = xxx, DC = yy
I get the error. If I set the directory to search for
OU = [city], DC = xxx, DC = yy
it synchronizes only that OU.

Logging in is a little different.

If I set the directory to search for
DC = xxx, DC = yy
I get the error if the account is not returned in the first thousand accounts. If I set the directory to search for
OU = [city], DC = xxx, DC = yy
you can log into an account belonging to this OU, provided that the account is returned in the first thousand accounts.

What I want is for both synchronization and logging in to work when the directory to search is set to
DC = xxx, DC = yy

Posted by Mariusz Górski

5: Re: Re: Re: Problem with LDAP (Active Directory) in big organization
In response to 4 07/14/09 08:08 PM
When logging in, the initial search for your user object should only return one object because usernames should be unique. What's your search filter? It should only need to be something like (sAMAccountName={0}). If you don't pass in the username with the {0}, then Active Directory may be returning more objects than it needs to.

Synchronising shouldn't give a SizeLimitExceededException, as far as I know Active Directory supports paging. Could it have been disabled somehow?

Posted by Jun-Dir Liew
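The two replies above describe the fix from the LAMS side: substitute the typed username into the filter and page the search so it never exceeds Active Directory's size limit. The following is an added example (not LAMS code) of a JNDI search that does both with the simple paged results control, escaping the username per RFC 4515 so it is matched literally. The host, bind DN and base DN are placeholders.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class PagedLdapSearch {
    // Escape RFC 4515 special characters so the typed username is matched literally
    // instead of changing the structure of the filter. Backslash must be escaped first.
    static String escapeFilterValue(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }

    // Subtree search under base, fetched in pages of pageSize using the simple paged
    // results control, so AD's MaxPageSize (1000 by default) is never exceeded.
    static int countPaged(LdapContext ctx, String base, String filter, int pageSize)
            throws NamingException, IOException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});
        int count = 0;
        byte[] cookie = null;
        do {
            ctx.setRequestControls(new Control[] {
                new PagedResultsControl(pageSize, cookie, Control.CRITICAL)});
            NamingEnumeration<SearchResult> rs = ctx.search(base, filter, sc);
            while (rs.hasMore()) { rs.next(); count++; }
            cookie = null;  // the server returns a non-empty cookie while pages remain
            Control[] rc = ctx.getResponseControls();
            if (rc != null) for (Control c : rc)
                if (c instanceof PagedResultsResponseControl)
                    cookie = ((PagedResultsResponseControl) c).getCookie();
        } while (cookie != null && cookie.length > 0);
        return count;
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ad.example.invalid");              // placeholder host
        env.put(Context.SECURITY_PRINCIPAL, "cn=svc-lams,ou=Users,dc=xx,dc=xx"); // placeholder DN
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW"));
        LdapContext ctx = new InitialLdapContext(env, null);
        String filter = "(&(objectCategory=user)(sAMAccountName=" + escapeFilterValue(args[0]) + "))";
        System.out.println(countPaged(ctx, "dc=xx,dc=xx", filter, 500));  // expect 1 for a unique login
        ctx.close();
    }
}
```

For a login lookup, a count other than 1 is itself a useful signal: 0 means no such account, more than 1 means the filter is not keyed on the unique username.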

6: Re: Re: Re: Re: Problem with LDAP (Active Directory) in big organization
In response to 5 07/15/09 04:49 AM
I had the Search Filter set to (objectCategory=user)

Now, with the Search Filter set to (sAMAccountName={0}),
I get:
LDAP server returned 104,572 members
Number of users created in the system: 4351
Number of existing members altered: 48089
Number of members excluded: 0
and a lot of errors like:
Error processing context result number 31397: null

When I set the Search Filter to (&(objectCategory=user)(sAMAccountName={0}))
the LDAP server returns 52,599 members
Number of users created in the system: 0
Number of existing members altered: 52440
Number of members excluded: 0
and some errors of the type:
Error processing context result number 31397: null

Synchronization works for DC=xxx, DC=yy without an OU=[city].
It's OK.

Posted by Mariusz Górski

7: Re: Re: Re: Re: Re: Problem with LDAP (Active Directory) in big organization
In response to 6 07/15/09 05:44 PM
Great, so all is working! The error during processing is not specific in the web interface, but you can generally see why in the lams logs (/path/to/jboss/server/default/log/lams.log). One reason is that AD contains users with whitespace in the username.

Posted by Jun-Dir Liew
