Unknown cause error and size limit exceeded error when synchronizing LDAPv3 identity source with RSA SecurID Access Cloud Authentication Service

4 years ago

Originally Published: 2020-05-11

Article Number

000040706

Applies To

RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router, Cloud

Issue

An LDAPv3 identity source appears to be configured correctly and running a test connection to each of its directory servers succeeds. However, Identity Source Synchronization fails.

In the RSA Cloud Administration Console, the following symptoms are observed:

Synchronization status reports that Synchronization failed with the reason Unknown cause.

The System Event Monitor contains an Identity Source Sync event code 2507 with:

Description: Identity source synchronization not completed successfully
Details: Unknown cause

The System Log of one of the Identity Routers contains an LDAP error event similar to the following:

ERROR com.rsa.aae.internal.ldap.sync.LDAPSearchExecutor[71] - failed to read data from LDAP
LDAPException(resultCode=4 (size limit exceeded), numEntries=500, numReferences=0, errorMessage='size limit exceeded', ldapSDKVersion=4.0.6, revision=27850')
at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3734)

Cause

This error occurs when both of the following are true:

The Root and User Search Filter configured for your identity source returns more users than the maximum number of records allowed by your LDAPv3 directory server in one search query result. The maximum number is 500.
The Simple Paged Results control is either not enabled in your LDAPv3 directory server, or is not supported by it.

Resolution

Confirm that your LDAPv3 directory server supports the Simple Paged Results control, which is identified by controlType 1.2.840.113556.1.4.319 and enable it.

Workaround

If the Simple Paged Results control is not supported by your LDAPv3 directory server, or cannot be enabled, then Scheduled Synchronization and Manual Synchronization is not possible for that identity source with the current number of users who are returned by the Root and User Search Filter.

One option to workaround this limitation is to use limited synchronization methods:

Scheduled Synchronization should be disabled and Manual Synchronization should not be used, as both fail.
Just-In-Time Synchronization must be enabled under Company Settings. It is disabled by default. When enabled, Just-In-Time Synchronization applies to all identity sources configured in your RSA Cloud Authentication Service.
Ongoing, only Just-In-Time Synchronization and Single-User Synchronization can be used to synchronize users in the identity source.

Two alternative options that could be considered include:

Use multiple identity source configurations, each with a Root and User Search Filter chosen to represent a different, smaller subset of users. The number of users who are returned for each identity source must always be less than the maximum that your LDAPv3 directory server returns in one search query result (usually 500). Ensure that there is no overlap between subsets (that is, a user does not occur in more than one identity source) and no required users are omitted.
Copy user records from your existing directory server to a new LDAPv3 directory server that does support and have enabled the Simple Paged Results control, or to Microsoft Active Directory.

Don't see what you're looking for?

Related Articles

Trending Articles