Pinniped with LDAP Error "Size Limit Exceeded"

[HamzaZo]

Hello,

I'm trying to configure our LDAP with Pinniped and when I try to authenticate, I'm getting error searching for user: LDAP Result Code 4 \"Size Limit Exceeded\": This search operation has sent the maximum of 2 entries to the client

Any idea why I'm getting this error? even though in groupSearch I filter by group

[cfryanr]

Hi @HamzaZo,

When an end-user tries to authenticate via LDAP by typing their username and password into the Pinniped-generated CLI prompt (or Pinniped Supervisor login web UI prompt), then Pinniped performs several LDAP queries to check if that user has authenticated successfully and then to discover their group memberships.

The first query is to find the user record in LDAP based on the username that the end-user typed. The settings that control this "user search" query are in the LDAPIdentityProvider (or ActiveDirectoryIdentityProvider) spec.userSearch. These settings are documented here.

I can see that this user search is the query that is failing for you, because your error message starts with "error searching for user". Therefore, your group search settings are not yet involved, because group search happens only after user search has successfully found the user record.

Pinniped expects that user search query to return exactly one user record for any valid username. If the search returned zero user records, then perhaps the user mistyped their username, or perhaps there is no account for that username, so that will naturally result in an error. However, if the search returns more than one user record, then it is almost certain that you have made a mistake in your spec.userSearch settings, which allowed the search to find more than one matching user record. You'll need to adjust your search criteria so that the user search can only result in exactly one matching record for any valid username. Your user search configuration must not result in ambiguous searches.

Just as an example, your user search approach cannot be "search for any user record which has a uid value that contains the username string typed by the end-user as a substring". When an end-user types the username example then that could be either the user record where uid is example1 or it could be the user record where the uid is example2, so this creates an ambiguous search configuration. In that example, Pinniped cannot determine which user is attempting to authenticate, so there is no sensible way for Pinniped to allow that authentication to proceed. In this example, you could fix your user search configuration settings by adjusting them to search for exact matches rather than substring matches.

Please let me know if that helps.