Posted on - 05/10/2012
We are trying the authentication of the system for the Active Directory. During the setup we have experienced some problems with it. The Directory has at least 3000 entries in it. The Active Directory can only return 1000 entries on every search made from the domain.
This limitation is there to improve the performance of the search and to make the search more secure. Now, if the Active Directory tries to fetch more than 1000 records, we get an error: "Active Directory throws an exception (sizelimitexception, LDAP error code 4)." This is the exact error message we get using Plastic SCM:
Authentication server message
The authentication server has exceeded the maximum limit of entries for a single query. Use the search filter at the top right to retrieve fewer entries. Alternatively, enter a user or group name in the bottom textbox.
Plastic SCM Active Directory Error
At this point, there are three possible solutions to get a result:
1. Close the warning message and specify a filter in the "Filter" textbox of the User Selection dialog. Plastic SCM will then filter the query to the Active Directory domain and will retrieve fewer results than before.
– The specified filter has to return fewer than 1000 results.
2. Specify a subdomain in the PlasticSCM server configuration instead of the entire Active Directory domain. The Plastic SCM server will then query only for users and groups from the specified subdomain.
If you currently have your PlasticSCM server's Active Directory domain configured as:
"mycompany.com" (or "dc=company,dc=com").
Change it to:
"developers.company.com" (or "dc=developers,dc=company,dc=com").
You can perform this change through the server configuration wizard.
– All the PlasticSCM users must be contained in that subdomain.
– The list of users/groups in the subdomain contains fewer than 1000 entries.
3. Change the Active Directory's limit. You can do that by following this guide from Microsoft's Knowledge base:
https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil (Sections: "Starting Ntdsutil.exe", "Viewing current policy settings" and "Modifying policy settings").
Mainly, the steps are the following:
Run "Ntdsutil.exe" on the Active Directory machine.
At the "Ntdsutil.exe" command prompt, type "LDAP policies".
At the "LDAP policy" command prompt, type "connections".
At the "server connection" command prompt, type "connect to server MYHOST.mydomain.com".
Examples: "Connect to server localhost" or "Connect to server ldapserver.archgroup.com".
At the "server connection" command prompt, type "q".
At the "LDAP policy" command prompt, type "Set MaxPageSize to NEW_VALUE".
Example: "Set MaxPageSize to 3000".
At the "LDAP policy" command prompt, type "Commit Changes".
At the "LDAP policy" command prompt, type "q".
At the "Ntdsutil.exe" command prompt, type "q".
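One way to check the two conditions of the second option before touching the server configuration or raising MaxPageSize, as an added example that is not part of the original post or of Plastic SCM. It assumes a domain-joined machine with read access to the directory, uses the example DN from this page, and the function name Get-DirectoryEntryCount is hypothetical.

```powershell
# Added example: count user and group objects under a candidate search base
# to see whether it fits under the 1000-entry limit quoted on this page.
param(
    [string]$BaseDn = 'dc=developers,dc=company,dc=com',  # example DN from this page
    [int]$Limit = 1000                                    # limit quoted on this page
)

# Hypothetical helper: returns the number of objects matching $Filter under $BaseDn.
function Get-DirectoryEntryCount {
    param([string]$BaseDn, [string]$Filter)

    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = $Filter
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    # A non-zero PageSize makes the client use paged searches, so the count
    # itself is not cut off by the server-side limit.
    $searcher.PageSize = 500
    # Request only the DN to keep the query cheap on the domain controller.
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        $count = 0
        foreach ($r in $results) { $count++ }
        return $count
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
        $root.Dispose()
    }
}

$users  = Get-DirectoryEntryCount -BaseDn $BaseDn -Filter '(&(objectCategory=person)(objectClass=user))'
$groups = Get-DirectoryEntryCount -BaseDn $BaseDn -Filter '(objectCategory=group)'

# Assumption: the page does not say whether users and groups are fetched in one
# query or separately, so the combined total is compared against the limit.
[pscustomobject]@{
    BaseDn     = $BaseDn
    Users      = $users
    Groups     = $groups
    Total      = $users + $groups
    UnderLimit = ($users + $groups) -lt $Limit
}
```

If UnderLimit is False for the subdomain, the same script can be pointed at a narrower base DN before considering the MaxPageSize change.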