Article Number
000038844
Applies To
RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router, Cloud
Issue
An LDAPv3 identity source appears to be configured correctly, and a test connection to each of its directory servers succeeds. However, Identity Source Synchronization fails.
In the RSA Cloud Administration Console, the following symptoms are observed:
- The synchronization status of the identity source shows:
Description: Identity source synchronization not completed successfully
Details: Unknown cause
- The System Log of one of the Identity Routers contains an LDAP error event similar to the following:
ERROR com.rsa.aae.internal.ldap.sync.LDAPSearchExecutor[71] - failed to read data from LDAP
LDAPException(resultCode=4 (size limit exceeded), numEntries=500, numReferences=0, errorMessage='size limit exceeded', ldapSDKVersion=4.0.6, revision=27850)
at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3734)
Cause
This error occurs when both of the following are true:
- The Root and User Search Filter configured for your identity source matches more users than the maximum number of entries your LDAPv3 directory server returns in one search result. In the error above that limit is 500 (numEntries=500); the value is set by the directory server (for example, OpenLDAP's sizelimit directive, whose default is 500).
- The Simple Paged Results control is either not enabled in your LDAPv3 directory server, or is not supported by it.
Resolution
Confirm that your LDAPv3 directory server supports the Simple Paged Results control (RFC 2696), identified by controlType 1.2.840.113556.1.4.319, and enable it. A server that supports the control advertises this OID in the supportedControl attribute of its root DSE (a base-scope search against the empty base DN). Perform the check with the same bind account the Identity Router uses, because some directory servers apply size and paging limits per bind DN.
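The mechanism behind the error and the fix, as an added example that is not part of the RSA article: a toy LDAPv3 server that enforces a server-side size limit of 500 (matching numEntries=500 above) and optionally honours the Simple Paged Results control, a check of a root DSE supportedControl listing for the control's OID, and the client-side cookie loop a paged consumer runs. The base DN, uids and the LDIF sample are constructed for the example; nothing here is RSA's own code.

```python
# Added example, not RSA code: a toy LDAPv3 server that enforces a server-side
# size limit (500 here, matching numEntries=500 in the error above) and
# optionally honours the Simple Paged Results control (RFC 2696, OID
# 1.2.840.113556.1.4.319), plus the client-side loop a paged consumer runs.
# Base DN, uids and the LDIF sample are constructed for the example.

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

# Constructed root-DSE output of the kind returned by
#   ldapsearch -x -H ldap://<server> -s base -b "" supportedControl
ROOT_DSE_WITH_PAGING = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.18
"""


def supports_paged_results(root_dse_ldif):
    """True if the root DSE advertises the Simple Paged Results control."""
    for line in root_dse_ldif.splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "supportedcontrol" and value.strip() == PAGED_RESULTS_OID:
            return True
    return False


class SizeLimitExceeded(Exception):
    """Stands in for LDAP resultCode 4 (sizeLimitExceeded)."""


class FakeDirectory:
    """Toy server: at most size_limit entries per result set. With the paged
    control, each page is capped at size_limit but the total is unbounded
    (a simplification; real servers may also cap the paged total)."""

    def __init__(self, entries, size_limit=500, paged_results=True):
        self.entries = entries
        self.size_limit = size_limit
        self.paged_results = paged_results

    def search(self, match, page_size=None, cookie=b""):
        """match: predicate over an entry. Returns (entries, cookie); a
        non-empty cookie means another page remains to be fetched."""
        hits = [e for e in self.entries if match(e)]
        if page_size is None or not self.paged_results:
            # No control sent, or control not supported: the whole result set is limited.
            if len(hits) > self.size_limit:
                raise SizeLimitExceeded(f"resultCode=4, numEntries={self.size_limit}")
            return hits, b""
        offset = int(cookie) if cookie else 0
        page = hits[offset:offset + min(page_size, self.size_limit)]
        offset += len(page)
        return page, (str(offset).encode() if offset < len(hits) else b"")


def sync_users(directory, match, page_size=None):
    """Client loop: resend the search with the server's cookie until the
    server returns an empty cookie (RFC 2696, section 3)."""
    users, cookie = [], b""
    while True:
        page, cookie = directory.search(match, page_size=page_size, cookie=cookie)
        users.extend(page)
        if not cookie:
            return users


def make_users(n):
    """Constructed population under a hypothetical base DN."""
    return [{"dn": f"uid=u{i:04d},ou=People,dc=example,dc=com"} for i in range(1, n + 1)]


def everyone(entry):
    """Stands in for a Root and User Search Filter that matches all users."""
    return True


def demo():
    results = {}
    with_control = FakeDirectory(make_users(1200), size_limit=500, paged_results=True)
    try:
        sync_users(with_control, everyone)  # unpaged search: 1200 matches > 500 limit
        results["unpaged"] = "ok"
    except SizeLimitExceeded as exc:
        results["unpaged"] = f"failed: {exc}"
    results["paged"] = len(sync_users(with_control, everyone, page_size=200))
    without_control = FakeDirectory(make_users(1200), size_limit=500, paged_results=False)
    try:
        sync_users(without_control, everyone, page_size=200)
        results["paged_unsupported"] = "ok"
    except SizeLimitExceeded as exc:
        results["paged_unsupported"] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    print(supports_paged_results(ROOT_DSE_WITH_PAGING), demo())
```

The third scenario in demo() is the one this article describes: the client asks for pages, but a server that does not support or has not enabled the control ignores the request and applies its size limit to the whole result set, so the synchronization fails exactly as an unpaged search would.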
Workaround
If the Simple Paged Results control is not supported by your LDAPv3 directory server, or cannot be enabled, then Scheduled Synchronization and Manual Synchronization are not possible for that identity source with the current number of users returned by the Root and User Search Filter.
One option to work around this limitation is to use the limited synchronization methods:
- Scheduled Synchronization should be disabled and Manual Synchronization should not be used, as both fail.
- Just-In-Time Synchronization must be enabled under Company Settings. It is disabled by default. When enabled, Just-In-Time Synchronization applies to all identity sources configured in your RSA Cloud Authentication Service.
- Ongoing, only Just-In-Time Synchronization and Single-User Synchronization can be used to synchronize users in the identity source.
Two alternatives that can be considered are:
- Use multiple identity source configurations, each with a Root and User Search Filter that selects a different, smaller subset of users. The number of users returned for each identity source must always be less than the maximum your LDAPv3 directory server returns in one search result (500 in the error above). Ensure that the subsets do not overlap (no user occurs in more than one identity source) and that no required user is omitted.
- Copy the user records from your existing directory server to a new LDAPv3 directory server that supports the Simple Paged Results control and has it enabled, or to Microsoft Active Directory.
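A check for the first alternative above (splitting one identity source into several), as an added example that is not part of the RSA article: it verifies that each proposed subset stays below the server's size limit, that no user falls into two subsets, and that no required user is omitted. The filters are plain Python predicates standing in for Root and User Search Filters, and the department names and population are constructed for the example.

```python
# Added example, not RSA code: validates a proposed split of one identity
# source into several narrower ones against the three conditions in the
# workaround above: each subset stays below the server's size limit, no user
# falls into two subsets, and no required user is omitted. Filters are plain
# Python predicates standing in for Root and User Search Filters; the
# department names and population are constructed for the example.

def make_users(n, departments):
    """Constructed population, spread round-robin over the departments."""
    return [{"uid": f"u{i:04d}", "department": departments[i % len(departments)]}
            for i in range(1, n + 1)]


def in_department(*departments):
    """Predicate standing in for a filter such as (department=Sales)."""
    return lambda user: user["department"] in departments


def check_identity_source_split(users, filters, size_limit):
    """filters: {identity_source_name: predicate}. Returns a report whose
    'ok' is True only when all three workaround conditions hold."""
    members = {name: {u["uid"] for u in users if match(u)} for name, match in filters.items()}
    required = {u["uid"] for u in users}
    covered = set().union(*members.values())
    overlapping = set()
    names = list(members)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            overlapping |= members[a] & members[b]
    # The workaround requires strictly fewer users than the server's limit.
    too_large = {name: len(m) for name, m in members.items() if len(m) >= size_limit}
    return {
        "sizes": {name: len(m) for name, m in members.items()},
        "too_large": too_large,
        "overlapping": sorted(overlapping),
        "omitted": sorted(required - covered),
        "ok": not too_large and not overlapping and covered == required,
    }


def demo(size_limit=500):
    users = make_users(1200, ["Sales", "Engineering", "Support", "Finance"])  # 300 each
    # First attempt: two coarse filters that both include Engineering and miss Finance.
    coarse = {
        "src-a": in_department("Sales", "Engineering"),
        "src-b": in_department("Engineering", "Support"),
    }
    # Corrected split: one identity source per department.
    per_department = {
        f"src-{dept.lower()}": in_department(dept)
        for dept in ("Sales", "Engineering", "Support", "Finance")
    }
    return (check_identity_source_split(users, coarse, size_limit),
            check_identity_source_split(users, per_department, size_limit))


if __name__ == "__main__":
    for report in demo():
        print(report["ok"], report["sizes"], len(report["overlapping"]), len(report["omitted"]))
```

Run the check against a current export of the directory before creating the identity sources, and again whenever users are added, because a subset that is below the limit today can grow past it as the directory changes.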