LDAP Client - Sizelimit Exceeded (Fix - Net::LDAP::Control::Paged)

I’m trying to query an OKTA LDAP Directory server via Webmin’s ldap-client module against OKTA’s external LDAP Interface service, and there are more than 1000 users in the results, which breaks the query with a “SizeLimit Exceeded” error. The issue is still present even if I limit the scope, as there are well over 1000 results based on the ‘uid’ attribute alone. I can query the OKTA LDAP Directory successfully using the command-line tools ldapsearch, nslcd, or Apache Virtual Directory. Those tools support a feature that instructs the OKTA LDAP server (or any LDAP server) to return results 1000 users at a time until all objects have been displayed, rather than asking the server to send all results without a limit, which breaks the connection with a Sizelimit Exceeded error.

I dug into the issue, and it turns out that the Webmin LDAP-Client only uses Perl’s Net::LDAP library to query/authenticate to LDAP servers; however, it does not have the ability to ask servers to limit their results via page limits. This is where the Net::LDAP::Control::Paged module would fix the issue, as it is the module that can get around the size limit requirements.

OKTA’s Known Limitation LDAP Interface FAQ:

  • The server allows a page size of 1000 entries. If the size of the result exceeds the page size, an LDAP error code is returned. For a large result set, use Simple Pagination Control. See

Net::LDAP::Control::Paged - LDAPv3 Paged results control object - metacpan.org

The ldapsearch command below works; the “-E pr=1000/noprompt” argument tells the server to return the results 1000 at a time until complete.

ldapsearch -H ldaps://companydomainhere.ldap.okta.com:636 -D "uid=ldap_Admin_usAR,ou=users,dc=companydomain,dc=okta,dc=com" -W -x -b ou=users,dc=companydomain,dc=okta,dc=com -E pr=1000/noprompt "(&(mail=ron.davis@companydomain.com)(givenName=ron*))"

These are the Apache Directory Studio defaults, showing that you can set the limits for the page requests there too.

Not sure how to fix this, but I’d appreciate anyone’s help to solve it.

I set up nslcd on my system to query the OKTA LDAP Directory server, and I also had to use a limit option of “pagesize 1000” in /etc/nslcd.conf for it to work.

This is what I see when I set “pagesize 1001” followed by running getent passwd
nslcd: [7b23c6] <passwd(all)> ldap_result() failed: Size limit exceeded

This is what I see when I set “pagesize 1000” followed by running getent passwd
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_result(): … 1817 more results
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_result(): end of results (1827 total)

Thanks!

SYSTEM INFORMATION
Ubuntu Linux 22.04.2
Webmin 2.021
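For reference, this is what a paged search with Net::LDAP::Control::Paged looks like in plain Perl. It is an added example written for this thread, not code from Webmin or from the ldap-client module. It follows the loop shown in the Net::LDAP::Control::Paged documentation, checks the root DSE for the paged results control (OID 1.2.840.113556.1.4.319, RFC 2696) before relying on it, and sends the abandon request the RFC asks for if the loop is left with a live cookie. The host, bind DN, base DN, CA file path and the LDAP_PASS environment variable are assumptions for illustration and must be replaced.

```perl
#!/usr/bin/perl
# Added example (not Webmin's code): walk a large subtree with the LDAPv3
# simple paged results control so a server with a hard 1000-entry page
# limit (such as Okta's LDAP Interface) never answers sizeLimitExceeded.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);

# Assumed connection parameters; replace with your own values.
my $uri       = 'ldaps://companydomainhere.ldap.okta.com:636';
my $bind_dn   = 'uid=ldap_Admin_usAR,ou=users,dc=companydomain,dc=okta,dc=com';
my $password  = $ENV{LDAP_PASS} // die "set LDAP_PASS in the environment\n";
my $base      = 'ou=users,dc=companydomain,dc=okta,dc=com';
my $filter    = '(uid=*)';
my $page_size = 1000;   # Okta's documented maximum page size
my $ca_file   = '/etc/ssl/certs/ca-certificates.crt';   # assumed path

# Verify the server certificate; an LDAP client that binds with a password
# over an unverified TLS session is an easy MITM target.
my $ldap = Net::LDAP->new($uri, verify => 'require', cafile => $ca_file)
    or die "connect to $uri failed: $@\n";

my $mesg = $ldap->bind($bind_dn, password => $password);
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# Confirm the server advertises paged results in its root DSE before
# depending on the control (LDAP_CONTROL_PAGED is the OID string).
my $dse = $ldap->root_dse;
die "server does not advertise control " . LDAP_CONTROL_PAGED . "\n"
    unless $dse && $dse->supported_control(LDAP_CONTROL_PAGED);

my $page = Net::LDAP::Control::Paged->new(size => $page_size);
my @search_args = (
    base    => $base,
    scope   => 'sub',
    filter  => $filter,
    attrs   => [qw(uid mail)],
    control => [$page],
);

my ($total, $pages, $cookie) = (0, 0, undef);
while (1) {
    $mesg = $ldap->search(@search_args);
    # A page size above the server limit still fails here with
    # sizeLimitExceeded; anything else is a real error too.
    die 'search failed: ' . $mesg->error . "\n" if $mesg->code;

    $pages++;
    $total += $mesg->count;
    for my $entry ($mesg->entries) {
        printf "%s %s\n",
            $entry->get_value('uid') // '',
            $entry->get_value('mail') // '';
    }

    # The server's response control carries the cookie for the next page;
    # an empty cookie means this was the last page.
    my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
    $cookie = $resp->cookie;
    last unless $cookie;
    $page->cookie($cookie);
}

# If we left the loop while the server still holds a cookie (the response
# control was missing), tell the server to drop the paged search.
if ($cookie) {
    $page->cookie($cookie);
    $page->size(0);
    $ldap->search(@search_args);
}

$ldap->unbind;
printf STDERR "%d entries in %d page(s) of up to %d\n", $total, $pages, $page_size;
```

Run it with the bind password in the environment rather than on the command line (`LDAP_PASS=... perl paged_search.pl`) so it does not show up in shell history or `ps` output. Setting $page_size to 1001 reproduces the same "Size limit exceeded" failure that nslcd shows above, which is a quick way to confirm that the control is actually being honoured.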
