IBM Support

LDAP server limits number of search results based on bind user

Troubleshooting


Problem

In IBM WebSphere Portal, a search for people or groups fails because the LDAP server limits search results for Virtual Member Manager's (VMM) bind distinguished name (bindDN).

Symptom


When the People Finder searches for a person or group, the Directory Search -- Webpage Dialog spawns a pop-up: "Error loading xml string Error 500:"

The SystemOut.log contains the following:

... PickerDataSou W com.ibm.wkplc.people.picker.poc.PickerDataSource getExpiration Implement to enable caching...
... PickerDataSou W com.ibm.wkplc.people.picker.poc.PickerDataSource getLastModified Implement to enable caching...
... exception E com.ibm.ws.wim.adapter.ldap.LdapConnection cloneSearchResults(NamingEnumeration, CachedNamingEnumeration, CachedNamingEnumeration) CWWIM4520E The 'javax.naming.LimitExceededException: [LDAP: error code 11 - Administrative Limit Exceeded]; remaining name 'o=yourorganization'; resolved object com.sun.jndi.ldap.LdapCtx@7b2c7b2c' naming exception occurred during processing.
... exception E com.ibm.ws.wim.adapter.ldap.LdapConnection cloneSearchResults(NamingEnumeration, CachedNamingEnumeration, CachedNamingEnumeration)
com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.LimitExceededException: [LDAP: error code 11 - Administrative Limit Exceeded]; remaining name 'o=yourorganization'; resolved object com.sun.jndi.ldap.LdapCtx@7b2c7b2c' naming exception occurred during processing.

    at com.ibm.ws.wim.adapter.ldap.LdapConnection.cloneSearchResults(LdapConnection.java:3005)
    at com.ibm.ws.wim.adapter.ldap.LdapConnection.updateSearchCache(LdapConnection.java:2402)
    at com.ibm.ws.wim.adapter.ldap.LdapConnection.checkSearchCache(LdapConnection.java:2474)
    at com.ibm.ws.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:2653)
    at ...

Cause

The "LDAP: error code 11" indicates the following:

* The error originates from the LDAP server and therefore may require assistance from the LDAP administrator to resolve. (Refer to Document #1295558, "'LDAP: error code ...' messages appear in WebSphere Portal logs".)

* The search results exceeded an administrative limit.

Resolving The Problem

Work with your LDAP administrator to adjust the administrative limits on the results of searches made by the distinguished name with which VMM binds to the LDAP server. Refer to <profile>/config/cells/<cell name>/wim/config/wimconfig.xml for this bindDN:

<config:ldapServers ... bindDN="cn=root" ...>
  <config:connections host="yourldapserver.com" ... /> 
</config:ldapServers>

In the case of the Sun ONE Directory Server LDAP implementation, the following parameter settings for VMM's bindDN should resolve the problem:

nslookthroughlimit=-1
nssizelimit=-1
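
The steps above as an added example (not IBM's code and not part of the original technote): it reads each bindDN and host from wimconfig.xml, counts the CWWIM4520E "error code 11" lines in SystemOut.log, and prints an LDIF change for the LDAP administrator to review. The sample inputs are constructed, the namespace URI is a placeholder, and applying the two attributes to the bindDN's own entry with an LDIF modify is an assumption about how the limits are set on Sun ONE Directory Server.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the wimconfig.xml fragment above (placeholder namespace URI).
SAMPLE_WIMCONFIG = """<wim xmlns:config="urn:example:wim-config">
  <config:ldapServers bindDN="cn=root">
    <config:connections host="yourldapserver.com"/>
  </config:ldapServers>
</wim>"""

# Constructed log lines modelled on the SystemOut.log excerpt above.
_ERR = ("CWWIM4520E The 'javax.naming.LimitExceededException: [LDAP: error code 11 - "
        "Administrative Limit Exceeded]; remaining name 'o=yourorganization'; ...' "
        "naming exception occurred during processing.")
SAMPLE_LOG = "\n".join([
    "... PickerDataSou W com.ibm.wkplc.people.picker.poc.PickerDataSource getExpiration ...",
    "... exception E com.ibm.ws.wim.adapter.ldap.LdapConnection cloneSearchResults(...) " + _ERR,
    "com.ibm.websphere.wim.exception.WIMSystemException: " + _ERR,
])

LIMIT_RE = re.compile(r"CWWIM4520E.*?LDAP: error code 11\b.*?remaining name '([^']*)'")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def bind_dns(xml_text):
    """Return [(bindDN, [hosts])] for every ldapServers element in wimconfig.xml."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "ldapServers" and el.get("bindDN"):
            hosts = [c.get("host") for c in el if local(c.tag) == "connections"]
            found.append((el.get("bindDN"), hosts))
    return found

def limit_errors(log_text):
    """Return {remaining name: count} for administrative-limit errors in the log."""
    counts = {}
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def limits_ldif(bind_dn):
    """LDIF that lifts both limits for this one DN only (assumed per-entry attributes)."""
    return "\n".join([f"dn: {bind_dn}", "changetype: modify",
                      "replace: nslookthroughlimit", "nslookthroughlimit: -1", "-",
                      "replace: nssizelimit", "nssizelimit: -1", ""])

if __name__ == "__main__" and limit_errors(SAMPLE_LOG):
    for dn, hosts in bind_dns(SAMPLE_WIMCONFIG):
        print(f"# bindDN {dn} on {', '.join(hosts)}\n{limits_ldif(dn)}")
```
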


Document Information

Modified date:
03 December 2021

UID

swg21388805