- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
This message is reported in the "Log" > "Box" > "Control" > "phibs.log":
MSAD-Offline-Groups Search for groups on x.x.x.x failed (Size limit exceeded) (bad Active-Directory-configuration?). MSAD-group sync failed
What does it mean?
This message occurs if the synced authentication group is too large. Microsoft Active Directory limits the size of its answer to a request in order to avoid DoS attacks. The groups are synced from the BaseDN downward, and the answer for your configured BaseDN contains too much data, so Active Directory only answers with "Size limit exceeded", which is logged in your phibs.log.
You have to set a more specific BaseDN in order to decrease the size of the answer.
Bigger request size of groups: BaseDN = OU=de,DC=mydomain,DC=com
Smaller request size of groups: BaseDN = OU=groups,OU=users,OU=de,DC=mydomain,DC=com
Alternatively, you can increase the maximum allowed request size on the Active Directory side. See this Microsoft KB article on how to do this; the relevant parameter is MaxPageSize. Its default value is 1000, so an LDAP request must not return more than 1000 results. Use NTDSUTIL as described in the article to increase this value.
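As an added check (example PowerShell written for this article, not part of the original text or of the firewall vendor's tooling), the script below reads the domain's current MaxPageSize and counts the groups below each candidate BaseDN, so you can see which BaseDN stays under the limit before changing the firewall configuration. It assumes the RSAT ActiveDirectory module, a domain-joined session, and the article's placeholder DNs under DC=mydomain,DC=com.

```powershell
# Added example, not from the original article. Assumes the RSAT
# ActiveDirectory module and a domain-joined session with read access.
# The BaseDNs below are the article's placeholders; replace them with yours.
Import-Module ActiveDirectory

# 1. Read the effective MaxPageSize from the default LDAP query policy.
#    It is stored in the multi-valued lDAPAdminLimits attribute as the
#    string "MaxPageSize=<n>"; the article's default of 1000 is the fallback.
$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNC"
$policy   = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits
$limitStr = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxPageSize=*' }
$maxPageSize = if ($limitStr) { [int]($limitStr -replace '^MaxPageSize=', '') } else { 1000 }
Write-Host "Effective MaxPageSize: $maxPageSize"

# 2. Count the groups below each candidate BaseDN with subtree scope, which
#    is what the firewall's group sync requests. Get-ADGroup pages its own
#    results, so this count does not itself fail with "Size limit exceeded";
#    it tells you whether the firewall's single unpaged answer would.
$candidates = @(
    'OU=de,DC=mydomain,DC=com',                      # the article's "bigger" BaseDN
    'OU=groups,OU=users,OU=de,DC=mydomain,DC=com'    # the article's "smaller" BaseDN
)
foreach ($baseDN in $candidates) {
    $groups  = @(Get-ADGroup -Filter * -SearchBase $baseDN -SearchScope Subtree)
    $verdict = if ($groups.Count -gt $maxPageSize) {
        'TOO LARGE: expect "Size limit exceeded" in phibs.log'
    } else {
        'OK: fits within MaxPageSize'
    }
    Write-Host ("{0,6} groups under {1}  [{2}]" -f $groups.Count, $baseDN, $verdict)
}
```

Pick the narrowest BaseDN that still contains every group the firewall needs; raising MaxPageSize with NTDSUTIL, as the article describes, is the fallback when no suitable BaseDN exists.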