We used something that returned a smaller number of users, and now everything works. Evidently, AD has a default limit of 1,000 entries at a time.
The Spring framework calls the native Java LDAP methods:
    public void search(SearchExecutor se, NameClassPairCallbackHandler handler, DirContextProcessor processor) {
        DirContext ctx = this.contextSource.getReadOnlyContext();
        NamingEnumeration results = null;
        RuntimeException ex = null;
        try {
            results = se.executeSearch(ctx);
            while (results.hasMore()) {   // hasMore() pulls the next batch from the server
                NameClassPair result = (NameClassPair) results.next();
                handler.handleNameClassPair(result);
            }
        // ... (excerpt truncated here in the original)
This eventually makes it to the core LDAP libraries, which don't like the following…
    private void getNextBatch() throws NamingException {
        this.res = this.homeCtx.getSearchReply(this.enumClnt, this.res);
        if (this.res == null) {
            this.limit = (this.posn = 0);
            return;
        }
        this.entries = this.res.entries;
        this.limit = (this.entries == null ? 0 : this.entries.size());
        this.posn = 0;
        if ((this.res.status != 0) || ((this.res.status == 0) && (this.res.referrals != null))) {
            try {
                // a non-zero result code such as sizeLimitExceeded (4) becomes an exception here
                this.homeCtx.processReturnCode(this.res, this.listArg);
            } catch (LimitExceededException localLimitExceededException) {
                setNamingException(localLimitExceededException);
            }
        // ... (excerpt truncated here in the original)
We found some hits for changing the count limit to something very high, but our needs were met by simply reducing the LDAP search scope, as mostly privileged admin accounts (few in number) need to be added to Ambari anyway.
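For cases where narrowing the filter is not enough (the matching set itself is larger than 1,000), the standard answer is to page the search with the LDAP paged-results control rather than raising the server's limit. The following is an added example written for this thread, not code from the original post, Spring LDAP or the JDK; it uses plain JNDI (javax.naming.ldap.PagedResultsControl) and goes beyond the post by fetching every page. The directory URL, bind DN, search base, group DN and the LDAP_BIND_PASSWORD environment variable are placeholders, and the narrowed memberOf filter mirrors the post's approach of syncing only the admin accounts.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

// Added example (not from the post, Spring LDAP or the JDK): page through an AD
// search in chunks no larger than the server's MaxPageSize, so the 1,000-entry
// default never produces a size-limit error. All names below are placeholders.
public class PagedAdSearch {

    // AD's default MaxPageSize is 1,000; any page size at or below it is safe.
    private static final int PAGE_SIZE = 500;

    public static List<String> searchAllDns(LdapContext ctx, String base, String filter)
            throws NamingException, IOException {
        List<String> dns = new ArrayList<>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"}); // fetch only what is needed

        byte[] cookie = null;
        do {
            // Each round trip asks for at most PAGE_SIZE entries and carries the
            // cookie from the previous page (null on the first request).
            ctx.setRequestControls(new Control[] {
                new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL)});

            NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
            try {
                while (results.hasMore()) {
                    dns.add(results.next().getNameInNamespace());
                }
            } finally {
                results.close();
            }

            // The server returns a non-empty cookie while more pages remain.
            cookie = null;
            Control[] responseControls = ctx.getResponseControls();
            if (responseControls != null) {
                for (Control c : responseControls) {
                    if (c instanceof PagedResultsResponseControl) {
                        cookie = ((PagedResultsResponseControl) c).getCookie();
                    }
                }
            }
        } while (cookie != null && cookie.length > 0);

        ctx.setRequestControls(null); // clear the control for later operations
        return dns;
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://dc.example.test:636");                  // placeholder
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "CN=svc-ambari,OU=Service Accounts,DC=example,DC=test"); // placeholder
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD"));   // placeholder

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // Narrowing the filter (as the post did) remains the cheapest fix:
            // only members of the admin group, not every user object in the domain.
            String filter = "(&(objectClass=user)(memberOf=CN=Ambari Admins,OU=Groups,DC=example,DC=test))";
            List<String> dns = searchAllDns(ctx, "DC=example,DC=test", filter);
            System.out.println("synced " + dns.size() + " accounts");
        } catch (SizeLimitExceededException e) {
            // Thrown from hasMore() when an unpaged result set exceeds the server limit;
            // with paging it should not occur, but surfacing it beats a silent truncation.
            System.err.println("server size limit hit: " + e.getMessage());
        } finally {
            ctx.close();
        }
    }
}
```

Two things worth keeping in mind: the control is marked critical, so a directory that does not support paging refuses the search instead of quietly returning a truncated first page, and the bind uses a read-only service account over LDAPS rather than an admin credential, since a sync job only needs to read group membership. Spring LDAP ships a PagedResultsDirContextProcessor that does the same cookie handling for LdapTemplate users, if you would rather stay inside the framework.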