LDAP authentication failed with error code 4003 and Group length is very large

Article ID: CTX290049

Description

One user cannot log in to Gateway with LDAP authentication, while other users can log in normally.

Resolution

1. Remove the user from most of the groups, or
2. Leave the LDAP server setting "Group Attribute" blank rather than "memberof"; ADC will then not extract group information from the AD server.

Problem Cause

From aaad.debug, we can see that the group length is very large and the error code is 4003.

There is a limit to the number of characters that can be returned in an LDAP access query. Users who are members of a large number of groups hit this limit.

Fri Jan  8 14:59:37 2021
 /home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/ldap_drv.c[489]: receive_ldap_user_search_event For user yuyq, group stringLength 10289

/home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/ldap_common.c[191]: ns_ldap_timeout_handler ldap server time out, sending error
Fri Jan  8 14:59:40 2021
 /home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/naaad.c[2915]: send_reject_with_code Not trying cascade again
Fri Jan  8 14:59:40 2021
 /home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/naaad.c[2917]: send_reject_with_code sending reject to kernel for : yuyq
Fri Jan  8 14:59:40 2021
 /home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/naaad.c[2921]: send_reject_with_code Rejecting with error code 4003
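The excerpt above shows the three lines that together identify this failure: a large group stringLength, an LDAP timeout, and a reject with code 4003. The following Python is an added example (not Citrix code) that walks aaad.debug in order and correlates those lines per user, so affected accounts can be found before they open a ticket; the sample log is constructed in the shape of the excerpt (user names and the second user's length are made up), and the warn_length threshold is an assumption because the article gives no exact first-level limit.

```python
import re

# Patterns taken from the aaad.debug lines quoted in the article.
GROUP_LEN_RE = re.compile(r"receive_ldap_user_search_event For user (\S+), group stringLength (\d+)")
TIMEOUT_RE = re.compile(r"ns_ldap_timeout_handler ldap server time out")
REJECT_USER_RE = re.compile(r"send_reject_with_code sending reject to kernel for : (\S+)")
REJECT_CODE_RE = re.compile(r"send_reject_with_code Rejecting with error code (\d+)")

# Constructed sample in the shape of the article's excerpt: user names and the
# second user's length are made up; the source paths are the ones the article shows.
SAMPLE_AAAD_DEBUG = """\
Fri Jan  8 14:59:37 2021
 /home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/ldap_drv.c[489]: receive_ldap_user_search_event For user alice, group stringLength 10289
 /home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/ldap_common.c[191]: ns_ldap_timeout_handler ldap server time out, sending error
Fri Jan  8 14:59:40 2021
 /home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/naaad.c[2917]: send_reject_with_code sending reject to kernel for : alice
Fri Jan  8 14:59:40 2021
 /home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/naaad.c[2921]: send_reject_with_code Rejecting with error code 4003
 /home/build/rs_111_60_8_RTM/usr.src/netscaler/aaad/ldap_drv.c[489]: receive_ldap_user_search_event For user bob, group stringLength 412
"""


def parse_aaad_debug(log_text):
    """Return {user: {group_length, ldap_timeout, reject_code}} from aaad.debug text.
    The group-length line opens a user's record and a following timeout is attributed
    to that user; the reject lines name the user explicitly, so they re-anchor on it."""
    users, current = {}, None
    for line in log_text.splitlines():
        if m := GROUP_LEN_RE.search(line):
            current = m.group(1)
            users[current] = {"group_length": int(m.group(2)), "ldap_timeout": False, "reject_code": None}
        elif m := REJECT_USER_RE.search(line):
            current = m.group(1)
            users.setdefault(current, {"group_length": 0, "ldap_timeout": False, "reject_code": None})
        elif current is None:
            continue  # lines before any user record, e.g. a bare timestamp
        elif TIMEOUT_RE.search(line):
            users[current]["ldap_timeout"] = True
        elif m := REJECT_CODE_RE.search(line):
            users[current]["reject_code"] = int(m.group(1))
    return users


def users_hitting_group_limit(log_text, warn_length):
    """Users rejected with 4003 whose group string was longer than warn_length.
    warn_length is a site-chosen threshold (an assumption here): the article gives
    no exact first-level limit, only that a 10289-character group string hit it."""
    return sorted(user for user, rec in parse_aaad_debug(log_text).items()
                  if rec["reject_code"] == 4003 and rec["group_length"] > warn_length)
```

Users returned by users_hitting_group_limit are the candidates for the two resolutions above (trimming group membership or clearing "Group Attribute").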


Additional Information

There are two related issues when a user is a member of a large number of AD groups.

Upgrade ADC to ns 12.1-59.16 or ns 13.0-67.39 or above to fix the issue tracked in NSHELP-22959.

The other issue occurs when a user's AD group information exceeds the 32K limit and nested group extraction is configured.

At the first level, group information over 18K in length is received; before the next-level group extraction is sent, a timeout occurs because constructing the packet takes a long time due to the number of groups.

So the issue lies in the next-level group search filter: if you bind a user with no nested groups, or with fewer nested groups, it works.

We recommend disabling nested group extraction for users who are members of a large number of AD groups.