Policy server fails to start with LDAP_ADMINLIMIT_EXCEEDED when using CA directory as Policy Store

Document ID : KB000007257
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

With CA Directory as Policy Store, The policy server is unable to start with the below message present in the smps log: 

[14787/4099335888][Fri Jun 23 2017 14:28:23][smldaputils.cpp:1540][ERROR][sm-Ldap-01630] Unable to search and fetch more data entries from the Data Store.  LDAP_ADMINLIMIT_EXCEEDED, Error has been detected.  Please re-configure the lookthrough parameter of your Directory Server, as suggested in your "Directory Server Manual" or bind the Directory Server with root dn to overcome this problem.  Ex : For Iplanet / Netscape, bind the Directory Server as "cn=Directory Manager" 

[14787/4099335888][Fri Jun 23 2017 14:28:23][smldaputils.cpp:1541][ERROR][sm-Ldap-01620] Terminating the server/process....

Environment:
CA Direcotry as Policy Store Policy server 12.51, 12.52, 12.6 and 12.7
Cause:

The error seen in the Policy Server smps log file is usually caused by the 'max-op-size' setting on the CA Directory side.

'max-op-size' limits is the number of entries that can be returned by a single search request. This is known as an administrative size limit.

The Policy Server on startup attempts to read all the objects from the policy store to cache the entire store.

If you have a large store, the 'max-op-size' defined can be reached which causes the Policy Server to fail on startup.

The  'max-op-size'  can be found under under the limit config file used by the DSA on the CA Directory side. 

Resolution:

The  'max-op-size'  can be found under under the limit config file used by the DSA on the CA Directory side. it needs to be increased to allow the Policy Server to get all the objects on startup.