Following an organizational name change, GlobalProtect users report "Not-Authorized" errors when attempting to connect

Created On 02/06/25 13:00 PM - Last Modified 08/22/25 20:32 PM


Symptom


  • Firewalls are configured to query a single LDAP / LDAPS / Global Catalog server.
  • Users cannot connect to the GlobalProtect VPN after a User-ID name change in the organization, even though the renamed user IDs have propagated successfully in AD.
  • Users authenticate successfully but then receive the error "You are not authorized to connect to GlobalProtect Portal" on the portal.
  • The following logs are seen on the firewall.

useridd.log (less mp-log useridd.log):

Error: pan_ldap_search(pan_ldap.c:644): Server returned page control in query response before but didn't return this query response
Error: pan_ldap_do_search(pan_ldap.c:1062): pan_ldap_search() failed

System Logs (show log system) For LDAP:

Level: info userid ldap-u connect 0 ldap cfg <Group mapping name> connected to server <servername>:389, initiated by: <IP>
Level: medium userid ldap-u get-lda 0 ldap cfg <Group mapping name> failed to get info from server  <servername>:389

System Logs For LDAPS:

Level: info userid ldap-u connect 0 ldap cfg <Group mapping name> connected to server <servername>:636, initiated by: <IP>
Level: medium userid ldap-u get-lda 0 ldap cfg <Group mapping name> failed to get info from server  <servername>:636

System Logs For Global Catalog:

Level: info userid ldap-u connect 0 ldap cfg <Group mapping name> connected to server <servername>:3269, initiated by: <IP>
Level: medium userid ldap-u get-lda 0 ldap cfg <Group mapping name> failed to get info from server  <servername>:3269
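The two log sources above, taken together, distinguish this result-set-limit failure from an authentication failure: useridd.log shows the page-control error and the system log shows which group-mapping profile and server port failed. The following added example (not part of the article or of PAN-OS) runs that correlation over constructed sample lines modelled on the excerpts above; the profile names, hostnames and IP address are invented.

```python
import re

# Constructed sample lines modelled on the article's excerpts (not real firewall output).
USERIDD_LOG = """\
Error: pan_ldap_search(pan_ldap.c:644): Server returned page control in query response before but didn't return this query response
Error: pan_ldap_do_search(pan_ldap.c:1062): pan_ldap_search() failed
"""
SYSTEM_LOG = """\
Level: info userid ldap-u connect 0 ldap cfg GM-Corp connected to server dc01.example.test:636, initiated by: 10.0.0.1
Level: medium userid ldap-u get-lda 0 ldap cfg GM-Corp failed to get info from server  dc01.example.test:636
Level: info userid ldap-u connect 0 ldap cfg GM-GC connected to server dc01.example.test:3269, initiated by: 10.0.0.1
Level: medium userid ldap-u get-lda 0 ldap cfg GM-GC failed to get info from server  dc01.example.test:3269
Level: info userid ldap-u connect 0 ldap cfg GM-Branch connected to server dc02.example.test:389, initiated by: 10.0.0.1
"""

# Signatures taken from the log lines quoted in the Symptom section.
PAGE_CONTROL_RE = re.compile(r"pan_ldap_search\([^)]*\): Server returned page control")
GET_INFO_FAIL_RE = re.compile(
    r"ldap cfg (?P<cfg>.+?) failed to get info from server\s+(?P<server>\S+):(?P<port>\d+)")
PORT_NAMES = {"389": "LDAP", "636": "LDAPS", "3269": "Global Catalog"}


def count_page_control_errors(useridd_log: str) -> int:
    """Count paged-search failures reported by useridd."""
    return sum(1 for line in useridd_log.splitlines() if PAGE_CONTROL_RE.search(line))


def failing_group_mappings(system_log: str) -> list:
    """One record per group-mapping profile/server/port that logged 'failed to get info'."""
    seen = {}
    for line in system_log.splitlines():
        m = GET_INFO_FAIL_RE.search(line)
        if m:
            key = (m["cfg"], m["server"], m["port"])
            seen[key] = seen.get(key, 0) + 1
    return [{"cfg": cfg, "server": srv, "port": port,
             "protocol": PORT_NAMES.get(port, "unknown"), "failures": n}
            for (cfg, srv, port), n in sorted(seen.items())]


def diagnose(useridd_log: str, system_log: str) -> dict:
    """Page-control errors plus get-info failures point at the server's
    result-set limit, not at the user's credentials."""
    errors = count_page_control_errors(useridd_log)
    failing = failing_group_mappings(system_log)
    return {"page_control_errors": errors,
            "failing_group_mappings": failing,
            "result_set_limit_suspected": errors > 0 and len(failing) > 0}
```

The "connected to server" lines are deliberately ignored: a successful bind followed by a get-info failure is exactly the pattern the article describes, so only the failure lines are counted.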

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Group Mapping
  • LDAP / LDAPS / Global Catalog group mapping


Cause


  • The issue stems from the current group-mapping filters querying a large amount of data, more than the LDAP server's default maximum result size allows.
  • The group-mapping operation is left incomplete because the LDAP server cannot serve the full request once that size limit is exceeded.
  • The issue persists because the firewall keeps sending the same bulk queries to the LDAP server, and the LDAP server keeps answering with a "Page Control" error.
  • LDAP servers have a default limit on the amount of data they can hold for a single connection. When this limit is reached, the LDAP server logs an event indicating that it has exceeded the number of result sets it can maintain for one connection, and a stored result set is discarded.
  • Because the discarded result set can no longer be delivered, the firewall receives a "Page Control" error and cannot continue the paged LDAP search.


Resolution


  1. Increase the LDAP server's query result limit by an approximate amount, increase the LDAP server's capacity (VM resources such as CPU and memory), and check whether the issue is resolved.
  2. Configure a more efficient group-mapping filter on the firewall so that it queries less data.
  3. Contact the Microsoft team to determine the optimal Maximum Result Set Size value.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sdLpCAI&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail