Forum Discussion

Chris_Swinford_
Sep 28, 2015

Max length of LDAP attribute in queries to Active Directory?

Hi all,

I'm working with multiple Active Directory domains (same forest) containing users, but the APM I'm configuring does not have access to any global catalog servers. An APM policy is configured to authorize users from any of the domains by checking for their membership in a universal group, which exists in one domain. The APM is permitted to reach domain controllers in that one domain.

To perform authorization, we bind to the group in an LDAP Query action and check the member attribute in a branch rule with the following expression:

expr { [string tolower "[mcget {session.ldap.last.attr.member}]"] contains [string tolower "[mcget {session.logon.last.username}]"] }

My question is, is there a limit to the size of the response along the way, in case the membership of the group grows quite large? I'm unaware of any specific limits on LDAP responses, but want to check on the AD and F5 sides. Might the domain controller truncate its response at a certain size, might the F5 truncate the response received above a certain point, or might I run into issues if the size of the member attribute is too large to grep/"contains" for my username?

Short of gaining access to a global catalog (which is not an option in the short term) and binding to users to check memberOf, or checking all three domain controllers in a cascading/waterfall configuration, are there any other alternatives you have seen to accomplish this?

Thanks, Chris

No replies.
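As an added illustration (not the poster's code and not F5 APM's own behaviour), here is a Python model of the branch-rule check above. It reassembles Active Directory's ranged chunks of a multi-valued attribute (AD returns `member;range=0-1499`, `member;range=1500-*`, ... when a value count exceeds the MaxValRange limit, 1500 by default on current domain controllers) and contrasts the substring `contains` test with an exact match on each member DN's first RDN. The group entry and usernames are constructed samples; the assumption that the CN equals the logon name follows the post's own approach.

```python
import re

# Constructed sample of a group search result, modelling AD ranged retrieval.
# The final chunk ends in "*"; a missing "*" chunk means more values remain.
GROUP_ENTRY = {
    "member;range=0-1": [
        "CN=jdoe,OU=Users,DC=alpha,DC=example",
        "CN=jdoe2,OU=Users,DC=beta,DC=example",
    ],
    "member;range=2-*": [
        "CN=asmith,OU=Admins,DC=gamma,DC=example",
    ],
}

RANGE_RE = re.compile(r"^member(?:;range=(\d+)-(\d+|\*))?$", re.IGNORECASE)


def collect_members(entry):
    """Merge plain and ranged 'member' attributes into one list, ordered by range start."""
    chunks = []
    for name, values in entry.items():
        m = RANGE_RE.match(name)
        if m:
            start = int(m.group(1)) if m.group(1) else 0
            chunks.append((start, list(values)))
    return [dn for _, vals in sorted(chunks) for dn in vals]


def has_incomplete_range(entry):
    """True when ranged chunks are present but none is the closing '*' chunk."""
    ranged = [n for n in entry if ";range=" in n.lower()]
    return bool(ranged) and not any(n.endswith("*") for n in ranged)


def rdn_value(dn):
    """First RDN value of a DN, e.g. 'jdoe' from 'CN=jdoe,OU=...' (handles escaped commas)."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    return first.split("=", 1)[1].strip().lower()


def is_member_substring(entry, username):
    """The post's check: case-insensitive substring over the whole flattened attribute."""
    return username.lower() in " ".join(collect_members(entry)).lower()


def is_member_exact(entry, username):
    """Stricter check: the logon name must equal a member DN's first RDN value."""
    return any(rdn_value(dn) == username.lower() for dn in collect_members(entry))
```

The substring form also matches fragments of other users' names or of OU/DC components, which the exact form does not.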