diff --git a/changelog/20453.txt b/changelog/20453.txt
new file mode 100644
index 000000000000..e605791bc6b5
--- /dev/null
+++ b/changelog/20453.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/ldap: Set default value for `max_page_size` properly
+```
diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
index 470de59f1eb1..c3562a5d406d 100644
--- a/sdk/helper/ldaputil/client.go
+++ b/sdk/helper/ldaputil/client.go
@@ -553,7 +553,7 @@ func (c *Client) GetLdapGroups(cfg *ConfigEntry, conn Connection, userDN string,
 if cfg.UseTokenGroups {
 entries, err = c.performLdapTokenGroupsSearch(cfg, conn, userDN)
 } else {
- if paging, ok := conn.(PagingConnection); ok && cfg.MaximumPageSize >= 0 {
+ if paging, ok := conn.(PagingConnection); ok && cfg.MaximumPageSize > 0 {
 entries, err = c.performLdapFilterGroupsSearchPaging(cfg, paging, userDN, username)
 } else {
 entries, err = c.performLdapFilterGroupsSearch(cfg, conn, userDN, username)
diff --git a/sdk/helper/ldaputil/config.go b/sdk/helper/ldaputil/config.go
index 0313817aedf4..dfa34daddfd0 100644
--- a/sdk/helper/ldaputil/config.go
+++ b/sdk/helper/ldaputil/config.go
@@ -9,7 +9,6 @@ import (
 "encoding/pem"
 "errors"
 "fmt"
- "math"
 "strings"
 "text/template"
 
@@ -255,8 +254,8 @@ Default: ({{.UserAttr}}={{.Username}})`,
 
 "max_page_size": {
 Type: framework.TypeInt,
- Description: "The maximum number of results to return for a single paged query. If not set, the server default will be used for paged searches. A requested max_page_size of 0 is interpreted as no limit by LDAP servers. If set to a negative value, search requests will not be paged.",
- Default: math.MaxInt32,
+ Description: "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.",
+ Default: 0,
 },
 }
 }
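Review bot: The new guard `cfg.MaximumPageSize > 0` in GetLdapGroups now routes both the 0 default and every negative value to the unpaged search, but nothing at the call site says so, and a reader comparing it with the upgrade notes in this same commit (`max_page_size=-1`) will wonder whether -1 and 0 behave differently. Add above the `if`: `// Page only when a positive page size is configured; 0 (the default) and negative values fall back to an unpaged search.` Separately, a config entry that was written while the default was math.MaxInt32 presumably still carries 2147483647 in storage and will keep taking the paging branch, since this hunk changes the comparison rather than any stored value — worth confirming against the config load path, which is outside this hunk. GetLdapGroups starts and ends outside the hunk.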
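Review bot: The rewritten `max_page_size` Description in config.go only states what happens for values greater than 0 and then says "Otherwise, the LDAP backend will not use the paged search control", while the upgrade guides added in this commit tell operators to set `max_page_size=-1`; the field text should make the boundary explicit, e.g. append `A value of 0 (the default) or any negative value disables paged searching.` so that an operator reading `vault path-help` knows -1 and 0 are equivalent. Within this diff the only test touched is the config_test.go fixture (`"max_page_size": 0`); nothing asserts that 0 or a negative value selects the unpaged branch, which is the behaviour the changelog entry promises, so a small test on GetLdapGroups' branch selection would pin the fix. The field-schema function enclosing this hunk starts outside it.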
diff --git a/sdk/helper/ldaputil/config_test.go b/sdk/helper/ldaputil/config_test.go
index 1fd96385c3e7..b7fd22ccbb2d 100644
--- a/sdk/helper/ldaputil/config_test.go
+++ b/sdk/helper/ldaputil/config_test.go
@@ -175,7 +175,7 @@ var jsonConfigDefault = []byte(`
 "request_timeout": 90,
 "connection_timeout": 30,
 "dereference_aliases": "never",
- "max_page_size": 2147483647,
+ "max_page_size": 0,
 "CaseSensitiveNames": false,
 "ClientTLSCert": "",
 "ClientTLSKey": ""
diff --git a/website/content/api-docs/auth/ldap.mdx b/website/content/api-docs/auth/ldap.mdx
index ccb42faf34cb..ba514d2f3e5f 100644
--- a/website/content/api-docs/auth/ldap.mdx
+++ b/website/content/api-docs/auth/ldap.mdx
@@ -35,8 +35,8 @@ This endpoint configures the LDAP auth method.
 names will be normalized to lower case. Case will still be preserved when sending the username to the LDAP server at login time; this is only for matching local user/group definitions.
-- `connection_timeout` `(integer: 30 or string: "30s")` - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
+- `connection_timeout` `(integer: 30 or string: "30s")` - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
 - `request_timeout` `(integer: 90 or string: "90s")` - Timeout, in seconds, for the connection when making requests against the server before returning back
@@ -97,11 +97,10 @@ This endpoint configures the LDAP auth method.
 - `dereference_aliases` `(string: never)` - When aliases should be dereferenced on search operations. Accepted values are 'never', 'finding', 'searching', 'always'. Defaults to 'never'.
-- `max_page_size` `(int: math.MaxInt32)` - If set to a value greater than 0, the LDAP
+- `max_page_size` `(int: 0)` - If set to a value greater than 0, the LDAP
 backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's
- maximum result size limit. A value of 0 will be interpreted by the LDAP server as unlimited. If set to -1, the LDAP backend will not use the
+ maximum result size limit. Otherwise, the LDAP backend will not use the
 paged search control.
 
 @include 'tokenfields.mdx'
diff --git a/website/content/docs/auth/ldap.mdx b/website/content/docs/auth/ldap.mdx
index cabb3769eb42..1e515d48058f 100644
--- a/website/content/docs/auth/ldap.mdx
+++ b/website/content/docs/auth/ldap.mdx
@@ -156,7 +156,7 @@ Use `vault path-help` for more details.
 ### Other
 
 - `username_as_alias` (bool, optional) - If set to true, forces the auth method to use the username passed by the user as the alias name.
-- `max_page_size` (int, optional) - The maximum number of results to return for a single LDAP query. This is useful for preventing large queries from being run against the LDAP server. The default is the maximum value for an int32.
+- `max_page_size` (int, optional) - If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.
 
 ## Examples:
 
diff --git a/website/content/docs/upgrading/upgrade-to-1.11.x.mdx b/website/content/docs/upgrading/upgrade-to-1.11.x.mdx
index e9d70c358993..f288e7af1a92 100644
--- a/website/content/docs/upgrading/upgrade-to-1.11.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.11.x.mdx
@@ -27,4 +27,19 @@ API path by setting the [bool config option](/vault/api-docs/secret/databases/el
 @include 'raft-retry-join-failure.mdx'
-@include 'tokenization-rotation-persistence.mdx'
\ No newline at end of file
+@include 'tokenization-rotation-persistence.mdx'
+
+### LDAP Pagination Issue
+
+There was a regression introduced in 1.11.10 relating to LDAP maximum page sizes, resulting in
+an error `no LDAP groups found in groupDN [...] only policies from locally-defined groups available`. The issue
+occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration. As a workaround, disable paged searching using the following:
+```shell-session
+vault write auth/ldap/config max_page_size=-1
+```
+
+#### Impacted Versions
+
+Affects Vault 1.11.10.
diff --git a/website/content/docs/upgrading/upgrade-to-1.12.x.mdx b/website/content/docs/upgrading/upgrade-to-1.12.x.mdx
index ede60be52da7..7cd1387e14f8 100644
--- a/website/content/docs/upgrading/upgrade-to-1.12.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.12.x.mdx
@@ -152,7 +152,7 @@ It will produce errors in Vault Server's logs such as:
 error=
 | 1 error occurred:
 | * panic generating audit log
- |
+ |
 ```
 
 As a workaround, [listing plugins by type](/vault/api-docs/system/plugins-catalog#list-plugins-1)
@@ -184,3 +184,18 @@ Affects version 1.12.3. A fix will be released in 1.12.4.
 @include 'tokenization-rotation-persistence.mdx'
 @include 'ocsp-redirect.mdx'
+
+### LDAP Pagination Issue
+
+There was a regression introduced in 1.12.6 relating to LDAP maximum page sizes, resulting in
+an error `no LDAP groups found in groupDN [...] only policies from locally-defined groups available`. The issue
+occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration. As a workaround, disable paged searching using the following:
+```shell-session
+vault write auth/ldap/config max_page_size=-1
+```
+
+#### Impacted Versions
+
+Affects Vault 1.12.6.
diff --git a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
index aa97f70fcf5d..764a0f850440 100644
--- a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
@@ -107,6 +107,20 @@ accommodates the default minimum duration of an STS token and overrides the defa
 
 Affects Vault 1.13.0 only.
 
+### LDAP Pagination Issue
+
+There was a regression introduced in 1.13.2 relating to LDAP maximum page sizes, resulting in
+an error `no LDAP groups found in groupDN [...] only policies from locally-defined groups available`. The issue
+occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration. As a workaround, disable paged searching using the following:
+```shell-session
+vault write auth/ldap/config max_page_size=-1
+```
+
+#### Impacted Versions
+
+Affects Vault 1.13.2.
 ### PKI Cross-Cluster Revocation Requests and Unified CRL/OCSP