I was trying to set up replication using syncrepl with OpenLDAP 2.4.11 on two machines running RHEL 5.0.
The provider has approximately 1000 entries in the directory.
On the consumer side, I am getting the following error after synchronization of around 500 records.
Oct 14 16:35:59 osmvm2 slapd2.4[11727]: syncrepl_entry: rid=001 cn=Delfin Labarge,ou=Payroll,dc=example,dc=com
Oct 14 16:35:59 osmvm2 slapd2.4[11727]: syncrepl_entry: rid=001 be_add (0)
Oct 14 16:35:59 osmvm2 slapd2.4[11727]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT
Oct 14 16:35:59 osmvm2 slapd2.4[11727]: do_syncrep2: rid=001 (4) Size limit exceeded
I am using "refreshOnly" syncrepl in the consumer.
The syncrepl user DN is uid=syncrepl,ou=System,dc=example,dc=com
and I added this DN as a member of a group called LDAPAdmins (cn=LDAPAdmins,ou=Groups,dc=example,dc=com).
slapd.conf configuration at the consumer end is as follows:
# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
limits group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited

# SyncRepl slave configuration
syncrepl rid=001
        provider=ldap://16.167.10.25
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=example,dc=com"
        binddn="uid=syncrepl,ou=System,dc=example,dc=com"
        credentials=secret
        timelimit=unlimited
        sizelimit=unlimited
slapd.conf configuration at the provider is as follows:
# Global ACL for replication
access to *
        by group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" read
        by anonymous read

# syncprov
index entryCSN,entryUUID eq

# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
limits group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited

# ACL ensuring replicator has write access
access to *
        by group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" write
        by * read

# syncprov overlay configuration
overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100
Any pointers would be appreciated. If someone needs more information about the environment, please let me know.
Thanks & Regards, Karthik
Karthik Dathathri wrote:
slapd.conf configuration at the consumer end is as follows:
# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
limits group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited
AFAIK, this is useless: syncrepl runs as rootdn on consumer side.
# ACL ensuring replicator has write access
access to *
        by group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" write
        by * read
Your syncrepl ID doesn't need write access, and if you store passwords in your directory, they are fully exposed...
None of the above answers your problem, though.
On Tuesday 14 October 2008 13:18:37 Karthik Dathathri wrote:
slapd.conf configuration at the consumer end is as follows:
This is irrelevant, searches are done against the provider, not the consumer.
slapd.conf configuration at the provider is as follows:
# Global ACL for replication
access to *
        by group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" read
        by anonymous read
So, access to * by * read would work, and you can't be sure that your group is working from the ACLs ....
# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
limits group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited
So, if you do a search as your uid=syncrepl DN (with ldapsearch), how many entries do you get, and what result code do you get?
# ACL ensuring replicator has write access
Syncrepl does not require that any replication DN has write access anywhere ...
access to *
        by group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" write
        by * read
It's possible to test some of your configuration manually, which I would normally do *first* (before configuring the consumer).
Regards, Buchan
Hi Buchan,
Thanks for your response. I will test my configuration manually. Maybe I have overlooked some of the configuration directives.
Thanks & Regards, Karthik Dathathri
-----Original Message-----
From: Buchan Milne bgmilne@staff.telkomsa.net
To: openldap-software@openldap.org
Cc: Karthik Dathathri karthikd@aol.in
Sent: Mon, 20 Oct 2008 1:47 pm
Subject: Re: OpenLDAP 2.4 syncrepl - Size limit exceeded error in consumer end
Hi Buchan,
As you mentioned, I tested the configuration manually in the provider:
I removed all the earlier ACL settings in slapd.conf of provider and just added the global ACL below:
access to * by * read
When I ran an ldapsearch query using -D "uid=syncrepl,ou=System,dc=example,dc=com" on the provider machine, I got the following result:
# ldapsearch2.4 -x -W -D "uid=syncrepl,ou=System,dc=example,dc=com" -b "dc=example,dc=com" mail uid givenName
<Entries snipped>
# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 501
# numEntries: 500
Thanks & Regards, Karthik Dathathri
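The manual test above (bind as the replication DN, search the whole base, read the result code) is worth scripting so it can be rerun after every limits or ACL change. The following is an added example, not code from this thread or from the OpenLDAP project. It builds a standard ldapsearch command line, parses the trailing "result:" and "# numEntries:" lines that ldapsearch prints, and distinguishes a server-side size limit (result 4) from entries hidden by ACLs (result 0 but fewer entries than the provider holds). The SAMPLE_OUTPUT is constructed to match the tail shown in the message above; the expected entry count (1000, from the original post) is passed in by the caller. The client-side -z option is left unset, so a result 4 comes from the server unless ldap.conf sets SIZELIMIT.

```python
"""Replication-DN read check (added example; not code from the thread).

Reproduces the manual test suggested in the thread: bind as the syncrepl DN,
search the whole replication base on the provider, and look at the result
code ldapsearch prints. Result 4 (sizeLimitExceeded) means a server-side
limits/sizelimit cut the search short; result 0 with fewer entries than the
provider holds points at ACLs hiding entries instead. The argv builder uses
only standard ldapsearch options; "1.1" asks for no attributes so the test
is cheap. SAMPLE_OUTPUT is constructed to match the tail shown in the thread.
"""
import re
import subprocess

LDAP_SUCCESS = 0
LDAP_SIZELIMIT_EXCEEDED = 4

RESULT_RE = re.compile(r"^result: (\d+)", re.MULTILINE)
NUM_ENTRIES_RE = re.compile(r"^# numEntries: (\d+)", re.MULTILINE)


def build_ldapsearch_cmd(uri, binddn, base):
    """argv for the manual test; -W prompts for the password so it never
    lands in shell history or `ps` output."""
    return ["ldapsearch", "-x", "-H", uri, "-D", binddn, "-W",
            "-b", base, "-s", "sub", "(objectClass=*)", "1.1"]


def parse_ldapsearch(output):
    """Return (result_code, entries_returned) from ldapsearch's LDIF output."""
    m = RESULT_RE.search(output)
    code = int(m.group(1)) if m else None
    m = NUM_ENTRIES_RE.search(output)
    entries = int(m.group(1)) if m else 0
    return code, entries


def assess(output, expected_entries):
    """Classify the outcome of a full-tree search done as the replication DN."""
    code, entries = parse_ldapsearch(output)
    if code == LDAP_SIZELIMIT_EXCEEDED:
        verdict = (f"size limit hit after {entries} of {expected_entries} entries: "
                   "the provider's limits clause does not match this DN")
    elif code == LDAP_SUCCESS and entries < expected_entries:
        verdict = (f"only {entries} of {expected_entries} entries visible: "
                   "check the provider ACLs for this DN")
    elif code == LDAP_SUCCESS:
        verdict = "ok: whole tree readable, no limit hit"
    else:
        verdict = f"unexpected ldapsearch result code {code}"
    ok = code == LDAP_SUCCESS and entries >= expected_entries
    return {"code": code, "entries": entries, "ok": ok, "verdict": verdict}


def run_check(uri, binddn, base, expected_entries):
    """Run the real ldapsearch; needs a reachable provider, so not run offline."""
    proc = subprocess.run(build_ldapsearch_cmd(uri, binddn, base),
                          capture_output=True, text=True)
    return assess(proc.stdout, expected_entries)


# Constructed sample: 500 entries returned, then the server-side limit.
SAMPLE_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: 1.1
#

# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 501
# numEntries: 500
"""

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT, expected_entries=1000)["verdict"])
```

Run it against the real provider with run_check("ldap://16.167.10.25", "uid=syncrepl,ou=System,dc=example,dc=com", "dc=example,dc=com", 1000); the expected count can be taken from a search done as the rootdn, which is not subject to limits. A passing check before the consumer is configured rules out the provider side of the problem.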
On Wed, Oct 22, 2008 at 11:17 PM, Karthik Dathathri karthikd@aol.in wrote:
Why don't you try:
limits dn.exact="uid=syncrepl,ou=System,dc=example,dc=com" size=unlimited time=unlimited
As a test on the provider, maybe your group is not being expanded as you expect.
Group syntax seen elsewhere on this list has looked more like:
limits group/groupOfUniqueNames/uniqueMember="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited
I'd suggest trying the test again with the dn.exact one first, and if that works then try the other.
Cheers, Brett
Brett @Google wrote:
Group syntax seen elsewhere on this list has looked more like:
The group syntax is already documented in slapd.conf(5). No need to tell what it's "sort of like as seen on this list" - tell precisely what it is.
limits group/groupOfUniqueNames/uniqueMember="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited
As noted in slapd.conf(5) the default objectclass and attribute are groupOfNames and member, respectively. groupOfUniqueNames and uniqueMember are totally bogus in LDAP.
I think there is a bug in OpenLDAP, because I could solve this issue just by putting this in my slapd.conf:
limits anonymous size.soft=50 size.hard=100 size.unchecked=32767 time.soft=15 time.hard=60
sizelimit unlimited
As you can see, I have to put "sizelimit unlimited" for all users, which is bad.
The following configuration doesn't work for me either:
limits dn.exact="cn=replicator,dc=domain,dc=com" size.soft=unlimited size.hard=unlimited size.unchecked=unlimited time.soft=unlimited time.hard=unlimited
limits users size.soft=50 size.hard=100
limits anonymous size.soft=50 size.hard=50
Quoting Howard Chu hyc@symas.com:
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Hi Brett,
I was on vacation for the past few days. That's why I couldn't check my e-mails. Thanks for your tips. Somehow, your e-mail didn't get delivered to my AOL mail inbox :-(
I checked your mail from openldap-software mailing list archives after seeing reply from Howard.
Both of the limits configurations (dn.exact, group/groupOfUniqueNames/uniqueMember) you suggested worked for me like a charm. That was really helpful.
Howard,
I tried the following syntaxes
limits group/groupOfNames/member = "cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited
and
limits group/groupOfNames/member.exact="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited
But it didn't work. I was still getting the same "Limit exceeded" error when I tried ldapsearch with -D "uid=syncrepl,ou=System,dc=example,dc=com".
However, the one suggested by Brett
limits group/groupOfUniqueNames/uniqueMember="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited
worked without any issues.
Thanks & Regards, Karthik Dathathri
-----Original Message-----
From: Howard Chu hyc@symas.com
To: Brett @Google brett.maxfield@gmail.com
Cc: openldap-software@openldap.org
Sent: Thu, 23 Oct 2008 5:17 am
Subject: Re: OpenLDAP 2.4 syncrepl - Size limit exceeded error in consumer end
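The outcome of the thread (the plain "limits group=" line never matched, the groupOfUniqueNames/uniqueMember and dn.exact forms did) follows from two rules in slapd.conf(5): the group selector defaults to objectClass groupOfNames and attribute member, and the first matching limits clause is the one applied. The model below is an added example written for this page, not OpenLDAP code, and it deliberately simplifies slapd (only the selectors used in the thread are handled, and the rootdn exemption is modelled as a plain DN comparison). DIRECTORY is a constructed stand-in for the poster's entries, with LDAPAdmins modelled as a groupOfUniqueNames because that is the form that worked for him; CONF_FIXED is an assumed corrected provider configuration that keeps the replication exemptions above bounded clauses for ordinary and anonymous users, rather than the global "sizelimit unlimited" the later poster resorted to.

```python
"""Model of slapd's 'limits' clause selection (added example; not OpenLDAP
code, and a simplification of what slapd does). It covers the selectors the
thread used: *, anonymous, users, dn.exact and group[/objectClass[/attr]].
Per slapd.conf(5) the group form defaults to objectClass groupOfNames and
attribute member, the first matching clause is the one applied, and the
rootdn is not subject to limits. DIRECTORY is a constructed stand-in for the
thread's entries, with LDAPAdmins modelled as a groupOfUniqueNames because
only the uniqueMember form worked for the poster.
"""
import re
from typing import Optional

# Constructed directory; attribute names and values are stored lower-case.
DIRECTORY = {
    "cn=ldapadmins,ou=groups,dc=example,dc=com": {
        "objectclass": {"top", "groupofuniquenames"},
        "uniquemember": {"uid=syncrepl,ou=system,dc=example,dc=com"},
    },
    "uid=syncrepl,ou=system,dc=example,dc=com": {"objectclass": {"account"}},
}

LIMITS_RE = re.compile(r'^limits\s+(\S+?)(?:="([^"]*)"|=(\S+))?\s+(.*)$')


def norm(dn):
    """Case-fold and strip blanks around RDN separators (enough for the model)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_limits(conf):
    """Return [(selector, pattern_or_None, limit_tokens)] for each limits line."""
    clauses = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.startswith("limits"):
            continue
        m = LIMITS_RE.match(line)
        if not m:
            raise ValueError(f"unparsable limits line: {line}")
        selector, quoted, bare, rest = m.groups()
        clauses.append((selector, quoted if quoted is not None else bare, rest.split()))
    return clauses


def group_matches(binddn, objectclass, attr, groupdn):
    """True if groupdn exists, carries objectclass, and lists binddn in attr."""
    group = DIRECTORY.get(norm(groupdn))
    if binddn is None or group is None:
        return False
    if objectclass.lower() not in group.get("objectclass", set()):
        return False
    return norm(binddn) in {norm(v) for v in group.get(attr.lower(), set())}


def clause_matches(selector, pattern, binddn):
    """binddn is None for an anonymous bind."""
    if selector == "*":
        return True
    if selector == "anonymous":
        return binddn is None
    if selector == "users":
        return binddn is not None
    if selector == "dn.exact":
        return binddn is not None and norm(binddn) == norm(pattern)
    parts = selector.split("/")
    if parts[0] == "group":
        objectclass = parts[1] if len(parts) > 1 else "groupOfNames"
        attr = parts[2] if len(parts) > 2 else "member"
        return group_matches(binddn, objectclass, attr, pattern)
    raise ValueError(f"selector not modelled: {selector}")


def select_limits(conf, binddn, rootdn=None) -> Optional[tuple]:
    """(matched selector, limit tokens) of the first matching clause, or None
    when nothing matches and the global sizelimit/timelimit apply."""
    if binddn is not None and rootdn is not None and norm(binddn) == norm(rootdn):
        return ("rootdn", ["unlimited"])
    for selector, pattern, tokens in parse_limits(conf):
        if clause_matches(selector, pattern, binddn):
            shown = f'{selector}="{pattern}"' if pattern else selector
            return (shown, tokens)
    return None


SYNCREPL_DN = "uid=syncrepl,ou=System,dc=example,dc=com"

# The provider line as posted: defaults to groupOfNames/member, so it never
# matches a groupOfUniqueNames and the replication DN falls back to the
# global sizelimit (500 by default, matching the 500 entries seen).
CONF_AS_POSTED = 'limits group="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited'

# Assumed corrected configuration: name the real objectClass/attribute,
# keep the exemptions above the catch-all clauses, bound everyone else.
CONF_FIXED = """
limits group/groupOfUniqueNames/uniqueMember="cn=LDAPAdmins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited
limits dn.exact="uid=syncrepl,ou=System,dc=example,dc=com" size=unlimited time=unlimited
limits users size.soft=50 size.hard=100
limits anonymous size.soft=50 size.hard=50
"""

if __name__ == "__main__":
    for name, conf in (("as posted", CONF_AS_POSTED), ("fixed", CONF_FIXED)):
        print(name, "->", select_limits(conf, SYNCREPL_DN))
```

The ordering matters as much as the selector: moving "limits users" above the replication clauses would give the syncrepl DN the 50/100 bound, because it is an authenticated user and first match wins. Checking the group's actual objectClass with ldapsearch before writing the limits line avoids the silent non-match the thread ran into.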