On 21.09.20 at 22:09, Quanah Gibson-Mount wrote:
--On Sunday, September 20, 2020 5:29 PM +0200 Stefan Kania stefan@kania-online.de wrote:
first the provider:
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb
The above block is generally unnecessary (There is one config parameter in OpenLDAP 2.5 that requires being set in this block, but nothing in 2.4).
Ok, but this is from the default settings of the Debian packages.
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcSizeLimit: 500
You've set a server sizelimit of 500 entries, but you don't exclude the replication user from this limit in the primary db, which is invalid. The replication user *must* be able to read both the primary and accesslog db on the provider with no sizelimit or timelimit restrictions. You have set the limits to unlimited for the accesslog db, but haven't handled this for the primary db. See the limits/olcLimits directive for how to make it so specific user(s) bypass the server limit.
Yes, I know; in the final playbook I will set the limit for the repl-user and ldap-admin. The first step was getting the playbook with delta-syncrepl running.
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbCheckpoint: 512 30
As documented in the slapd-mdb(5) man page, the first value in the checkpoint parameter does nothing, you can leave it at 0.
Ok, I'll change this too. This will be a variable to change in the final version.
olcSpSessionlog: 300
How many total entries do you have in your database? You generally need a sessionlog that can hold as many entries as you expect to be changed in case of a REFRESH fallback to avoid ITS#8125.
This is just a test setup; it's managed via a variable that can be changed before running the playbook.
olcToolThreads: 1
Unless you're on a single core, single cpu system, you should set the tool threads to 2.
It's just a single-core VM on my system at home; this one will also be set via a variable in the final version.
Thank you for the hints.
Stefan
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
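As an added example (not part of the thread, and not from either poster's playbook or config): the olcLimits change Quanah points to for the primary db, which lets the replication identity read the whole database even though the frontend sets olcSizeLimit to 500. The replication DN cn=repl-user,dc=example,dc=com and the suffix dc=example,dc=com are assumptions; the thread does not show which identity the consumers bind with.

```ldif
# Added example, not from the thread. Exempt the replication identity from
# the server-wide size/time limits on the primary database ({1}mdb in the
# posted config). The DN below is an assumed placeholder: use the binddn
# that the consumers' olcSyncrepl statements actually authenticate with.
# olcLimits is evaluated first-match, so the {0} index puts this rule
# ahead of any limits rules that already exist on the database.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: {0}dn.exact="cn=repl-user,dc=example,dc=com" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited

# The same exemption is needed on the accesslog database used by
# delta-syncrepl. The thread says it is already unlimited there; if it
# were not, the entry would be the accesslog's olcDatabase={N}mdb,cn=config
# (its index is not shown in the thread) with an identical olcLimits value.
```

With the posted frontend ACL, the root peercred identity has manage rights, so this can be applied locally with `ldapmodify -Y EXTERNAL -H ldapi:/// -f limits.ldif` and checked with `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' -s base olcLimits`. The practical test is a consumer-side one: bind as the replication DN and search the whole suffix; if the result is cut off with "Size limit exceeded" once the database has more than 500 entries, the limit is still being applied and a REFRESH would replicate an incomplete tree.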