--On Sunday, September 20, 2020 5:29 PM +0200 Stefan Kania stefan@kania-online.de wrote:
> first the provider:
>
> dn: olcBackend={0}mdb,cn=config
> objectClass: olcBackendConfig
> olcBackend: {0}mdb
The above block is generally unnecessary (there is one config parameter in OpenLDAP 2.5 that requires being set in this block, but nothing in 2.4).
> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcFrontendConfig
> olcDatabase: {-1}frontend
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
> olcAccess: {1}to dn.exact="" by * read
> olcAccess: {2}to dn.base="cn=subschema" by * read
> olcSizeLimit: 500
You've set a server sizelimit of 500 entries, but you don't exclude the replication user from this limit in the primary db, which is invalid. The replication user *must* be able to read both the primary and accesslog db on the provider with no sizelimit or timelimit restrictions. You have set the limits to unlimited for the accesslog db, but haven't handled this for the primary db. See the limits/olcLimits directive for how to make it so specific user(s) bypass the server limit.
> dn: olcDatabase={1}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbCheckpoint: 512 30
As documented in the slapd-mdb(5) man page, the first value in the checkpoint parameter does nothing; you can leave it at 0.
> olcSpSessionlog: 300
How many total entries do you have in your database? You generally need a sessionlog that can hold as many entries as you expect to be changed in case of a REFRESH fallback to avoid ITS#8125.
> olcToolThreads: 1
Unless you're on a single-core, single-CPU system, you should set the tool threads to 2.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
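The three corrections above, written as one ldapmodify LDIF against the quoted {1}mdb provider database. This is an added example and not part of the thread; the replication identity cn=replicator,dc=example,dc=com is an assumed placeholder for whatever DN the consumer actually binds as.

```ldif
# Assumption: the consumer binds to the provider as cn=replicator,dc=example,dc=com
# (placeholder; substitute the real replication identity).
# 1. Exempt the replication identity from the server-wide olcSizeLimit (500)
#    on the primary db; the quoted config only does this for the accesslog db.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
# 2. slapd-mdb(5) ignores the first checkpoint value; keep only the 30-minute interval.
replace: olcDbCheckpoint
olcDbCheckpoint: 0 30
-
# 3. Use two tool threads unless the host is single-core.
replace: olcToolThreads
olcToolThreads: 2
```

Apply it over the ldapi socket as root (the peercred ACL in the quoted frontend config grants that identity manage access): `ldapmodify -Y EXTERNAL -H ldapi:/// -f provider-fixes.ldif`, then confirm with a bind as the replication DN that a search of the primary db returns more than 500 entries without a sizelimit error.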