--On May 2, 2014 at 6:01:02 PM -0700 "Paul B. Henson" firstname.lastname@example.org wrote:
I've been testing the password policy module lately. I updated our development LDAP infrastructure Monday, basically loading and enabling the module, adding a default policy:
This explains why the accesslog was running out of space, it was full of these. It doesn't explain why the slapd process exploded in memory use, unless I suppose the steady-state memory usage of a slapd this busy processing replication is higher than one that's not quite so busy.
But I'm confused as to why loading the password policy module, for an account with a policy configured to pretty much not do anything, results in a modification of the CSN for every authentication?
I'm going to go peruse the source code to see if I can determine what's going on, but any expert opinions would be most welcome.
I would suggest (if you haven't) enabling sync replication logging (loglevel sync) in addition to whatever other loglevels you have. I've found it is possible to send MMR into an endless loop in some cases recently. I'm still working on the reproduction case for it, but it happens 100% of the time for a client of ours eventually.