2014-02-11 19:59 GMT+01:00 Cyril Grosjean <cgrosjean(a)janua.fr>:
I use a couple of OpenLDAP 2.4.36 servers in a multi-master replication
Write operations are sent to a single server, and then replicated to the
I sometimes have write operations "peaks" of about 900 operations
(modifications of the pwdFailureTime attribute mainly) per hour.
The number of bind failures per user is neither limited nor reset yet and
I especially noticed a script that connects to the directory with the
same service account and (wrong) password. So, until this script is
modified with the right password (which will take time, unfortunately),
it can generate tons of failures, and thus tons of replications.
I noticed a several minutes replication delay between the directories, at
peak time, when comparing the contextCSN attributes.
It looks to me like a big delay with regard to the number of modifications.
Anything I could do to limit that delay?
You may face this bug: http://www.openldap.org/its/index.cgi?findid=7788
To limit pwdFailureTime, you have to attach a password policy to the account
with a max failure number, else the number of values will grow over time.
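As an added example (not code from either poster), a small Python check of the replication delay the quoted message measures by comparing contextCSN values; it assumes you have already read the contextCSN values from the suffix entry of each server, and the sample values below are constructed:

```python
from datetime import datetime, timezone

# Constructed sample values: the contextCSN attribute of the suffix entry as read
# from two multi-master servers. Each server keeps one value per replica
# server ID (SID), so the per-SID timestamps can be compared directly.
SERVER_A_CSNS = [
    "20140211185900.123456Z#000000#001#000000",
    "20140211185430.000000Z#000000#002#000000",
]
SERVER_B_CSNS = [
    "20140211185630.654321Z#000000#001#000000",
    "20140211185430.000000Z#000000#002#000000",
]


def parse_csn(csn):
    """Split an OpenLDAP CSN 'timestamp#count#sid#mod' into typed parts.

    The timestamp is UTC with microseconds; count, sid and mod are hex.
    """
    ts, count, sid, mod = csn.split("#")
    when = datetime.strptime(ts, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    return when, int(count, 16), int(sid, 16), int(mod, 16)


def latest_by_sid(csns):
    """Map each SID to the newest change timestamp a server has seen for it."""
    seen = {}
    for csn in csns:
        when, _count, sid, _mod = parse_csn(csn)
        if sid not in seen or when > seen[sid]:
            seen[sid] = when
    return seen


def replication_lag(csns_a, csns_b):
    """Per-SID lag in seconds of server B behind server A.

    A positive value means B has not yet applied the newest change A knows
    for that SID; None means one side has never seen changes from that SID.
    """
    a, b = latest_by_sid(csns_a), latest_by_sid(csns_b)
    lag = {}
    for sid in a.keys() | b.keys():
        if sid in a and sid in b:
            lag[sid] = (a[sid] - b[sid]).total_seconds()
        else:
            lag[sid] = None
    return lag
```

Running the check periodically and alerting when any SID's lag exceeds a threshold gives an earlier warning than comparing the attribute by hand during a peak.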