2014-02-11 19:59 GMT+01:00 Cyril Grosjean <cgrosjean@janua.fr>:

I use a couple of OpenLDAP 2.4.36 servers in a multi-master replication setup.
Write operations are sent to a single server, and then replicated to the second one.

I sometimes have write operation "peaks" of about 900 operations (mainly modifications of the pwdFailureTime attribute) per hour.
The number of bind failures per user is neither limited nor reset yet, and I have especially noticed a script that connects to the directory with the same service account and (wrong) password. So, until this script is modified with the right password (which will take time, unfortunately), it can generate tons of failures, and thus tons of replications.

I noticed a replication delay of several minutes between the directories at peak time, when comparing the contextCSN attributes.
It looks like a big delay to me with regard to the number of modifications. Is there anything I could do to limit that delay?
You may face this bug: http://www.openldap.org/its/index.cgi?findid=7788

To limit pwdFailureTime, you have to attach a password policy to the account with a maximum failure count, else the number of values will grow over time.

Clément.
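One way to quantify the contextCSN delay Cyril describes, as an added example that is not part of the thread: parse each server's contextCSN values (OpenLDAP's `<timestamp>Z#<count>#<sid>#<mod>` layout), keep the newest per serverID, and report how far the consumer trails the provider. The CSN values below are constructed; in practice each list would come from `ldapsearch -s base -b <suffix> contextCSN` run against each server.

```python
import re
from datetime import datetime, timezone

# OpenLDAP 2.4 CSN layout: YYYYmmddHHMMSS.ffffffZ#count#sid#mod
# (count and mod are 6 hex digits, sid is 3 hex digits).
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)

# Constructed sample values: the provider (write server) holds a CSN for its own
# serverID 001 and for the consumer's serverID 002; the consumer still carries
# a 5 minute old copy of the provider's CSN.
PROVIDER_CSNS = [
    "20140211185900.000000Z#000000#001#000000",
    "20140211185000.000000Z#000000#002#000000",
]
CONSUMER_CSNS = [
    "20140211185400.000000Z#000000#001#000000",
    "20140211185000.000000Z#000000#002#000000",
]


def parse_csn(csn):
    """Split a CSN into its timestamp (UTC), change count, serverID and modifier."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    ts, frac, count, sid, mod = m.groups()
    when = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(
        microsecond=int(frac), tzinfo=timezone.utc
    )
    return {"time": when, "count": int(count, 16), "sid": int(sid, 16), "mod": int(mod, 16)}


def latest_per_sid(csns):
    """Keep only the most recent CSN seen for each serverID."""
    out = {}
    for c in csns:
        p = parse_csn(c)
        cur = out.get(p["sid"])
        if cur is None or (p["time"], p["count"]) > (cur["time"], cur["count"]):
            out[p["sid"]] = p
    return out


def replication_lag(provider_csns, consumer_csns):
    """Seconds by which the consumer trails the provider, per serverID.
    None means the consumer has never received a change from that serverID."""
    prov, cons = latest_per_sid(provider_csns), latest_per_sid(consumer_csns)
    return {
        sid: None if sid not in cons
        else max(0.0, (p["time"] - cons[sid]["time"]).total_seconds())
        for sid, p in prov.items()
    }
```

Running `replication_lag(PROVIDER_CSNS, CONSUMER_CSNS)` on the sample data reports a 300 second lag for serverID 1 and none for serverID 2.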