Hi all,
I cannot apply a limits directive to my slapd.conf. I need a user (cn=replicator,ou=AppUsers,dc=company,dc=net) to have read access to all entries of a database. The global sizelimit (1000) seems to override any other database directive. Each ldapsearch returns "4 Size limit exceeded".
OpenLDAP version: 2.4.42. Here is a sample of my slapd.conf:
...
# Define global ACLs to disable default read access.

sizelimit 1000
timelimit 5

tool-threads 8

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

#######################################################################
# database definitions
#######################################################################

#########################################
# Directories DATABASE
#########################################
database mdb
suffix "ou=Directories,dc=company,dc=net"
subordinate
checkpoint 1024 5
dbnosync
maxsize 10737418240
envflags writemap
rootdn "cn=admin,dc=company,dc=net"

# Mode 700 recommended.
directory /var/lib/openldap/ldap

# acl
authz-regexp uid=([^,]*),cn=digest-md5,cn=auth
    ldap:///ou=company,dc=company,dc=net??sub?(&(objectclass=psnDirectoryContact)(cli=sipdefault:$1))

access to *
    by dn.exact="cn=replicator,ou=AppUsers,dc=company,dc=net" write
    by * break

...........

access to dn.sub="ou=AppUsers,dc=company,dc=net" attrs=userpassword
    by anonymous auth
    by * none

# Indices to maintain
index cn,dc,sn,uid,mail,telephoneNumber pres,eq,sub
index arecord,description eq
index objectClass,macAddress,custID,locationID,zoneGroupPrefix,entryUUID,entryCSN pres,eq

# Sync Repl
overlay syncprov
# all standard entries in the accesslog that were successful
syncrepl rid=0
    provider=ldap://
    bindmethod=simple
    binddn="cn=user,ou=login,cn=system"
    credentials=secret
    searchbase="ou=Directories,dc=company,dc=net"
    logbase="cn=accesslog_directories"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog

#limits
limits dn.exact="cn=replicator,ou=AppUsers,dc=company,dc=net" size=unlimited time=unlimited

....
Thanks in advance.
You have shown us what the syncrepl, sizelimit and limits look like on your consumer. Have you got that limits directive also set up on your provider? It is the provider that needs to allow your replication DN to obtain unlimited entries.
Hello Frank,
Nope, the limits directives are unlimited on the provider.
First of all, I need to have access to all of the entries on the consumers, in order to check entryCSN between provider and consumers. I use the Python script check_syncrepl_extended, which needs to bind to provider and consumer via the same DN. That's why I could not use rootdn (not the same between slapd servers).
Thank you.
On 26/07/2016 at 19:09, Frank Swasey wrote:
You have shown us what the syncrepl, sizelimit and limits look like on your consumer. Have you got that limits directive also set up on your provider? It is the provider that needs to allow your replication DN to obtain unlimited entries.
On Mon, 25 Jul 2016 13:23:50 +0200, Maily Peng mpeng@keyyo.com wrote:
Hi all,
I cannot apply a limits directive to my slapd.conf. I need a user (cn=replicator,ou=AppUsers,dc=company,dc=net) to have read access to all entries of a database. The global sizelimit (1000) seems to override any other database directive. Each ldapsearch returns "4 Size limit exceeded".
[...]
Read slapd.conf(5), section GENERAL DATABASE OPTIONS.
Within a database declaration you may set
    limits dn.base=cn=replicator,..... size=unlimited time=unlimited
and within a syncrepl configuration
    sizelimit=unlimited timelimit=unlimited
Note that syncrepl is an LDAP client, thus some parameters from ldap.conf(5) might be applicable.
-Dieter
openldap-technical@openldap.org
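An added example, not part of any poster's message and not OpenLDAP code: a small Python audit that can be run over the slapd.conf text of both provider and consumer to report the global sizelimit and, per database section, whether a limits line grants the replication DN its own size limit. The function names and the sample configuration are constructed for illustration; the sketch assumes literal dn.exact/dn.base patterns only and compares DNs case-insensitively without full normalisation.

```python
import re

# Constructed sample modelled on the thread's configuration (not a real server's file).
SAMPLE = '''\
sizelimit 1000
timelimit 5
database mdb
suffix "ou=Directories,dc=company,dc=net"
limits dn.exact="cn=replicator,ou=AppUsers,dc=company,dc=net"
    size=unlimited time=unlimited
database mdb
suffix "dc=company,dc=net"
'''

def logical_lines(text):
    """Drop comments/blank lines and join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit_limits(conf_text, bind_dn):
    """Return (global sizelimit, [(suffix, size granted to bind_dn or None), ...])."""
    global_size, dbs = "500", []  # slapd.conf(5): the default size limit is 500
    for line in logical_lines(conf_text):
        parts = line.split(None, 1)
        key, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "database":
            dbs.append({"suffix": None, "size": None})
        elif key == "sizelimit" and not dbs:
            global_size = rest  # assumption: only a sizelimit before the first database is global
        elif dbs and key == "suffix" and dbs[-1]["suffix"] is None:
            dbs[-1]["suffix"] = rest.strip('"')
        elif dbs and key == "limits" and dbs[-1]["size"] is None:
            # Only literal dn.exact / dn.base patterns are recognised in this sketch.
            m = re.match(r'dn\.(?:exact|base)=(?:"([^"]+)"|(\S+))\s+(.*)', rest, re.I)
            if m and (m.group(1) or m.group(2)).lower() == bind_dn.lower():
                size = re.search(r'\bsize(?:\.soft)?=(\S+)', m.group(3))
                dbs[-1]["size"] = size.group(1) if size else None
    return global_size, [(d["suffix"], d["size"]) for d in dbs]

if __name__ == "__main__":
    print(audit_limits(SAMPLE, "cn=replicator,ou=AppUsers,dc=company,dc=net"))
```

A database reported with `None` has no size override for that DN in the file, so searches against it by that DN fall under the reported sizelimit.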