--On Sunday, September 20, 2020 5:29 PM +0200 Stefan Kania
<[email protected]> wrote:
> first the provider:
> -------------------------
> dn: olcBackend={0}mdb,cn=config
> objectClass: olcBackendConfig
> olcBackend: {0}mdb

The above block is generally unnecessary (there is one config parameter in
OpenLDAP 2.5 that requires being set in this block, but nothing in 2.4).

> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcFrontendConfig
> olcDatabase: {-1}frontend
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
> olcAccess: {1}to dn.exact="" by * read
> olcAccess: {2}to dn.base="cn=subschema" by * read
> olcSizeLimit: 500

You've set a server sizelimit of 500 entries, but you don't exclude the
replication user from this limit in the primary db, which is invalid. The
replication user *must* be able to read both the primary and accesslog db
on the provider with no sizelimit or timelimit restrictions. You have set
the limits to unlimited for the accesslog db, but haven't handled this for
the primary db. See the limits/olcLimits directive for how to make it so
specific user(s) bypass the server limit.
> dn: olcDatabase={1}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbCheckpoint: 512 30

As documented in the slapd-mdb(5) man page, the first value in the
checkpoint parameter does nothing; you can leave it at 0.

> olcSpSessionlog: 300

How many total entries do you have in your database? You generally need a
sessionlog that can hold as many entries as you expect to be changed in
case of a REFRESH fallback to avoid ITS#8125.
> olcToolThreads: 1

Unless you're on a single-core, single-CPU system, you should set the tool
threads to 2.

Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
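As an added illustration (not part of Quanah's reply or of Stefan's posted config), here is one cn=config modification that applies the points above to the {1}mdb database: an olcLimits value so the replication identity bypasses the frontend olcSizeLimit of 500, the checkpoint with its ignored first value set to 0, and olcToolThreads raised to 2. The replication DN cn=replicator,dc=example,dc=com is an assumed placeholder for whatever binddn the consumer's syncrepl stanza uses; the sessionlog size is deliberately left untouched because it has to be derived from the number of entries expected to change, which the thread does not state.

```ldif
# Added example, not from the thread. cn=replicator,dc=example,dc=com is an
# assumed placeholder: substitute the DN the consumer actually binds with.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
# Let the replication identity read the whole primary db regardless of the
# frontend olcSizeLimit: 500 (and of any timelimit). Without this a consumer
# refresh that needs more than 500 entries is truncated, which is the reason
# the current setup is invalid. If the accesslog db were not already set to
# unlimited, it would need the same olcLimits value.
olcLimits: dn.exact="cn=replicator,dc=example,dc=com" size=unlimited time=unlimited
-
replace: olcDbCheckpoint
# The first value is ignored by back-mdb, so 0; the 30-minute interval stays.
olcDbCheckpoint: 0 30
-
replace: olcToolThreads
# 2 on anything other than a single-core machine, as Quanah recommends.
olcToolThreads: 2
-
```

Apply it on the provider with a root ldapi bind, for example `ldapmodify -Y EXTERNAL -H ldapi:/// -f provider-limits.ldif`, then confirm from a consumer that a full refresh completes instead of stopping at 500 entries.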