2014-02-11 19:59 GMT+01:00 Cyril Grosjean <[email protected]>:
>
> I use a couple of OpenLDAP 2.4.36 servers in a multi-master replication
> setup.
> Write operations are sent to a single server, and then replicated to the
> second one.
>
> I sometimes have write operations "peaks" of about 900 operations
> (modifications of the pwdFailureTime attribute mainly) per hour.
> The number of bind failures per user is neither limited nor reset yet and
> I especially noticed a script that connects to the directory with the
> same service account and (wrong) password. So, until this script is
> modified with the right password (which will take time, unfortunately),
> it can generate tons of failures, and thus tons of replications.
>
> I noticed a several minutes replication delay between the directories, at
> peak time, when comparing the contextCSN attributes.
> It looks to me a big delay with regards to the number of modifications.
> Anything I could do to limit that delay ?
>

You may face this bug: http://www.openldap.org/its/index.cgi?findid=7788
To limit pwdFailureTime, you have to attach a password policy to the account with a maximum failure number, else the number of values will grow over time.

Clément.
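The configuration Clément describes, as an added example that is not part of the original thread: the slapo-ppolicy overlay is loaded into cn=config, a pwdPolicy entry with pwdMaxFailure is created, and that policy is attached to the misbehaving service account through pwdPolicySubentry. The database index (olcDatabase={1}mdb), the suffix dc=example,dc=com, the ou=policies container and the uid=svc-script entry are assumptions for illustration and must be adapted to the real directory.

```ldif
# Added example (not from the original thread). All DNs below are assumed:
# olcDatabase={1}mdb, dc=example,dc=com, ou=policies and uid=svc-script
# must be replaced with the real ones. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
# on each master, because cn=config is not replicated by default.

# 1. Load the ppolicy module (assumes cn=module{0} already exists).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Attach the overlay to the data database and point it at a default policy.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 3. The policy entry itself (assumes ou=policies,dc=example,dc=com exists).
#    pwdPolicy is auxiliary, so a structural class such as person is needed.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# Number of consecutive failed binds the overlay tracks before the password
# may no longer be used; this is the "max failure number" from the thread.
pwdMaxFailure: 5
# Failure timestamps older than 10 minutes are purged from the counter, so
# pwdFailureTime does not accumulate indefinitely.
pwdFailureCountInterval: 600
# Lock the account once pwdMaxFailure is reached ...
pwdLockout: TRUE
# ... but only for 15 minutes, so a script with a stale password cannot
# permanently lock a shared service account.
pwdLockoutDuration: 900

# 4. Attach the policy explicitly to the service account used by the script
#    (assumed DN). Entries without pwdPolicySubentry fall back to the
#    olcPPolicyDefault set above.
dn: uid=svc-script,ou=services,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
```

Two caveats a practitioner should weigh before applying this: enabling pwdLockout on a service account that is also used correctly elsewhere turns the misconfigured script into a denial of service against the legitimate consumer, which is why the example bounds the lockout with pwdLockoutDuration rather than leaving it permanent; and the ppolicy state attributes (pwdFailureTime, pwdAccountLockedTime) are still written on every failed bind, so the policy bounds how much state each entry carries, not the number of failed binds the script generates.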
