On 21.09.20 at 22:09, Quanah Gibson-Mount wrote:
>
>
> --On Sunday, September 20, 2020 5:29 PM +0200 Stefan Kania
> <[email protected]> wrote:
>
>> first the provider:
>> -------------------------
>> dn: olcBackend={0}mdb,cn=config
>> objectClass: olcBackendConfig
>> olcBackend: {0}mdb
>
> The above block is generally unnecessary (There is one config
> parameter in OpenLDAP 2.5 that requires being set in this block, but
> nothing in 2.4).
OK, but this is from the default settings of the Debian packages.
>
>> dn: olcDatabase={-1}frontend,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcFrontendConfig
>> olcDatabase: {-1}frontend
>> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
>> olcAccess: {1}to dn.exact="" by * read
>> olcAccess: {2}to dn.base="cn=subschema" by * read
>> olcSizeLimit: 500
>
> You've set a server sizelimit of 500 entries, but you don't exclude
> the replication user from this limit in the primary db, which is
> invalid. The replication user *must* be able to read both the primary
> and accesslog db on the provider with no sizelimit or timelimit
> restrictions. You have set the limits to unlimited for the accesslog
> db, but haven't handled this for the primary db. See the
> limits/olcLimits directive for how to make it so specific user(s)
> bypass the server limit.
Yes, I know; in the final playbook I will set the limits for the
repl user and ldap admin. The first step was getting the playbook with
delta-syncrepl running.
>
>> dn: olcDatabase={1}mdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcMdbConfig
>> olcDatabase: {1}mdb
>
>
>> olcDbCheckpoint: 512 30
>
> As documented in the slapd-mdb(5) man page, the first value in the
> checkpoint parameter does nothing, you can leave it at 0.
OK, I'll change this too. This will be a variable to change in the final
version.
>
>> olcSpSessionlog: 300
>
> How many total entries do you have in your database? You generally
> need a sessionlog that can hold as many entries as you expect to be
> changed in case of a REFRESH fallback to avoid ITS#8125.
This is just a test setup; it's managed via a variable that can be changed
before running the playbook.
>
>> olcToolThreads: 1
>
> Unless you're on a single core, single cpu system, you should set the
> tool threads to 2.
It's just a single-core VM on my system at home; this one will also be
set via a variable in the final version.
Thank you for the hints.
Stefan
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam and protects your privacy.
You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html
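The point Quanah raises above, that the replication user must be able to read the primary db without hitting the server-wide olcSizeLimit of 500, is usually handled with per-user olcLimits. The following LDIF is an added example, not part of the thread or of Stefan's playbook: it grants the replication user and the admin unlimited size and time limits on the primary db, repeats the exemption on the accesslog db, and sets olcDbCheckpoint to "0 30" as Quanah suggests. The DNs cn=replicator,dc=example,dc=com and cn=admin,dc=example,dc=com and the accesslog database index {2}mdb are assumptions; adjust them to the real configuration.

```ldif
# Added example (not from the original thread). Assumed names:
#   replication user: cn=replicator,dc=example,dc=com
#   admin user:       cn=admin,dc=example,dc=com
#   primary db:       olcDatabase={1}mdb,cn=config  (from the thread)
#   accesslog db:     olcDatabase={2}mdb,cn=config  (assumed index)
#
# Without these olcLimits, a refresh by the consumer reading the primary
# db would be cut off at 500 entries by the frontend's olcSizeLimit.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: dn.exact="cn=admin,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
# First checkpoint value is ignored by back-mdb; keep only the interval.
replace: olcDbCheckpoint
olcDbCheckpoint: 0 30

# The same exemption on the accesslog db, which the consumer reads for
# delta-syncrepl. The thread says this db already has unlimited limits;
# shown here so both databases are visibly covered.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
```

Apply it over ldapi with the peercred identity the olcAccess rule in the thread already grants manage rights to: `ldapmodify -Y EXTERNAL -H ldapi:/// -f limits.ldif`. To check the effect, bind as the replication user and search the whole suffix for more than 500 entries with `ldapsearch -D cn=replicator,dc=example,dc=com -W -b dc=example,dc=com 1.1`; before the change the result ends in "Size limit exceeded (4)", after it the full entry list is returned.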
