[Date Prev][Date Next] [Chronological] [Thread] [Top]

help needed for further investigation



Hello together. I am the heir of a setup based on RHEL 6.10 and Openldap 2.4.45 (ltb)
A master syncrepls to a slave in type=refreshOnly using bindmethod=sasl, saslmech=external.

The mapped techuser resides in ou=ServiceUser. All Clients also use user objects in the same ou to bind to the servers.

I need to set new acls and decided to include a dedicated acl- and limits-configfile. The ACLs checked via slapacl look fine and run without problems on the test environment. (Which is based on the same 2.4.45 rpms, but the replica runs on RHEL 7.5)

All slapd configuration make use of database mdb and an explicitly set maxsize. (which is sized sufficiently: 12 GB, 49 MB used)

When implementing the configuration on a running system, the replica deletes the ou (that one with all the service user objects).
Which is not what I want 
8-/

How can I find out more about the reason for this peculiar result?
I set the loglevel to 'stats sync' on the replica and 'sync' on the master. (fs size is limited for logs)
The access limits are in place for this replication account and read access is granted as well. (might be I need to set something extra for operational attributes?)
limits dn.subtree="ou=ServiceUser,..."
        size=unlimited
(this is the replica)
sizelimit unlimited
timelimit 10
and
limits dn.subtree="ou=ServiceUser,..."
        size=unlimited
        time=120
(in this order, this is the master)
What do I need to look at to find what's missing? I am no openldap crack, but no newbie as well. Yet my openldap knowledge ist not very extended.

Which further infos do I need to supply to maybe get help?

The include statements for limits and acls are defined before the database configuration.
I avoid using dynamic configuration to keep it all simple.

Overlays in use:
chain
dynlist
valsort
memberof
ppolicy
(replica)

syncprov
ppolicy
unique
dynlist
memberof
refint
valsort
(master)

Thank you,
Thomas