Open Directory replication may not work; "Size Limit exceeded" appears in slapd.log
Open Directory replication may not work; when this happens, entries such as the following appear in /var/log/slapd.log:
slapd[209]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
slapd[209]: do_syncrep2: rid=001 (4) Size limit exceeded
This can occur if an Open Directory server has been down for an extended period of time, or if a replica is created when there are more than 11000 objects in the LDAP datastore. 11000 is the default maximum number of entries that can be returned by a single search, and the synchronization search run by the replicator (the do_syncrep2 search in the log entries above) is subject to that limit like any other client's search.
The fix is to exempt the _ldap_replicator user from the search limits. This is narrower than raising the limit for every client: the exemption is keyed to the replicator's DN, so other LDAP clients remain subject to the default limit. The change has to be made to the LDAP server configuration on every Open Directory server (master and replicas). It involves authenticating as the directory administrator and running some LDAP modification commands in Terminal. The search base, also known as the naming context, for the LDAP server also needs to be known.
The following steps can be used to accomplish this.
First, find the search base for the LDAP server
Find the search base for the LDAP server. This is usually the fully qualified domain name of the server with dc= prepended to each label and the periods changed to commas.
For example, a server with hostname server.example.com would have a default search base of “dc=server,dc=example,dc=com”. The search base can be verified by querying the LDAP server itself with the following Terminal command:
ldapsearch -x -LLL -b "" -s base namingContexts
Look for the line containing namingContexts and the search base will be after the colon as in the example output below.
dn:
namingContexts: dc=server,dc=example,dc=com
Second, obtain the Kerberos credentials for the directory administrator
The default name for this user is diradmin, but the name could have been changed when the Open Directory master was created. Obtain a Kerberos ticket with the kinit command in Terminal. Run the following command, substituting the directory administrator's name for diradmin if necessary, and enter the password when prompted. On success there is no output.
kinit diradmin
Next, use ldapmodify in interactive mode in Terminal to make the changes. Execute the following in Terminal:
ldapmodify
Note: With no -x option, ldapmodify authenticates with SASL/GSSAPI using the Kerberos ticket obtained above. It will output a few SASL messages and then wait for input. On success, the SASL output should look something like this:
SASL/GSSAPI authentication started
SASL username: diradmin@REALM
SASL SSF: 56
SASL data security layer installed.
Modify the configuration
Lastly, make the modifications to the configuration. This requires all the text below to be entered in the Terminal window as input to the ldapmodify command. The search base has to be substituted for [search base] below, and the brackets removed. The two records are separate LDIF changes, so the blank line between them must be entered as well.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="uid=_ldap_replicator,cn=users,[search base]" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="uid=_ldap_replicator,cn=users,[search base]" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
Now press Control-D.
If everything is successful, messages such as the following will be displayed.
modifying entry "olcDatabase={1}bdb,cn=config"
modifying entry "olcDatabase={2}bdb,cn=config"
Learn more
Shell script alternative
Below is the text of a shell script that can be used to automate this process. Obtain the directory administrator's Kerberos ticket with kinit as above, then run this script on each Open Directory server. See this article for text editor suggestions.
#!/bin/sh
# Exempt _ldap_replicator from the search limits on both LDAP databases.
# Requires a Kerberos ticket for the directory administrator (kinit diradmin).
set -e

# Read the naming context (search base) from the server's root DSE.
nc=$(ldapsearch -x -LLL -b "" -s base namingContexts | awk '/^namingContexts:/ {print $2}')
if [ -z "$nc" ]; then
    echo "Could not determine the naming context from the LDAP server" >&2
    exit 1
fi

# Two LDIF change records; the blank line between them is required.
ldapmodify <<EOF
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="uid=_ldap_replicator,cn=users,$nc" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="uid=_ldap_replicator,cn=users,$nc" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
EOF
#end of script
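The script above is not safe to run twice: slapd rejects a second "add: olcLimits" of the same value with "Type or value exists". The helpers below, an added example rather than Apple's script, show the two checks a practitioner would want around the procedure on this page: the search base derivation from the first step as a function, and a check of the existing olcLimits values in cn=config before modifying anything, so the script can be re-run on a server that has already been fixed. They assume the same environment as the script above (ldapsearch and ldapmodify on PATH, a Kerberos ticket for the directory administrator) and additionally that the directory administrator may read olcLimits under cn=config, which the page does not state. The sample LDIF embedded in the block is constructed, not captured from a server; it shows the line folding ldapsearch applies to long attribute values, which would otherwise defeat a simple grep.

```sh
#!/bin/sh
# Added example, not Apple's script: re-runnable helpers for the procedure above.
# Assumes ldapsearch/ldapmodify on PATH and a Kerberos ticket for the directory
# administrator (kinit diradmin), and that this administrator may read olcLimits
# under cn=config (an assumption; the article only shows it writing there).
set -e

# Step 1 as a function: server.example.com -> dc=server,dc=example,dc=com
fqdn_to_basedn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# ldapsearch folds attribute values longer than 76 characters onto continuation
# lines that start with a single space; join them back so grep sees whole lines.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { if (NR > 0) printf "\n" }'
}

# Succeeds if the LDIF on stdin already carries the replicator exemption for the
# given search base. A second "add: olcLimits" of the same value is rejected by
# slapd with "Type or value exists", so the driver checks this first.
has_replicator_limit() {
    grep -q "^olcLimits: dn.exact=\"uid=_ldap_replicator,cn=users,$1\""
}

# The modification for one database ($1 = olcDatabase RDN, $2 = search base).
# dn.exact scopes the exemption to the replicator alone; the default limit stays
# in force for every other client. Ends with the blank line LDIF requires.
limit_ldif() {
    printf 'dn: olcDatabase=%s,cn=config\n' "$1"
    printf 'changetype: modify\n'
    printf 'add: olcLimits\n'
    printf 'olcLimits: dn.exact="uid=_ldap_replicator,cn=users,%s"' "$2"
    printf ' time.soft=unlimited time.hard=unlimited'
    printf ' size.soft=unlimited size.hard=unlimited\n\n'
}

# Apply the exemption to both databases, skipping any that already have it.
apply_limits() {
    nc=$(ldapsearch -x -LLL -b "" -s base namingContexts | awk '/^namingContexts:/ {print $2}')
    [ -n "$nc" ] || { echo "could not read namingContexts from the root DSE" >&2; return 1; }
    for db in '{1}bdb' '{2}bdb'; do
        if ldapsearch -LLL -b "olcDatabase=$db,cn=config" -s base olcLimits \
            | unfold_ldif | has_replicator_limit "$nc"; then
            echo "olcDatabase=$db: replicator exemption already present, skipping"
        else
            limit_ldif "$db" "$nc" | ldapmodify
        fi
    done
}

# Constructed sample (not captured from a real server) of what
# "ldapsearch -LLL -b olcDatabase={1}bdb,cn=config -s base olcLimits" returns
# once the change is in place, folded at 76 columns the way ldapsearch folds it.
SAMPLE_WITH_LIMIT='dn: olcDatabase={1}bdb,cn=config
olcLimits: dn.exact="uid=_ldap_replicator,cn=users,dc=server,dc=example,dc=c
 om" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=u
 nlimited
'
# Constructed sample for a database that has not been changed yet.
SAMPLE_WITHOUT_LIMIT='dn: olcDatabase={1}bdb,cn=config
'

# Only touch a live server when explicitly asked:  sh script.sh apply
case "${1-}" in
    apply) apply_limits ;;
esac
```

Run with "sh script.sh apply" on each Open Directory server after kinit; without the argument the helpers are defined but nothing is sent to slapd. The check deliberately compares against the exact DN it is about to add, so an olcLimits entry for some other DN does not count as "already done".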
This document will be updated as more information becomes available.