This article has been archived and is no longer updated by Apple.

Open Directory replication may not work; "Size Limit exceeded" appears in slapd.log

Open Directory replication may not work; when this happens, entries such as the following appear in /var/log/slapd.log

slapd[209]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
slapd[209]: do_syncrep2: rid=001 (4) Size limit exceeded

This can occur if an Open Directory server has been down for an extended period of time, or if a replica is created when there are more than 11000 objects in the LDAP datastore. 11000 is the default maximum number of objects that can be returned in a single search, so the replicator's full sync request is cut off before it can retrieve every entry.

Allow the _ldap_replicator user to override the search limit. This is done by changing the LDAP server configuration on every Open Directory server. This involves authenticating as the directory administrator and running some LDAP modification commands in Terminal. The search base, also known as naming context, for the LDAP server also needs to be known.

The following steps can be used to accomplish this.

First, find the search base for the LDAP server

Find the search base for the LDAP server. This is usually the fully qualified domain name of the server with dc= prepended to each label and the periods changed to commas.

For example, a server with hostname server.example.com would have a default search base of "dc=server,dc=example,dc=com". The search base can be verified by querying the LDAP server itself with the following Terminal command:

ldapsearch -x -LLL -b "" -s base namingContexts

Look for the line containing namingContexts and the search base will be after the colon as in the example output below.

dn:
namingContexts: dc=server,dc=example,dc=com

Second, obtain the Kerberos credentials for the directory administrator

The default name for this user is diradmin but the name could have been changed when the Open Directory master was created. This is done using the kinit command in Terminal. Run the following command, substituting the correct name for the directory administrator for diradmin if necessary, and enter the password when prompted for it. There is no output.

kinit diradmin

Next, use ldapmodify in interactive mode in Terminal to make the changes. Simply execute the following in Terminal:

ldapmodify

Note: This will output a few SASL messages and wait for input. On success, the SASL output should look something like this:

SASL/GSSAPI authentication started
SASL username: diradmin@REALM
SASL SSF: 56
SASL data security layer installed.

Modify the configuration

Lastly, make the modifications to the configuration. This requires all the text below be entered in the Terminal window as input to the ldapmodify command. The search base has to be substituted for [search base] below, and the brackets removed. The two entries must be separated by a blank line, as shown.

dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="uid=_ldap_replicator,cn=users,[search base]" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="uid=_ldap_replicator,cn=users,[search base]" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

Now press Control-D.

If everything is successful, messages such as the following will be displayed.

modifying entry "olcDatabase={1}bdb,cn=config"
modifying entry "olcDatabase={2}bdb,cn=config"

Learn more

Shell script alternative

Below is the text of a shell script that can be used to automate this process. Just kinit the directory administrator as above and run this script. See this article for text editor suggestions.

#!/bin/sh
# Read the naming context (search base) from the LDAP server's root DSE.
nc=`ldapsearch -x -LLL -b "" -s base namingContexts | awk '/namingContexts/ {print $2}'`
# Grant _ldap_replicator unlimited search limits on both cn=config databases.
ldapmodify <<EOF
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="uid=_ldap_replicator,cn=users,$nc" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="uid=_ldap_replicator,cn=users,$nc" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
EOF
#end of script
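The following is an added example, not part of Apple's article or script: it factors the steps above (confirming the symptom in slapd.log, reading the naming context, building the olcLimits LDIF) into shell functions that can be checked on constructed sample data before anything is piped into ldapmodify. The function names are hypothetical, the sample log and ldapsearch output are constructed, and the database names {1}bdb and {2}bdb are those used in the article.

```shell
#!/bin/sh
# Constructed ldapsearch output in the shape the article describes (not from a real server).
SAMPLE_NAMING_CONTEXTS='dn:
namingContexts: dc=server,dc=example,dc=com'

# Constructed slapd.log excerpt (not from a real system); the first two lines are the symptom.
SAMPLE_SLAPD_LOG='slapd[209]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
slapd[209]: do_syncrep2: rid=001 (4) Size limit exceeded
slapd[209]: conn=12 op=3 SRCH base="dc=server,dc=example,dc=com" scope=2'

# Count syncrepl pulls that hit the server-side size limit; reads log text on stdin.
count_size_limit_errors() {
    grep -c 'do_syncrep2: .*Size limit exceeded' || true
}

# Extract the first namingContexts value from ldapsearch output on stdin.
# Only the first value is taken, so a server with several contexts cannot
# turn the dn.exact= clause into a malformed multi-line value.
extract_naming_context() {
    awk '/^namingContexts:/ { print $2; exit }'
}

# Print the LDIF that grants _ldap_replicator unlimited search limits.
# $1 = naming context; remaining args = cn=config database names ({1}bdb, {2}bdb).
build_limits_ldif() {
    nc=$1; shift
    if [ -z "$nc" ]; then
        echo "naming context is empty; refusing to build an LDIF with a dangling dn" >&2
        return 1
    fi
    for db in "$@"; do
        printf 'dn: olcDatabase=%s,cn=config\nchangetype: modify\nadd: olcLimits\n' "$db"
        printf 'olcLimits: dn.exact="uid=_ldap_replicator,cn=users,%s" ' "$nc"
        printf 'time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited\n\n'
    done
}

# Stand-alone run on the constructed samples. On a real server, pipe
# `ldapsearch -x -LLL -b "" -s base namingContexts` into extract_naming_context
# and the generated LDIF into `ldapmodify` instead of printing it.
errors=$(printf '%s\n' "$SAMPLE_SLAPD_LOG" | count_size_limit_errors)
echo "syncrepl size-limit errors in sample log: $errors"
nc=$(printf '%s\n' "$SAMPLE_NAMING_CONTEXTS" | extract_naming_context)
build_limits_ldif "$nc" '{1}bdb' '{2}bdb'
```

After applying the change on a real server, the same count_size_limit_errors check run against /var/log/slapd.log should stop growing once the replica completes its next sync.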

This document will be updated as more information becomes available.
