#542 Cannot dynamically set nsslapd-maxbersize
Closed: wontfix None Opened 11 years ago by jraquino.

This bug affects directory initializations when the membersize exceeds the default value. For example, a dogtag replica installation with a large CRL entry will fail due to the size exceeding 2097152 bytes.


The only place we tell the Sockbuf layer that we have a max size is here:

{{{
Connection_Table *
connection_table_new(int table_size)
...
ber_len_t maxbersize = config_get_maxbersize();
}}}
this should be moved before the loop - no reason to do this inside the loop
{{{
ber_sockbuf_ctrl( ct->c[i].c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &maxbersize );
}}}

Will be tricky to do this dynamically and have it apply to all open connections. Would prefer to do it only for new connections:
{{{
handle_new_connection()
...
ber_sockbuf_add_io( conn->c_sb, &openldap_sockbuf_io,
LBER_SBIOD_LEVEL_PROVIDER, conn );
...
ber_len_t maxbersize = config_get_maxbersize();
ber_sockbuf_ctrl( conn->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &maxbersize );
}}}

Fix description: Based on the proposal made by rmeggins@redhat.com
in the ticket #542, this patch sets maxbersize every time before
reading the client input from the socket.

If the incoming ber size is larger than maxbersize, access log logs:
[..] conn=# op=-1 fd=64 closed error 34 (Numerical result out of range) - B2
And the error log logs:
[..] connection - conn=# fd=# Incoming BER Element was too long, max
allowable is # bytes. Change the nsslapd-maxbersize attribute in
cn=config to increase.

Reviewed by Rich (Thank you!!)

Pushed to master: commit cce46be

Pushed to 389-ds-base-1.3.0: commit 5941a5b

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.0.2
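
The behaviour the fix description relies on, as an added example that is not code from 389-ds-base or liblber: a simplified model in which the limit is re-read before every read, so a changed limit applies to a connection that is already open, and an oversized element fails with ERANGE (errno 34 on Linux, the "Numerical result out of range" seen in the access log). `g_maxbersize`, `get_maxbersize()` and `check_incoming_ber()` are hypothetical names, and the model assumes a single-byte tag and compares the declared length only.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the value behind config_get_maxbersize(). */
static size_t g_maxbersize = 2097152;
static size_t get_maxbersize(void) { return g_maxbersize; }

/* Decode the header (single-byte tag + definite length) of one incoming
 * BER element and compare the declared length with the limit in force
 * right now. Returns 0 and stores the length, or -1 with errno set:
 * ERANGE (too long), EAGAIN (header incomplete), EINVAL (unsupported). */
static int check_incoming_ber(const unsigned char *buf, size_t n, size_t *len_out)
{
    size_t max = get_maxbersize();   /* re-read on every call, not once per slot */
    size_t len = 0, i, nbytes;

    if (n < 2) { errno = EAGAIN; return -1; }
    if ((buf[0] & 0x1f) == 0x1f) { errno = EINVAL; return -1; } /* multi-byte tag */
    if (buf[1] < 0x80) {
        len = buf[1];                      /* short form */
    } else {
        nbytes = buf[1] & 0x7f;            /* long form: count of length octets */
        if (nbytes == 0 || nbytes > sizeof(size_t)) { errno = EINVAL; return -1; }
        if (n < 2 + nbytes) { errno = EAGAIN; return -1; }
        for (i = 0; i < nbytes; i++)
            len = (len << 8) | buf[2 + i];
    }
    if (len > max) { errno = ERANGE; return -1; }
    *len_out = len;
    return 0;
}

int main(void)
{
    /* Constructed sample: SEQUENCE header declaring 0x300000 (3145728) bytes. */
    const unsigned char hdr[] = { 0x30, 0x84, 0x00, 0x30, 0x00, 0x00 };
    size_t len = 0;
    int rc = check_incoming_ber(hdr, sizeof hdr, &len);
    printf("limit %zu: rc=%d errno=%d\n", get_maxbersize(), rc, rc ? errno : 0);
    g_maxbersize = 4194304;   /* config change while the connection is open */
    rc = check_incoming_ber(hdr, sizeof hdr, &len);
    printf("limit %zu: rc=%d len=%zu\n", get_maxbersize(), rc, len);
    return 0;
}
```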

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/542

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
