There is a DIRSRV variable set during the PKI install: nsslapd-maxbersize. This variable is -not- dynamically initialized. Because of this, a restart is required for it to take effect.
When building a replica from a PKI-CA master with a large CRL, the installation fails during the replication phase:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: configuring certificate server instance
/var/log/dirsrv/slapd-PKI-CA/error:
[17/Dec/2012:15:50:22 -0800] - ERROR bulk import abandoned
[17/Dec/2012:15:50:22 -0800] - import ipaca: Aborting all Import threads...
[17/Dec/2012:15:50:33 -0800] - import ipaca: Import threads aborted.
[17/Dec/2012:15:50:33 -0800] - import ipaca: Closing files...
[17/Dec/2012:15:50:33 -0800] - import ipaca: Import failed.
[17/Dec/2012:15:50:33 -0800] - process_bulk_import_op: NULL target sdn
/var/log/dirsrv/slapd-PKI-CA/access:
[17/Dec/2012:15:50:22 -0800] conn=15 op=-1 fd=73 closed error 34 (Numerical result out of range) - B
This bug has a 1-line workaround / fix:
ipaserver/install/cainstance.py: In the [slapd] stanza of the "INF_TEMPLATE" variable, the LDIF containing the max limit increase only needs to be declared:
ConfigFile = /usr/share/pki/ca/conf/database.ldif
This will cause the directory server to have the variable defined during initialization, and it will not require a restart to take effect.
The same file is later called by the installation process but this way, it ensures that the change is made before replication attempts have begun.
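As an added example (not part of the ticket or the attached FreeIPA patch), the following helper performs the pre-flight check a replica installer would want before the bulk import runs: it reads the nsslapd-maxbersize value out of an LDIF fragment such as the database.ldif the fix points the [slapd] ConfigFile at, and reports whether a CRL of a given size would fit under that limit or trip the import abort (389-ds error 34) shown above. The 2097152-byte fallback is the 389-ds default and is assumed here; the LDIF fragments, the CRL size and the 4096-byte framing margin are constructed values.

```python
"""
Pre-flight check for the failure in this ticket: a replica install aborts its
bulk import when an entry such as a large CRL exceeds nsslapd-maxbersize.
This is an added example, not code from FreeIPA or 389-ds.
"""
import re

# Assumed 389-ds default when no nsslapd-maxbersize attribute is declared.
DEFAULT_MAXBERSIZE = 2097152

# Matches the attribute on its own line after LDIF unfolding.
_ATTR = re.compile(r"^nsslapd-maxbersize:[ \t]*(\d+)[ \t]*$",
                   re.IGNORECASE | re.MULTILINE)

# Constructed sample: an LDIF that raises the limit, as the fix applies it.
SAMPLE_DATABASE_LDIF = """\
dn: cn=config
changetype: modify
replace: nsslapd-maxbersize
nsslapd-maxbersize: 209715200
"""

# Constructed sample: a config entry that leaves the default in place.
SAMPLE_DEFAULT_LDIF = """\
dn: cn=config
objectClass: top
cn: config
"""


def unfold_ldif(text: str) -> str:
    """Join LDIF continuation lines (a line beginning with a space continues the previous one)."""
    return re.sub(r"\n ", "", text)


def parse_maxbersize(ldif_text: str) -> int:
    """Return the nsslapd-maxbersize declared in the LDIF, or the assumed default."""
    match = _ATTR.search(unfold_ldif(ldif_text))
    return int(match.group(1)) if match else DEFAULT_MAXBERSIZE


def crl_fits(crl_bytes: int, maxbersize: int, overhead: int = 4096) -> bool:
    """True if a CRL of crl_bytes fits under maxbersize.

    overhead is an assumed margin for the other attributes and BER framing
    around the CRL entry; the limit applies to the whole encoded request.
    """
    return crl_bytes + overhead <= maxbersize


def check_replica_crl(ldif_text: str, crl_bytes: int) -> dict:
    """Summarise whether a replica import of this CRL would hit the BER limit."""
    limit = parse_maxbersize(ldif_text)
    return {
        "maxbersize": limit,
        "crl_bytes": crl_bytes,
        "fits": crl_fits(crl_bytes, limit),
    }


if __name__ == "__main__":
    crl_size = 3 * 1024 * 1024  # constructed: a 3 MiB CRL
    for name, ldif in (("default", SAMPLE_DEFAULT_LDIF),
                       ("database.ldif", SAMPLE_DATABASE_LDIF)):
        result = check_replica_crl(ldif, crl_size)
        verdict = "ok" if result["fits"] else "would abort import (error 34)"
        print(f"{name}: maxbersize={result['maxbersize']} crl={crl_size}: {verdict}")
```

Running the check against a real instance means feeding it the dse.ldif of the server being built (or the LDIF handed to ConfigFile) and the byte length of the master's current CRL; a "would abort import" result before the replication step is the signal that the limit must be raised at instance creation rather than after a restart.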
Attachment: freeipa-jraquino-0043-Allow-PKI-CA-Replica-Installs-when-CRL-exceeds-default.patch
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=888956
master: cfe1894
ipa-3-1: 56b756e
ipa-3-0: 92ab338
Metadata Update from @jraquino:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.2