#4807 new replicas fail to replicate on CentOS 6.6 IPA 3.0.0-42
Closed: Invalid None Opened 9 years ago by dbf.

When attempting to set up a new replica using the procedure described in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/
the replica can be set up, but then fails to replicate with the master IPA server.
Master server and replica have both CentOS 6.6 installed (all packages up-to-date), DNS is on an external DNS server, SELinux is turned off, both machines can communicate on the network properly.
The problem appears to be SASL-related, details can be found in the following thread:
https://www.redhat.com/archives/freeipa-users/2014-November/msg00100.html


Are we sure that the problem is not caused by a too low SASL communication buffer? (RHEL-7 variant of the bug) What is the value of nsslapd-sasl-max-buffer-size in cn=config?

If this is not the root cause, it is something more complicated, and according to [this] and this message on freeipa-users (https://www.redhat.com/archives/freeipa-users/2014-November/msg00424.html), we would either need to do an interactive debugging session or try a specialized build of DS to continue with the investigation.

During the thread it was not proposed to increase nsslapd-sasl-max-buffer-size. So it is worth increasing this attribute to check if it solves this issue.

The customer already tested with a larger nsslapd-maxsasliosize (6Mb) https://www.redhat.com/archives/freeipa-users/2014-November/msg00344.html

Changing nsslapd-sasl-max-buffer-size to 2097152 indeed did the trick. Replication works, error messages in slapd logs are gone. Thank you for looking into this.

Great! Thanks for confirmation. This default should be already set for Fedora builds. For RHEL, it should be there in 6.7 at the latest.
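
Added example, not part of the original ticket and not FreeIPA or 389-ds code: a shell helper that reads nsslapd-sasl-max-buffer-size from `ldapsearch -LLL` output for cn=config, compares it with the 2097152 value confirmed above, and prints the LDIF to raise it. The server URI, the "cn=Directory Manager" bind DN and all function names are assumptions.

```shell
#!/bin/sh
# Added example: audit nsslapd-sasl-max-buffer-size on a directory server.
WANT=2097152   # value reported in this ticket to fix replication

# Read LDIF on stdin (as printed by ldapsearch -LLL) and print the attribute
# value, or "unset" when cn=config carries no explicit value.
sasl_buf_from_ldif() {
    awk -F': *' '
        tolower($1) == "nsslapd-sasl-max-buffer-size" { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Classify a value: ok, raise, unknown (build default applies) or invalid.
sasl_buf_verdict() {
    case "$1" in
        unset)        echo unknown ;;
        ''|*[!0-9]*)  echo invalid ;;
        *) if [ "$1" -ge "$WANT" ]; then echo ok; else echo raise; fi ;;
    esac
}

# LDIF for ldapmodify that sets the attribute to $WANT.
sasl_buf_fix_ldif() {
    printf 'dn: cn=config\n'
    printf 'changetype: modify\n'
    printf 'replace: nsslapd-sasl-max-buffer-size\n'
    printf 'nsslapd-sasl-max-buffer-size: %s\n' "$WANT"
}

# Live check; not called automatically.
# Usage (hypothetical host): check_server ldap://replica.example.test
check_server() {
    cur=$(ldapsearch -LLL -x -H "$1" -D "cn=Directory Manager" -W \
            -b cn=config -s base nsslapd-sasl-max-buffer-size \
          | sasl_buf_from_ldif)
    verdict=$(sasl_buf_verdict "$cur")
    echo "current=$cur verdict=$verdict" >&2
    # Anything other than "ok": emit the change for review, then pipe it to
    # ldapmodify -x -H "$1" -D "cn=Directory Manager" -W
    [ "$verdict" = ok ] || sasl_buf_fix_ldif
}
```

An "unknown" verdict means no explicit value is stored, so the build's compiled-in default applies; per the comment above, that default differs between Fedora and RHEL builds.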

Metadata Update from @dbf:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago
