On Fri, 2017-12-08 at 15:55 -0600, Sergei Gerasenko wrote:
> So my advice - Sometimes we see this error when you use ldaps:// to a
> plaintext port IE ldaps://hostname:389. Is this possibly the issue you
> have replication set to SSL to a plaintext port?
I think in that case the message is:

Connection - conn=167482 fd=121 Incoming BER Element was 3 bytes, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

Note that it mentions the element size of 3 bytes. In the case in this thread however I don’t see a size mentioned:

ns-slapd[45565]: [02/Dec/2017:22:47:52.520338378 +0000] connection - conn=1229556 fd=588 Incoming BER Element was too long, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

This makes me think it’s a different situation. I would imagine it shouldn’t have been logged if it was ignored? But it’s possible...

That message "was 3 bytes max allowable ..." means "SSL/TLS on a plaintext port."

Newer versions of DS have a specific error message to explain this better.

I think you should check your replication agreement configurations to see if any of them list "ldaps://" instead of "ldap://" for a StartTLS connection perhaps. Or SSL vs TLS in the config.

Hope that helps,
Thanks,
Sergei
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
--
Sincerely,
William Brown
Software Engineer
Red Hat, Australia/Brisbane
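
Added example, not part of the original message and not 389 Directory Server code: a small triage script that separates the two forms of the maxbersize message discussed above. The verdict names are hypothetical labels, the last two sample lines are constructed, and treating a reported size larger than the limit as a genuinely oversized element is an assumption.

```python
import re

# Both forms of the ns-slapd message quoted in the thread above.
BER_RE = re.compile(
    r"conn=(?P<conn>\d+) fd=(?P<fd>\d+) Incoming BER Element was "
    r"(?:(?P<size>\d+) bytes|too long), max allowable is (?P<max>\d+) bytes"
)

def classify(line):
    """Return details for a BER-size log line, or None for unrelated lines."""
    m = BER_RE.search(" ".join(line.split()))  # undo wrapping and extra spaces
    if m is None:
        return None
    limit = int(m["max"])
    if m["size"] is None:
        # "was too long" with no size: the thread leaves this case open.
        verdict = "size-not-reported"
    elif int(m["size"]) <= limit:
        # A tiny "size" that cannot exceed the limit: per the reply above,
        # this form means SSL/TLS was spoken to a plaintext port.
        verdict = "tls-on-plaintext-port"
    else:
        verdict = "oversized-element"  # assumption: a real oversized request
    return {"conn": int(m["conn"]), "fd": int(m["fd"]),
            "size": int(m["size"]) if m["size"] else None,
            "max": limit, "verdict": verdict}

def triage(lines):
    """Classify every matching line, preserving log order."""
    return [hit for hit in map(classify, lines) if hit is not None]

TAIL = ("max allowable is 2097152 bytes. Change the nsslapd-maxbersize "
        "attribute in cn=config to increase.")
SAMPLE_LOG = [
    # First two lines are the messages quoted in the thread.
    "Connection - conn=167482 fd=121 Incoming BER Element was 3 bytes, " + TAIL,
    "ns-slapd[45565]: [02/Dec/2017:22:47:52.520338378 +0000] connection - "
    "conn=1229556 fd=588 Incoming BER Element was too long, " + TAIL,
    # Constructed lines: an oversized element and an unrelated entry.
    "connection - conn=42 fd=64 Incoming BER Element was 4194304 bytes, " + TAIL,
    "conn=43 fd=65 slot=65 connection from 192.0.2.10 to 192.0.2.20",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"conn={hit['conn']} fd={hit['fd']} -> {hit['verdict']}")
```

Connections flagged tls-on-plaintext-port are the ones whose client or replication agreement settings are worth checking for an ldaps:// URL or SSL transport pointed at the plaintext port.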