On 17-07-18 10:56, Alexander Bokovoy wrote:
On ti, 17 heinä 2018, Kees Bakker via FreeIPA-users wrote:
> Hi,
>
> This is about the infamous log message
>
> WARNING: changelog: entry cache size 2097152B is less than db size 19701760B; We
recommend to increase the entry cache size nsslapd-cachememsize.
>
> I've searched the Internet, including this mailing list, but I haven't found
> a sensible FreeIPA solution yet. There was a hint to look at [1], that suggested
that
> I should use ldapmodify. Well OK, but before I do that I want to first see,
> using ldapsearch, that I can query the current value. I tried this (with proper
> kinit of course):
>
> ldapsearch -Y GSSAPI -b cn=config
>
> That didn't show anything useful, nothing with nsslapd-cachememsize.
> That makes me wonder whether the suggested ldapmodify command is
> correct for me.
>
> My question is basically: what is the recommended FreeIPA way to modify
> nsslapd-cachememsize? And will the modification automatically
> replicate from the master to the replica?
It needs to be done as cn=Directory Manager. 'admin' has no rights over
cn=config.
Ah, that makes sense now.
One way to do that is to use ldapi and -Y EXTERNAL. Take the LDAP url
from /etc/ipa/default.conf and as root on the master do
ldapsearch -Y EXTERNAL -H '<ldap_url value from default.conf>' -b
cn=config
OK, thanks. I can see the entries now.
To modify you'd rather use ipa-ldap-updater tool which manages
automatically this for you when an update file is provided. In addition,
you have some substitution variables available too. These aren't needed
for this specific case but it would be useful in other cases.
See
https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/
for details and read ipa-ldap-updater manual page.
Just to be sure, before I execute it. This will be my update file for ipa-ldap-updater.
(The syntax wasn't fully clear from the man page.)
# Change value nsslapd-cachememsize
dn: cn=changelog,cn=ldbm database,cn=plugins,cn=config
replace:nsslapd-cachememsize:2097152::33554432
Right?
--
Kees