On Fri, 2017-12-08 at 15:55 -0600, Sergei Gerasenko wrote:
> > So my advice - Sometimes we see this error when you use ldaps:// to a
> > plaintext port IE ldaps://hostname:389. Is this possibly the issue you
> > have replication set to SSL to a plaintext port?
>
> I think in that case the message is:
>
> Connection - conn=167482 fd=121 Incoming BER Element was 3 bytes, max
> allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute
> in cn=config to increase.
>
> Note that it mentions the element size of 3 bytes. In the case in
> this thread however I don’t see a size mentioned:
>
> ns-slapd[45565]: [02/Dec/2017:22:47:52.520338378 +0000] connection -
> conn=1229556 fd=588 Incoming BER Element was too long, max allowable
> is 2097152 bytes. Change the nsslapd-maxbersize attribute in
> cn=config to increase.
>
> This makes me think it’s a different situation. I would imagine it
> shouldn’t have been logged if it was ignored? But it’s possible...

That message "was 3 bytes max allowable ..." means "SSL/TLS on a plaintext port." Newer versions of DS have a specific error message to explain this better.

I think you should check your replication agreement configurations to see if any of them list "ldaps://" instead of "ldap://" for a StartTLS connection perhaps. Or SSL vs TLS in the config.

Hope that helps,

> Thanks,
> Sergei

--
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
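An added illustration, not part of the thread and not 389 DS code: a TLS record always begins with a content-type byte followed by the version byte 0x03, so a BER reader takes that second byte as a short-form length of 3. The sketch below decodes that header and sorts the two log variants quoted in the thread; it assumes the server reports the length it decoded from those first bytes, and the function names, verdict labels and byte samples are constructed for the example.

```python
import re

# Matches both variants of the ns-slapd message quoted in the thread.
BER_MSG = re.compile(
    r"conn=(?P<conn>\d+) fd=(?P<fd>\d+) Incoming BER Element was "
    r"(?:(?P<size>\d+) bytes|too long), max allowable is (?P<max>\d+) bytes"
)

# Constructed sample: first bytes of a TLS handshake record
# (content type 0x16, version 3.1, record length 0x0200).
TLS_RECORD_START = bytes([0x16, 0x03, 0x01, 0x02, 0x00])
# Constructed sample: start of an LDAP message (SEQUENCE, 12 content bytes).
LDAP_MESSAGE_START = bytes([0x30, 0x0C, 0x02, 0x01, 0x01])

# The two log lines as quoted in the thread.
LOG_LINES = [
    "Connection - conn=167482 fd=121 Incoming BER Element was 3 bytes, "
    "max allowable is 2097152 bytes.",
    "ns-slapd[45565]: [02/Dec/2017:22:47:52.520338378 +0000] connection - "
    "conn=1229556 fd=588 Incoming BER Element was too long, "
    "max allowable is 2097152 bytes.",
]

def ber_header(data):
    """Return (tag, length) read from the start of data as a BER element."""
    tag, first = data[0], data[1]
    if first < 0x80:                  # short form: this byte is the length
        return tag, first
    count = first & 0x7F              # long form: next `count` bytes hold it
    return tag, int.from_bytes(data[2:2 + count], "big")

def classify(line):
    """Return (conn, verdict) for a BER size message, or None for other lines."""
    m = BER_MSG.search(line)
    if m is None:
        return None
    if m.group("size") is None:
        verdict = "size-not-reported"         # the case left open in the thread
    elif int(m.group("size")) == ber_header(TLS_RECORD_START)[1]:
        verdict = "tls-on-plaintext-port"     # per the reply above
    else:
        verdict = "other-size"
    return int(m.group("conn")), verdict

if __name__ == "__main__":
    print(ber_header(TLS_RECORD_START), ber_header(LDAP_MESSAGE_START))
    for line in LOG_LINES:
        print(classify(line))
```

A connection flagged `tls-on-plaintext-port` is the one to trace back to a replication agreement or client configured for SSL against the plaintext port.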