From 94478cc88bdd5062e5651069ae8b3ab604f1af84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Tue, 24 Oct 2023 13:56:13 +0200
Subject: [PATCH] Install IPA replicas with a larger `nsslapd-maxsasliosize`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Related to https://pagure.io/fedora-infrastructure/issue/10358

Signed-off-by: Aurélien Bompard
---
 roles/ipa/server/files/replica-install.ldif | 4 ++
 roles/ipa/server/tasks/main.yml | 42 +++++++++++++--------
 2 files changed, 30 insertions(+), 16 deletions(-)
 create mode 100644 roles/ipa/server/files/replica-install.ldif

diff --git a/roles/ipa/server/files/replica-install.ldif b/roles/ipa/server/files/replica-install.ldif
new file mode 100644
index 0000000000..27dc8ad26d
--- /dev/null
+++ b/roles/ipa/server/files/replica-install.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-maxsasliosize
+nsslapd-maxsasliosize: 3145728
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 3129bec563..bd8385a3ed 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -86,6 +86,30 @@
 - config
 when: ipa_initial

+- name: Create LDIF directory
+ file:
+ path: /root/ldif
+ state: directory
+ owner: root
+ group: root
+ mode: 0750
+ tags:
+ - ipa/server
+ - config
+
+- name: Copy LDIF files
+ copy:
+ src: "{{item}}"
+ dest: /root/ldif/{{item}}
+ with_items:
+ - grant_anonymous_replication_view.ldif
+ - grant_fas_sync.ldif
+ - use_id_fp_o.ldif
+ - replica-install.ldif
+ tags:
+ - ipa/server
+ - config
+
 - name: determine whether we need to set up replication
 stat: path=/etc/ipa/default.conf
 register: replication_status
@@ -138,6 +162,7 @@
 --forwarder=10.3.163.34
 --skip-conncheck
 --log-file=/var/log/ipainstall.log
+ --dirsrv-config-file=/root/ldif/replica-install.ldif
 /root/ipa_replica_{{inventory_hostname}}.gpg
 creates=/etc/ipa/default.conf
 when: ansible_distribution_major_version|int < 8
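Review bot: The value 3145728 on the last line of the new LDIF is a bare magic number with nothing in the file explaining it, and `nsslapd-maxsasliosize` is, as I read the 389-ds documentation, the cap on a single SASL-wrapped packet beyond which the server drops the connection, so raising it deliberately loosens a resource-exhaustion guard rather than tuning performance. LDIF accepts `#` comment lines, so I would add one above `dn: cn=config`, e.g. `# Raise the per-packet SASL I/O ceiling to 3 MiB (3145728 bytes); see https://pagure.io/fedora-infrastructure/issue/10358`, so the next person to touch this file knows why the limit moved and which issue justifies it. It would also help to record in the same comment that this file is only consumed by the replica installer, because cn=config is per-instance (the playbook's own comment near its end says such settings are non-replicated) and existing masters will not pick it up from here.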
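Review bot: `mode: 0750` in the Create LDIF directory task is an unquoted leading-zero scalar; Ansible's YAML loader reads it as the octal integer 488, which the `file` module happens to accept, but Ansible's documentation recommends quoting modes (`mode: "0750"`) because the bare form breaks in loops and some other contexts, and the removed `mode=0750` key=value form passed a string, so the quoted form is the faithful translation. For consistency with the quoted `src: "{{item}}"` on the Copy LDIF files task I would also write `dest: "/root/ldif/{{ item }}"`; it is valid unquoted only because the braces are not at the start of the value. Both tasks are otherwise byte-for-byte moves of the removed tasks plus the new `replica-install.ldif` item, which is what makes the file available before the replica-install tasks below run.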
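Review bot: The added `--dirsrv-config-file=/root/ldif/replica-install.ldif` only has an effect when this command actually runs, and the `creates=/etc/ipa/default.conf` guard two lines below skips it on every host that is already a replica, so existing masters keep the old `nsslapd-maxsasliosize`; the same holds for the el8+ variant in the next hunk, and presumably for the initial server, whose install task is outside this hunk. Because cn=config is per-instance (the playbook's own comment further down notes such settings are non-replicated), I would add a task that applies the same LDIF on every master, following the existing `Grant access to replication status` pattern, e.g. `command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }} -f /root/ldif/replica-install.ldif`, guarded by a lookup of the current value so it stays idempotent and reports changes honestly. The `ipa-replica-install` task that contains this hunk starts before the hunk.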
@@ -158,6 +183,7 @@
 --log-file=/var/log/ipainstall.log
 --domain={{ipa_realm}}
 --server=ipa01{{ env_suffix }}.iad2.fedoraproject.org
+ --dirsrv-config-file=/root/ldif/replica-install.ldif
 creates=/etc/ipa/default.conf
 when: ansible_distribution_major_version|int >= 8
 when: not ipa_initial and not replication_status.stat.exists
@@ -608,22 +634,6 @@
 - config
-- name: Create LDIF directory
- file: path=/root/ldif state=directory owner=root group=root mode=0750
- tags:
- - ipa/server
- - config
-
-- name: Copy LDIF files
- copy: src={{item}} dest=/root/ldif/{{item}}
- with_items:
- - grant_anonymous_replication_view.ldif
- - grant_fas_sync.ldif
- - use_id_fp_o.ldif
- tags:
- - ipa/server
- - config
-
 # This is a special one, in that it needs to apply on each master since it's non-replicated.
 - name: Grant access to replication status
 command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }}