Pierangelo Masarati wrote:
I'm facing the problem of having too many threads operating on
the same
privileged connections in back-ldap/back-meta, which seems to cause poor
scalability. This mainly occurs because we want all operations to be
performed as a privileged identity with proxyAuthz. For this purpose I
plan to move privileged connections out of the connection AVL tree into
ldapinfo_t, so that we save a search in the tree, and keep multiple
instances of privileged connections in a LDAP_TAILQ structure of fixed
maximum length to use them round-robin. Each type of privileged
connection uses a dedicated list, so in our case we basically keep two
lists: one for the privileged user and one for binds, which are now
serialized into one privileged connection since all subsequent
operations use proxyAuthz. A prototype is being tested, which doesn't
work too bad (scalability did not dramatically improve yet, so there
might be other bottlenecks, but at least some repeatable transient hangs
disappeared). Comments?
Sounds like that will work well. If the target server is an OpenLDAP
server, it will limit the number of concurrently executing ops on a
connection, which would definitely create a bottleneck using just one
privileged connection. Likewise, distributing requests across multiple
connections will reduce mutex contention in libldap_r, so that should
also be a win.
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc
OpenLDAP Core Team
http://www.openldap.org/project/