performance tuning
by Jason Peters
I am testing an OpenLDAP server with 3000 fake 'people' entries, but it
does not perform as well as I would expect. I have added some tweaks
based on my research of the documentation. Is there anything I am
missing here? Is there any way to further tune this setup?
I have written a script to test the directory. It is written in
PHP using the standard LDAP libraries. Both the script, and the
LDAP server are running on the same box. The script is
calling the server via the public interface (not the loopback) using
standard port 80. It basically does a search on a matching query.
The search query was "sn=BE*". Below is the info for my setup:
Linux Debian etch system
OpenLDAP version:
# /usr/sbin/slapd -V
@(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 05:43:02) $
Here are my additions to the slapd.conf file (other than these, the file
is essentially like the default):
. . . .
TLSCipherSuite HIGH
TLSCACertificateFile /etc/ldap/demoCA/cacert.pem
TLSCertificateFile /etc/ldap/newcert.pem
TLSCertificateKeyFile /etc/ldap/newreq.pem
TLS_REQCERT never
###############################################
# Performance tweaks added by me -JLP
index sn subinitial
cachesize 100000
dbcachesize 1000000
# Tells openldap how many threads to use
# more does not necessarily mean better performance unless you have multiple cpus
threads 8
# Tells slapd to close connections that have been idle for 30 seconds or more.
idletimeout 30
# Tells slapd to store the 20,000 most used IDL's frequented when accessing entries in memory.
idlcachesize 20000
EOF
tia,
Jason
15 years
Windows OpenLDAP (slapd) startup error
by S James S Stapleton
I'm trying to look up this error, but can't find what it means. I'm using
Windows, and this is the error I find in the Windows logs:
The description for Event ID ( 1281 ) in Source ( openldap-slapd ) cannot be
found. The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be
able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event: The
event log file is corrupt..
When I try to start the service, I specifically get:
Windows could not start the OpenLDAP Directory Service on Local Computer.
For more information, review the System Event log. If this is a
non-Microsoft service, contact the service vendor, and refer to
service-specific error code 19.
I am using the default slapd.conf and ldap.conf files.
I received the LDAP schema from the original server that this is to be a
pass-through for. The schema is in a set (read: horde) of plain text LDIF
files from a Sun Directory Service server, and I suspect, given what I have
seen on Google, there is an incompatibility in these files. I was wondering
if anyone had any ideas for me on how to narrow down the location of the
error in the horde of files?
Any suggestions?
Thank you,
-Jim Stapleton
15 years
Lock is no longer valid / deferring operation
by Toby Blake
Hi all,
For largely historical reasons we run slapd servers on most clients
(this will probably change in the future - I'm just giving this
information as background). We're seeing problems when some of these
machines are busy, particularly, it seems, with memory intensive
activity, although it's hard to substantiate as I generally only see
the machines after they've broken. It's annoying as I can't reproduce
these problems.
We see quite a few problems with slapd getting into a state where it's
deferring operations, for whatever reason - I think I understand these
- these are when slapd basically says sorry, I'm too busy doing X, so
I'll defer Y until I have time. Is this accurate?
The second case I'm also seeing is bdb complaining about locks being
no longer valid, e.g.
slapd[3780]: bdb(dc=inf,dc=ed,dc=ac,dc=uk): DB_LOCK->lock_put: Lock is no longer valid
slapd seems to keep going for the time being until getting into a
state where it defers all binding operations and goes into some kind
of spin where it sits at 99% cpu and has to be killed with a -9.
I suppose I have a couple of questions about the "Lock is no longer
valid" error....
- What causes it?
- Is it something I can prevent by configuration changes (for
instance, would increasing the numbers of locks, lockers and objects
help?)
We're running openldap 2.3.35 with ITS#4924 and ITS#4925 patches with
a bdb backend running 4.2.52 with all 6 recommended patches.
The only DBCONFIG settings we currently have are:
dbconfig set_cachesize 0 67108864 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
Thanks in advance
Toby Blake
School of Informatics
University of Edinburgh
15 years
Challenge With Access Control
by Brian Gaber
Hope someone can explain this to me. I am sure it is very trivial. I
have a primary LDAP server (10.16.13.84), a replica LDAP server
(10.16.13.85) and a few clients all with a 10.16.13.x address.
Here is the access control I thought would work:
access to *
by self write
by peername=10.16.13.84 write
by peername=10.16.13.81 read
by peername=10.16.13.82 read
by peername=10.16.13.83 read
by peername=10.16.13.85 read
by peername=10.16.13.86 read
Here is what does work:
access to *
by self write
by peername.ip=10.16.13.84 write
by * read
By work I mean that when I am on the replica (10.16.13.85) and
issue an ldapsearch to itself I get a 32 no such object with the top
access, but I get the expected result with the bottom access.
Brian Gaber
15 years
Sync Cached BDB data
by Arunachalam Parthasarathy
Hello,
Is it possible to sync the cached bdb data to disk at regular intervals?
Does OpenLDAP use the Db::Sync API for this?
Please answer me in this regard
Thanks in advance,
Arunachalam.
15 years
Problem with mysql backend
by Manuel Rodríguez Salgado
Hi,
I have installed OpenLDAP with the MySQL backend.
It works OK when my database uses numeric keys in the table, but it does not work
when I use string keys.
Can I solve it?
thanks
15 years
Re: Lock is no longer valid / deferring operation
by Gabriel Stein
And about your DBCONFIG? Is everything ok?
Cheers.
On 7/4/07, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
>
> --On Wednesday, July 04, 2007 8:40 PM +0100 Gavin Henry
> <ghenry(a)suretecsystems.com> wrote:
>
> >> We're running openldap 2.3.35 with ITS#4924 and ITS#4925 patches with
> >> a bdb backend running 4.2.52 with all 6 recommended patches.
> >
> > I hope you mean 5, as there are only 5 listed on the Oracle site.
>
> There are 6 recommended patches to BDB 4.2.52, 5 of which come from the
> Oracle site.
>
> --Quanah
>
>
> --
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
/\
Gabriel Stein
gabrielstein(a)gmail.com
MSN: gabrielstein(a)hotmail.com
Network Administrator
Linux User #223750
51-92796310
Porto Alegre - RS - Brasil
15 years
cmusaslsecretPLAIN attribute
by John Burian
I'm running RedHat EL 5 with stock RPMs for OpenLDAP, Cyrus SASL and
OpenSSL:
OpenLDAP 2.3.27
Cyrus-SASL 2.1.22
OpenSSL 0.9.8b
I've created a CA on the server, used that to sign a cert, and put the
appropriate entries in slapd.conf (to use the cert) and in ldap.conf (to
trust the CA). If I run 'ldapwhoami':
$ ldapwhoami
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: Password
verification failed
and in the logs (appended below) I see text about an undefined attribute
type 'cmusaslsecretPLAIN'. I've looked around for that string, and all
the fixes I've seen seem to want to patch Cyrus-SASL. I'd like to stick
with Red Hat's stock RPMs, if possible. Is there a CMU specific schema I
need to include, that defines that attribute? I'd also like to keep my
auth information in LDAP, rather than have a separate SASL password
database. My understanding is that the PLAIN authentication will be
secured by the underlying SASL/TLS transport, is that correct? Thanks,
John
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_get: [1] attr userPassword
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: to all values by "", (=0)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: self
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: *
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access granted by auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: conn=5 op=1 p=3
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: err=0 matched="" text=""
Jul 3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password verification failed
15 years
No such object error after converting from 2.0.27 to 2.3.32
by Brian Gaber
Took the slapcat output from version 2.0.27 (ldbm) to version 2.3.32
(bdb). Used /usr/local/bin/slapadd on 2.3.32 and am using Berkeley
4.5.20. The slapadd works fine. Then I issued chown ldap:ldap on the
/var/lib/ldap-2.3.32 directory and files. Any type of ldapsearch results
in a 32 no such object. The identical ldapsearch on the old ldap works
fine.
Search:
/usr/local/bin/ldapsearch -h 10.16.13.85 -x -b o=pwgsc -s sub uid=gaberb
Slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/fw1ng.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
allow bind_v2
#loglevel 296
sizelimit 500000
access to *
by self write
by peername=10.16.13.84 write
by peername=10.16.13.81 read
by peername=10.16.13.82 read
by peername=10.16.13.83 read
by peername=10.16.13.85 read
by peername=10.16.13.86 read
database bdb
suffix "o=pwgsc"
rootdn "cn=admin,o=pwgsc"
rootpw {CRYPT}iWkhys7q1iVpM
directory /var/lib/ldap-2.3.32
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Master from which we should accept changes
updatedn "cn=admin,o=pwgsc"
updateref ldap://10.16.13.84
Log:
do_bind: v3 anonymous bind
daemon: activity on 1 descriptor
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 2d 02 01 02 63 28 04 0-...c(.
ldap_read: want=39, got=39
0000: 07 6f 3d 70 77 67 73 63 0a 01 02 0a 01 00 02 01 .o=pwgsc........
0010: 00 02 01 00 01 01 00 a3 0c 04 03 75 69 64 04 05 ...........uid..
0020: 66 61 74 61 6d 30 00 fatam0.
ber_get_next: tag 0x30 len 45 contents:
ber_dump: buf=0x081ff3d8 ptr=0x081ff3d8 end=0x081ff405 len=45
0000: 02 01 02 63 28 04 07 6f 3d 70 77 67 73 63 0a 01 ...c(..o=pwgsc..
0010: 02 0a 01 00 02 01 00 02 01 00 01 01 00 a3 0c 04 ................
0020: 03 75 69 64 04 05 66 61 74 61 6d 30 00 .uid..fatam0.
ber_get_next
do_search
ber_scanf fmt ({miiiib) ber:
ldap_read: want=8 error=Resource temporarily unavailable
ber_dump: buf=0x081ff3d8 ptr=0x081ff3db end=0x081ff405 len=42
0000: 63 28 04 07 6f 3d 70 77 67 73 63 0a 01 02 0a 01 c(..o=pwgsc.....
0010: 00 02 01 00 02 01 00 01 01 00 a3 0c 04 03 75 69 ..............ui
0020: 64 04 05 66 61 74 61 6d 30 00 d..fatam0.
daemon: select: listen=6 active_threads=0 tvp=NULL
>>> dnPrettyNormal: <o=pwgsc>
=> ldap_bv2dn(o=pwgsc,0)
<= ldap_bv2dn(o=pwgsc)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(o=pwgsc)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(o=pwgsc)=0
<<< dnPrettyNormal: <o=pwgsc>, <o=pwgsc>
SRCH "o=pwgsc" 2 0 0 0 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
ber_dump: buf=0x081ff3d8 ptr=0x081ff3f5 end=0x081ff405 len=16
0000: a3 0c 04 03 75 69 64 04 05 66 61 74 61 6d 30 00 ....uid..fatam0.
end get_filter 0
filter: (uid=fatam)
ber_scanf fmt ({M}}) ber:
ber_dump: buf=0x081ff3d8 ptr=0x081ff403 end=0x081ff405 len=2
0000: 00 00 ..
attrs:
==> limits_get: conn=0 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("o=pwgsc")
=> bdb_dn2id("o=pwgsc")
<= bdb_dn2id: got id=0x00000001
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=32 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=32
ber_flush: 14 bytes to sd 10
0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e.......
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e.......
daemon: activity on 1 descriptor
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 03 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x082008e0 ptr=0x082008e0 end=0x082008e5 len=5
0000: 02 01 03 42 00 ...B.
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
do_unbind
connection_close: deferring conn=0 sd=10
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
connection_resched: attempting closing conn=0 sd=10
daemon: select: listen=6 active_threads=0 tvp=NULL
connection_close: conn=0 sd=10
daemon: removing 10
daemon: shutdown requested and initiated.
daemon: closing 6
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.
15 years
index_param failed
by JOYDEEP
Dear list,
From the log I am getting errors like these:
======================
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (uidNumber) index_param failed (18)
<= bdb_equality_candidates: (memberUid) index_param failed (18)
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (uid) index_param failed (18)
<= bdb_equality_candidates: (uid) index_param failed (18)
==================================
Could anyone tell me the possible reason behind it and how
to fix it?
thanks
15 years
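As an added example (not from any of the posts above), a small Python triage script that classifies the slapd syslog messages quoted in Toby Blake's and JOYDEEP's posts, plus the str2ad line from John Burian's, so recurring lock, deferral and index messages can be counted per host before a server reaches the stuck state Toby describes. The sample log, host names and PIDs are constructed, and the wording of the "deferring operation" line is assumed from slapd's connection_input message rather than taken from the page.

```python
import re
from collections import Counter

# Constructed sample: host names, PIDs and timestamps are placeholders; the
# message bodies follow the lines quoted in the posts above, and the
# "deferring operation" line follows slapd's connection_input wording.
SAMPLE_LOG = """\
Jul  4 20:40:01 host1 slapd[3780]: bdb(dc=inf,dc=ed,dc=ac,dc=uk): DB_LOCK->lock_put: Lock is no longer valid
Jul  4 20:40:02 host1 slapd[3780]: connection_input: conn=12 deferring operation: binding
Jul  3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul  5 09:12:00 host2 slapd[2210]: <= bdb_equality_candidates: (uid) index_param failed (18)
Jul  5 09:12:00 host2 slapd[2210]: <= bdb_equality_candidates: (uidNumber) index_param failed (18)
Jul  5 09:12:01 host2 slapd[2210]: <= bdb_equality_candidates: (uid) index_param failed (18)
"""
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Message classes seen in the posts, with the fields worth pulling out of each.
PATTERNS = {
    "bdb_lock_invalid": re.compile(r"DB_LOCK->lock_put: Lock is no longer valid"),
    "deferred_op": re.compile(r"deferring operation: (?P<reason>.+)$"),
    "index_param_failed": re.compile(r"bdb_\w+_candidates: \((?P<attr>[^)]+)\) index_param failed \((?P<rc>\d+)\)"),
    "undefined_attr": re.compile(r"str2ad\((?P<attr>[^)]+)\): attribute type undefined"),
}
LDAP_RC = {18: "inappropriateMatching"}  # RFC 4511 name for the rc in index_param lines

def parse_line(line):
    """Split one syslog line into ts/host/pid/msg and tag it with a message class."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = dict(m.groupdict(), kind="other")
    for kind, pat in PATTERNS.items():
        pm = pat.search(rec["msg"])
        if pm:
            rec.update(pm.groupdict(), kind=kind)
            break
    return rec

def triage(text):
    """Per-class counts, plus (host, kind, detail) counts for every classified line."""
    counts, detail = Counter(), Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        counts[rec["kind"]] += 1
        if rec["kind"] == "other":
            continue
        what = rec.get("reason") or rec.get("attr") or ""
        if "rc" in rec:  # index_param lines carry an LDAP result code
            what += " rc=%s" % LDAP_RC.get(int(rec["rc"]), rec["rc"])
        detail[(rec["host"], rec["kind"], what)] += 1
    return counts, detail
```

Feed it a real /var/log/syslog slice with `triage(open(path).read())`; a host that shows up under bdb_lock_invalid together with a rising deferred_op count is the pattern Toby describes before the 99% CPU spin.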