slow ldapsearch when binddn is not root - openldap-software

24 Apr 2008


      Hi list!
My master ldapserver is a FreeBSD 6.2-STABLE running OpenLDAP 2.3.38
the directory have ~ 5000 entries that are users from samba and qmail.
I experiencing a strange behavior with the search response time, here
are two searches, one done with root dn and another with a user dn.
# time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br  -W -x > /dev/null
Enter LDAP Password:
  101.71s real     0.59s user     0.11s system
# time ldapsearch -D cn=root,dc=tempopar,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br  -W -x > /dev/null
Enter LDAP Password:
    3.13s real     0.53s user     0.08s system
Follow my slapd.conf:
#####################
# slapd.conf start
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/qmail.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
#loglevel       any
#loglevel       160
sizelimit       unlimited
# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_hdb
moduleload      back_monitor
moduleload      smbk5pwd.so
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
limits dn.exact="cn=replicator,dc=mydomain,dc=com,dc=br"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited
#limits dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited
access to attrs=sambaLogonTime
        by dn.exact="cn=logintimeupdator,dc=mydomain,dc=com,dc=br" write
        by * read
access to *
    by dn.exact="cn=replicator,dc=mydomain,dc=com,dc=br" read
    by dn.exact="cn=qmail-ldap,dc=mydomain,dc=com,dc=br" read
    by * none break
access to attrs=userPassword
        by self write
        by group.exact="cn=Sysadmins,dc=mydomain,dc=com,dc=br" write
        by * auth
access to attrs=shadowLastChange
        by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
        by self write
        by * read
access to dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"
        by  dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
        by  * read
access to dn.regex="^(.*,)?ou=Domains,dc=mydomain,dc=com,dc=br$"
        by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
        by * read
access to dn.regex="^(.*,)?ou=Idmap,dc=mydomain,dc=com,dc=br$"
        by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
        by * read
access to dn.regex="^(.*,)?ou=Users,dc=mydomain,dc=com,dc=br$"
        by  group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
        by self write
        by  * read
access to dn.regex="^(.*,)?ou=Groups,dc=mydomain,dc=com,dc=br$"
        by  group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
        by self write
        by  * read
access to dn.regex="^(.*,)?cn=SysAdmins,dc=mydomain,dc=com,dc=br$"
        by  group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
#access to dn.regex="^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$"
#access to dn.regex="^(.+,)?ou=Users,dc=mydomain,dc=com,dc=br$"
#       by  group.exact="cn=SysAdmins,ou=Groups,dc=mydomain,dc=com,dc=br" write
#       by  * read
access to *
        by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
        by anonymous auth
        by * read
#######################################################################
#
# database definitions
#
#######################################################################
#
# access log
#
database hdb
suffix cn=log
cachesize       10000
checkpoint      128 5
rootdn          "cn=root,dc=mydomain,dc=com,dc=br"
directory       "/var/db/openldap/cn=log/data"
index reqStart eq
index reqDN    pres,eq
index reqAuthzID    pres,eq
#
# dc=mydomain,dc=com,dc=br
#
database        hdb
suffix          "dc=mydomain,dc=com,dc=br"
cachesize       10000
checkpoint      128 5
rootdn          "cn=root,dc=mydomain,dc=com,dc=br"
directory       /var/db/openldap/dc=mydomain/data
#
# Overlays
#
overlay smbk5pwd
smbk5pwd-enable samba
overlay accesslog
logdb cn=log
logops writes
logold (objectClass=posixAccount)
logpurge 30+00:00 1+00:00
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 200
# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
index entryCSN,entryUUID    eq
index mailAlternateAddress  pres,eq
index mail                  pres,eq
database monitor
#
# slapd.conf end
#####################
Can my acl slowing the search too much ?? How can I improve then ?
Any help is very appreciated
Best Regards,
Alexandre