6:48 a.m.
Hi list!
My master ldapserver is a FreeBSD 6.2-STABLE running OpenLDAP 2.3.38
the directory have ~ 5000 entries that are users from samba and qmail.
I experiencing a strange behavior with the search response time, here
are two searches, one done with root dn and another with a user dn.
# time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Enter LDAP Password:
101.71s real 0.59s user 0.11s system
# time ldapsearch -D cn=root,dc=tempopar,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Enter LDAP Password:
3.13s real 0.53s user 0.08s system
Follow my slapd.conf:
#####################
# slapd.conf start
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/qmail.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#loglevel any
#loglevel 160
sizelimit unlimited
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_hdb
moduleload back_monitor
moduleload smbk5pwd.so
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
limits dn.exact="cn=replicator,dc=mydomain,dc=com,dc=br"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited
#limits dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited
access to attrs=sambaLogonTime
by dn.exact="cn=logintimeupdator,dc=mydomain,dc=com,dc=br" write
by * read
access to *
by dn.exact="cn=replicator,dc=mydomain,dc=com,dc=br" read
by dn.exact="cn=qmail-ldap,dc=mydomain,dc=com,dc=br" read
by * none break
access to attrs=userPassword
by self write
by group.exact="cn=Sysadmins,dc=mydomain,dc=com,dc=br" write
by * auth
access to attrs=shadowLastChange
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
by self write
by * read
access to dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"
by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
by * read
access to dn.regex="^(.*,)?ou=Domains,dc=mydomain,dc=com,dc=br$"
by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
by * read
access to dn.regex="^(.*,)?ou=Idmap,dc=mydomain,dc=com,dc=br$"
by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
by * read
access to dn.regex="^(.*,)?ou=Users,dc=mydomain,dc=com,dc=br$"
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
by self write
by * read
access to dn.regex="^(.*,)?ou=Groups,dc=mydomain,dc=com,dc=br$"
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
by self write
by * read
access to dn.regex="^(.*,)?cn=SysAdmins,dc=mydomain,dc=com,dc=br$"
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
#access to
dn.regex="^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$"
#access to dn.regex="^(.+,)?ou=Users,dc=mydomain,dc=com,dc=br$"
# by group.exact="cn=SysAdmins,ou=Groups,dc=mydomain,dc=com,dc=br" write
# by * read
access to *
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
by anonymous auth
by * read
#######################################################################
#
# database definitions
#
#######################################################################
#
# access log
#
database hdb
suffix cn=log
cachesize 10000
checkpoint 128 5
rootdn "cn=root,dc=mydomain,dc=com,dc=br"
directory "/var/db/openldap/cn=log/data"
index reqStart eq
index reqDN pres,eq
index reqAuthzID pres,eq
#
# dc=mydomain,dc=com,dc=br
#
database hdb
suffix "dc=mydomain,dc=com,dc=br"
cachesize 10000
checkpoint 128 5
rootdn "cn=root,dc=mydomain,dc=com,dc=br"
directory /var/db/openldap/dc=mydomain/data
#
# Overlays
#
overlay smbk5pwd
smbk5pwd-enable samba
overlay accesslog
logdb cn=log
logops writes
logold (objectClass=posixAccount)
logpurge 30+00:00 1+00:00
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 200
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index entryCSN,entryUUID eq
index mailAlternateAddress pres,eq
index mail pres,eq
database monitor
#
# slapd.conf end
#####################
Can my acl slowing the search too much ?? How can I improve then ?
Any help is very appreciated
Best Regards,
Alexandre
8:33 a.m.
On Thu, 24 Apr 2008, Alexandre Biancalana wrote:
# time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Enter LDAP Password:
101.71s real 0.59s user 0.11s system
# time ldapsearch -D cn=root,dc=tempopar,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Enter LDAP Password:
3.13s real 0.53s user 0.08s system
Well, first off, are you always doing user first then root second? Is this
reproducible, repeatedly, regardless of direction? (Rule out cache
priming.)
[config'd with a lot of]
access to
dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"
This is what I think your real issue is: you have a ton of regex ACLs, and
I'm guessing you're linked against an inefficient regex library.
I'm not sure exactly what you're doing, but give some thought to:
access to dn.subtree="ou=Computers,dc=mydomain,dc=com,dc=br"
perhaps?
10:14 a.m.
On 4/24/08, Aaron Richton <richton(a)nbcs.rutgers.edu> wrote:
On Thu, 24 Apr 2008, Alexandre Biancalana wrote:
> # time ldapsearch -D
uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b
> ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
> Enter LDAP Password:
> 101.71s real 0.59s user 0.11s system
>
> # time ldapsearch -D cn=root,dc=tempopar,dc=com,dc=br -b
> ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
> Enter LDAP Password:
> 3.13s real 0.53s user 0.08s system
>
Well, first off, are you always doing user first then root second? Is this
reproducible, repeatedly, regardless of direction? (Rule out cache priming.)
[config'd with a lot of]
> access to
dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"
>
This is what I think your real issue is: you have a ton of regex ACLs, and
I'm guessing you're linked against an inefficient regex library.
I'm not sure exactly what you're doing, but give some thought to:
access to
dn.subtree="ou=Computers,dc=mydomain,dc=com,dc=br"
perhaps?
Hi Aaron !
I change all dn.regex, to dn.subtree and the slowness go away...
Look this:
# date;time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br
-b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/nul >
Thu Apr 24 14:07:00 BRT 2008
Enter LDAP Password:
3.85s real 0.64s user 0.07s system
# date;time ldapsearch -D cn=root,dc=mydomain,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Thu Apr 24 14:07:08 BRT 2008
Enter LDAP Password:
5.00s real 0.56s user 0.07s system
# date;time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br
-b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/nul >
Thu Apr 24 14:07:17 BRT 2008
Enter LDAP Password:
6.10s real 0.58s user 0.04s system
# date;time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br
-b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/nul >
Thu Apr 24 14:07:25 BRT 2008
Enter LDAP Password:
3.25s real 0.57s user 0.07s system
# date;time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br
-b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/nul >
Thu Apr 24 14:07:30 BRT 2008
Enter LDAP Password:
3.03s real 0.56s user 0.07s system
# date;time ldapsearch -D cn=root,dc=mydomain,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Thu Apr 24 14:07:35 BRT 2008
Enter LDAP Password:
2.95s real 0.55s user 0.06s system
Thank you for the hint!
Regards,
Alexandre
1:13 a.m.
New subject: DSML and SPML functionality in javaldap
hi ,
I want to know how javaldap SPML and DSML functionality are used .
Incase if they are not used we can move away from them in the next release .Want to
know your opinion .
Any suggestions and ideas to move the product ahead are welcome .
regards
Arpit
6:20 p.m.
New subject: DSML and SPML functionality in javaldap
Rastogi Arpit wrote:
I want to know how javaldap SPML and DSML functionality are used
.
Incase if they are not used we can move away from them in the next
release .Want to know your opinion .
I use com.novell.ldap.util.DSMLWriter to express entries as DSML (v1). I
don't see an argument to deprecate that class unless the functionality
is replaced; it seems more natural to collect implementations of
interfaces LDAPWriter and LDAPReader rather than discard functional ones.
Otherwise that's it. I never had an interest in SPML.
Any suggestions and ideas to move the product ahead are welcome .
The most squirrelly bugs I recall had to do with the connection pool
class. I find connection pools to be of great utility, and think the
package would benefit from a robust class here. The Novell
implementation is more sophisticated than the Netscape/Sun/Mozilla
strain. That's a good thing so long as it's still thoroughly reliable.
Jon Roberts
www.mentata.com
5695
days inactive
5700
days old
openldap-software@openldap.org
4 comments
4 participants
participants (4)
-
Aaron Richton -
Alexandre Biancalana -
Jon Roberts -
Rastogi Arpit