Hi list!
My master LDAP server is a FreeBSD 6.2-STABLE box running OpenLDAP 2.3.38; the directory has ~5000 entries that are users from Samba and qmail.
I am experiencing strange behavior with the search response time. Here are two searches, one done with the root DN and another with a user DN:
# time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Enter LDAP Password:
101.71s real 0.59s user 0.11s system

# time ldapsearch -D cn=root,dc=tempopar,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Enter LDAP Password:
3.13s real 0.53s user 0.08s system
Here is my slapd.conf:
#####################
# slapd.conf start #

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/qmail.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#loglevel any
#loglevel 160

sizelimit unlimited

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_hdb
moduleload back_monitor
moduleload smbk5pwd.so

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
limits dn.exact="cn=replicator,dc=mydomain,dc=com,dc=br" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
#limits dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

access to attrs=sambaLogonTime
        by dn.exact="cn=logintimeupdator,dc=mydomain,dc=com,dc=br" write
        by * read

access to *
        by dn.exact="cn=replicator,dc=mydomain,dc=com,dc=br" read
        by dn.exact="cn=qmail-ldap,dc=mydomain,dc=com,dc=br" read
        by * none break

access to attrs=userPassword
        by self write
        by group.exact="cn=Sysadmins,dc=mydomain,dc=com,dc=br" write
        by * auth

access to attrs=shadowLastChange
        by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
        by self write
        by * read

access to dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"
        by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
        by * read

access to dn.regex="^(.*,)?ou=Domains,dc=mydomain,dc=com,dc=br$"
        by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
        by * read

access to dn.regex="^(.*,)?ou=Idmap,dc=mydomain,dc=com,dc=br$"
        by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
        by * read

access to dn.regex="^(.*,)?ou=Users,dc=mydomain,dc=com,dc=br$"
        by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
        by self write
        by * read

access to dn.regex="^(.*,)?ou=Groups,dc=mydomain,dc=com,dc=br$"
        by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
        by self write
        by * read

access to dn.regex="^(.*,)?cn=SysAdmins,dc=mydomain,dc=com,dc=br$"
        by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write

#access to dn.regex="^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$"
#access to dn.regex="^(.+,)?ou=Users,dc=mydomain,dc=com,dc=br$"
#        by group.exact="cn=SysAdmins,ou=Groups,dc=mydomain,dc=com,dc=br" write
#        by * read

access to *
        by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
        by anonymous auth
        by * read

#######################################################################
#
# database definitions
#
#######################################################################

#
# access log
#
database hdb
suffix cn=log
cachesize 10000
checkpoint 128 5
rootdn "cn=root,dc=mydomain,dc=com,dc=br"
directory "/var/db/openldap/cn=log/data"
index reqStart eq
index reqDN pres,eq
index reqAuthzID pres,eq

#
# dc=mydomain,dc=com,dc=br
#
database hdb
suffix "dc=mydomain,dc=com,dc=br"
cachesize 10000
checkpoint 128 5
rootdn "cn=root,dc=mydomain,dc=com,dc=br"
directory /var/db/openldap/dc=mydomain/data

#
# Overlays
#
overlay smbk5pwd
smbk5pwd-enable samba

overlay accesslog
logdb cn=log
logops writes
logold (objectClass=posixAccount)
logpurge 30+00:00 1+00:00

overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 200

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index entryCSN,entryUUID eq
index mailAlternateAddress pres,eq
index mail pres,eq

database monitor

#
# slapd.conf end
#####################
Can my ACLs be slowing the search this much? How can I improve them?
Any help is much appreciated.
Best Regards, Alexandre
On Thu, 24 Apr 2008, Alexandre Biancalana wrote:
> # time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
> Enter LDAP Password:
> 101.71s real 0.59s user 0.11s system
>
> # time ldapsearch -D cn=root,dc=tempopar,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
> Enter LDAP Password:
> 3.13s real 0.53s user 0.08s system
Well, first off, are you always doing user first then root second? Is this reproducible, repeatedly, regardless of direction? (Rule out cache priming.)
[config'd with a lot of]
> access to dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"
This is what I think your real issue is: you have a ton of regex ACLs, and I'm guessing you're linked against an inefficient regex library.
I'm not sure exactly what you're doing, but give some thought to:
access to dn.subtree="ou=Computers,dc=mydomain,dc=com,dc=br"
perhaps?
On 4/24/08, Aaron Richton richton@nbcs.rutgers.edu wrote:
> On Thu, 24 Apr 2008, Alexandre Biancalana wrote:
>
> > # time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
> > Enter LDAP Password:
> > 101.71s real 0.59s user 0.11s system
> >
> > # time ldapsearch -D cn=root,dc=tempopar,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
> > Enter LDAP Password:
> > 3.13s real 0.53s user 0.08s system
>
> Well, first off, are you always doing user first then root second? Is this reproducible, repeatedly, regardless of direction? (Rule out cache priming.)
>
> [config'd with a lot of]
> > access to dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"
>
> This is what I think your real issue is: you have a ton of regex ACLs, and I'm guessing you're linked against an inefficient regex library.
>
> I'm not sure exactly what you're doing, but give some thought to:
>
> access to dn.subtree="ou=Computers,dc=mydomain,dc=com,dc=br"
>
> perhaps?
Hi Aaron !
I changed all dn.regex to dn.subtree and the slowness went away...
Look at this:
# date; time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Thu Apr 24 14:07:00 BRT 2008
Enter LDAP Password:
3.85s real 0.64s user 0.07s system

# date; time ldapsearch -D cn=root,dc=mydomain,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Thu Apr 24 14:07:08 BRT 2008
Enter LDAP Password:
5.00s real 0.56s user 0.07s system

# date; time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Thu Apr 24 14:07:17 BRT 2008
Enter LDAP Password:
6.10s real 0.58s user 0.04s system

# date; time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Thu Apr 24 14:07:25 BRT 2008
Enter LDAP Password:
3.25s real 0.57s user 0.07s system

# date; time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Thu Apr 24 14:07:30 BRT 2008
Enter LDAP Password:
3.03s real 0.56s user 0.07s system

# date; time ldapsearch -D cn=root,dc=mydomain,dc=com,dc=br -b ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Thu Apr 24 14:07:35 BRT 2008
Enter LDAP Password:
2.95s real 0.55s user 0.06s system
Thank you for the hint!
Regards, Alexandre
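The rewrite Aaron suggests and Alexandre applied, as an added example that is not part of the thread or of OpenLDAP itself: a small Python script that converts only the subtree-shaped dn.regex clauses (the ^(.*,)?<literal DN>$ form used throughout the posted slapd.conf) into dn.subtree, leaves every other dn.regex untouched and reports it for manual review (a pattern with capture groups or a non-literal base may be relied on by its "by" clauses, so blindly rewriting it could widen or narrow who the ACL applies to), and checks on a handful of constructed DNs that the two selectors pick exactly the same entries, base entry included. The sample slapd.conf fragment, the base DN and the test DNs are constructed from the configuration quoted above; the equivalence check assumes DNs that are already normalized (no spaces after commas, consistent case), because it does plain string comparison and no DN normalization of its own.

```python
"""Rewrite subtree-shaped dn.regex ACL clauses in a slapd.conf to dn.subtree.

Only the shape ^(.*,)?<literal DN>$ (or ^(.+,)?<literal DN>$) is rewritten:
it selects the base entry itself plus every entry beneath it, which is the
same set that dn.subtree="<literal DN>" selects. Every other dn.regex
(capture groups, alternations, non-literal bases) is left untouched and
reported, since rewriting it could change who the ACL applies to.
"""
import re
from typing import List, Tuple

# Constructed sample input, shaped like the slapd.conf quoted in the thread.
SAMPLE_CONF = """\
access to dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"
        by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
        by * read
access to dn.regex="^(.+,)?ou=Users,dc=mydomain,dc=com,dc=br$"
        by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
        by self write
        by * read
# Uses a capture group, so it is not a plain subtree test: report, don't touch
access to dn.regex="^uid=([^,]+),ou=Users,dc=mydomain,dc=com,dc=br$"
        by self write
        by * read
access to attrs=userPassword
        by self write
        by * auth
"""

# ^(.*,)?BASE$  /  ^(.+,)?BASE$  with BASE captured for a literal-DN check
SUBTREE_SHAPE = re.compile(
    r'^(?P<lead>\s*access\s+to\s+)dn\.regex="\^\(\.[*+],\)\?(?P<base>[^"]+)\$"(?P<rest>.*)$'
)
REGEX_META = set('.*+?()[]{}|\\^$')


def is_literal_dn(base: str) -> bool:
    """True when the captured base contains no regex metacharacters,
    i.e. the pattern really was a literal DN behind a subtree prefix."""
    return not (REGEX_META & set(base))


def rewrite_acl_line(line: str) -> Tuple[str, bool]:
    """Return (line, converted?). Only subtree-shaped dn.regex lines change."""
    m = SUBTREE_SHAPE.match(line)
    if not m or not is_literal_dn(m.group("base")):
        return line, False
    return f'{m.group("lead")}dn.subtree="{m.group("base")}"{m.group("rest")}', True


def convert_conf(text: str) -> Tuple[str, List[str]]:
    """Rewrite every convertible access line. Returns the new text and the
    list of dn.regex lines that were NOT converted and need a human look."""
    out, unconverted = [], []
    for line in text.splitlines():
        new, done = rewrite_acl_line(line)
        out.append(new)
        if not done and "dn.regex=" in line and not line.lstrip().startswith("#"):
            unconverted.append(line.strip())
    return "\n".join(out) + "\n", unconverted


# --- Why the rewrite is safe: both selectors pick the same entries ----------

def subtree_match(base: str, dn: str) -> bool:
    """What dn.subtree selects: the base entry or anything beneath it.
    Plain string test, so DNs must already be normalized (assumption)."""
    return dn == base or dn.endswith("," + base)


def regex_match(base: str, dn: str) -> bool:
    """What the original ^(.*,)?BASE$ pattern selects."""
    return re.match(r"^(.*,)?" + re.escape(base) + r"$", dn) is not None


BASE = "ou=Users,dc=mydomain,dc=com,dc=br"
SAMPLE_DNS = [  # constructed; normalized form (no spaces after commas)
    "ou=Users,dc=mydomain,dc=com,dc=br",                 # the base itself
    "uid=alice,ou=Users,dc=mydomain,dc=com,dc=br",       # one level down
    "cn=x,uid=alice,ou=Users,dc=mydomain,dc=com,dc=br",  # two levels down
    "ou=Groups,dc=mydomain,dc=com,dc=br",                # sibling: no
    "xou=Users,dc=mydomain,dc=com,dc=br",                # lookalike RDN: no
    "uid=alice,ou=Users,dc=other,dc=com,dc=br",          # other suffix: no
    "ou=Users,dc=mydomain,dc=com,dc=br,dc=extra",        # base not a suffix: no
]


def selections_agree(base: str, dns: List[str]) -> bool:
    """True when dn.subtree and the subtree-shaped regex agree on every DN."""
    return all(subtree_match(base, d) == regex_match(base, d) for d in dns)


if __name__ == "__main__":
    new_conf, needs_review = convert_conf(SAMPLE_CONF)
    print(new_conf)
    for line in needs_review:
        print("review by hand:", line)
    print("selectors agree:", selections_agree(BASE, SAMPLE_DNS))
```

Run it against a real slapd.conf by feeding the file's text to convert_conf and diffing the result before swapping it in; the order of the access directives is preserved, which matters because slapd stops at the first "access to" clause that matches the target. Lines the script reports as unconverted are the ones where the regex was doing more than a subtree test and a person has to decide whether dn.subtree, dn.children or dn.onelevel is the right replacement.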
Hi, I want to know how the javaldap SPML and DSML functionality is used. In case they are not used, we can move away from them in the next release. I want to know your opinion.
Any suggestions and ideas to move the product ahead are welcome.
Regards, Arpit
Rastogi Arpit wrote:
> I want to know how the javaldap SPML and DSML functionality is used. In case they are not used, we can move away from them in the next
> release. I want to know your opinion.
I use com.novell.ldap.util.DSMLWriter to express entries as DSML (v1). I don't see an argument to deprecate that class unless the functionality is replaced; it seems more natural to collect implementations of interfaces LDAPWriter and LDAPReader rather than discard functional ones.
Otherwise that's it. I never had an interest in SPML.
> Any suggestions and ideas to move the product ahead are welcome.
The most squirrelly bugs I recall had to do with the connection pool class. I find connection pools to be of great utility, and think the package would benefit from a robust class here. The Novell implementation is more sophisticated than the Netscape/Sun/Mozilla strain. That's a good thing so long as it's still thoroughly reliable.
Jon Roberts www.mentata.com
openldap-software@openldap.org