Hi,
I work in a company that has 140,000 registered users in OpenLDAP. This OpenLDAP is used for authentication of our internal systems. In our group tree we have one entry per system, and below each system there are the authorization groups (system profiles). Each user is made a member of groups according to his position, function and department in the company.
When a user replaces another user higher in the hierarchy, that user is removed from the group he belonged to and added to the group of the higher position.
This movement in the company is very common, and this is the cause of our problems.
We have a group with 50,000 members, and when we need to delete a user from that group or add a new one, OpenLDAP takes up to 6 minutes to complete the operation.
We have a tool (BMC Identity Management, formerly Control-SA) that automates these operations, but because of this delay a backlog of 100,000 insert/delete operations has built up.
I wonder whether there is any way to improve the performance of OpenLDAP for these write operations.
The OpenLDAP version is 2.4.40.
Thanks,
Alessandro Lasmar Mourão
Below is our slapd.conf:
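##############################################
# Global section: everything up to the first "database" line applies to
# every database defined below.
serverID 2
# No idle-connection timeout: idle client connections are never closed by slapd.
idletimeout 0
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ldap.schema
include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# 256 = "stats" (connections/operations/results), the usual production level.
loglevel 256
modulepath /usr/lib/ldap/
moduleload back_mdb
moduleload back_monitor
moduleload memberof
moduleload ppolicy
moduleload syncprov
moduleload refint
moduleload accesslog
sizelimit 250
tool-threads 16
# Keep uniqueMember values stored in sorted order (slapd.conf(5) "sortvals").
# Without it, adding or deleting one value of a multi-valued attribute means a
# linear scan of every existing value (DN-normalised comparisons) to find the
# value or to reject a duplicate; with it the lookup is a binary search. On a
# groupOfUniqueNames with 50,000 uniqueMember values this is the single largest
# per-modify cost that a config change can remove. The on-disk order of the
# values changes, which group semantics do not depend on.
# NOTE(review): confirm on a test copy whether entries loaded before this
# directive was added need a slapcat/slapadd to be re-sorted.
sortvals uniqueMember
password-hash {SSHA}
monitoring true
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercrt.pem
# NOTE(review): the private key lives under /etc/ssl/certs, a directory that is
# conventionally world-readable; make sure the key file itself is readable only
# by the slapd user.
TLSCertificateKeyFile /etc/ssl/certs/serverkey.pem
backend mdb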
# cn=config database (dynamic configuration tree).
database config
monitoring true
rootdn "cn=admin,cn=config"
# NOTE(review): "secret" is presumably a redaction placeholder; the live file
# should carry a hash generated with slappasswd (e.g. {SSHA}...), never the
# cleartext password, and slapd.conf must not be readable by other users.
rootpw secret
# cn=monitor database (back-monitor runtime statistics).
database monitor
monitoring true
rootdn "cn=admin,cn=monitor"
# NOTE(review): same as for cn=config -- use a slappasswd hash here, not the
# cleartext value, if "secret" is not just a placeholder in this posting.
rootpw secret
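# cn=accesslog database: change log written by the accesslog overlay of the
# o=company database and served to delta-syncrepl consumers.
database mdb
suffix "cn=accesslog"
rootdn "cn=admin,cn=accesslog"
# NOTE(review): use a slappasswd hash instead of a cleartext rootpw.
rootpw secret
maxsize 1073741824
monitoring true
directory "/var/lib/ldap/intranet/log"
# Was "index default eq,pres,sub": a substring index on every attribute not
# listed below (including reqMod, which carries the modification values) is
# pure write amplification on a write-only log that no client searches with
# substring filters. Consumers only filter on the eq-indexed attributes below.
index default eq,pres
index entryCSN eq,pres
index objectClass,reqEnd eq,pres
index reqResult,reqStart eq,pres
# NOTE(review): only uid=replication is exempt from size/time limits and
# granted read here, while the o=company database exempts uid=replication01..04
# and this server's own syncrepl binds as uid=replication01. Any peer binding
# as replication0N falls through "by * break" to the implicit "by * none" and
# cannot read the log, which would force a full refresh instead of delta sync.
# Confirm which DN the mirror peer actually binds with and align these two lines.
limits dn.exact="uid=replication,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
overlay syncprov
# nopresent: delta-sync consumers never need a present phase on the log DB.
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
access to *
by dn.base="uid=replication,ou=Users,o=company" read
by * break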
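# o=company database: the user and group tree used for authentication.
database mdb
suffix "o=company"
rootdn "cn=admin,o=company"
# NOTE(review): use a slappasswd hash instead of a cleartext rootpw.
rootpw secret
maxsize 4294967296
monitoring true
overlay ppolicy
ppolicy_use_lockout
# Cleartext passwords arriving in userPassword are hashed with password-hash ({SSHA}).
ppolicy_hash_cleartext
ppolicy_default "cn=default,ou=policy,o=company"
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
# memberof-refint removes memberOf from a user when it leaves a group; the
# refint overlay below removes uniqueMember values that point at a deleted or
# renamed entry. Both are wanted, but note that deleting one user triggers one
# Modify per group that user is in, and each Modify of the 50,000-member group
# pays the full cost of that group's size.
memberof-refint true
overlay refint
refint_attributes uniqueMember
overlay accesslog
logdb "cn=accesslog"
logops writes
logsuccess TRUE
# Purge log entries older than 7 days, checking once a day.
logpurge 07+00:00 01+00:00
limits dn.exact="uid=replication01,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
limits dn.exact="uid=replication02,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
limits dn.exact="uid=replication03,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
limits dn.exact="uid=replication04,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
overlay syncprov
syncprov-checkpoint 1000 20
syncprov-sessionlog 10000
syncrepl rid=100
# The provider URL is plain ldap:// on 389 and no starttls= option is given:
# the simple bind below, its password and every replicated entry (including
# userPassword hashes) cross the network unencrypted. This server already has
# TLS material configured in the global section; once the provider side is
# confirmed to offer TLS with a certificate the CA file validates, enable:
#   starttls=critical
provider=ldap://10.192.184.195:389
searchbase="o=company"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
type=refreshAndPersist
retry="60 +"
scope=sub
schemachecking=on
bindmethod=simple
binddn="uid=replication01,ou=Users,o=company"
# Replication password in cleartext is unavoidable for simple bind; keep this
# file readable only by the slapd user.
credentials=secret
mirrormode true
# Was listed twice; the second line was a duplicate and has been dropped.
directory "/var/lib/ldap/intranet"
index objectClass eq,pres
index uniqueMember,memberof eq,pres
index nu-cpf,nu-cnpj eq,pres
index dt-nascimento pres
index entryUUID,entryCSN eq,pres
index uid,ou,cn,sn,mail eq,pres,sub
# NOTE(review): "default ... sub" gives every attribute not listed above a
# substring index, so every write to a user entry also maintains sub indexes
# on attributes no application searches that way. Replacing it with
# "index default eq,pres" and listing the attributes that are really searched
# with substring filters would reduce write cost; not changed here because the
# application filters are not visible in this posting.
index default,givenname eq,pres,sub
lastmod on
checkpoint 1024 10
access to attrs=userPassword,shadowLastChange
# rootdn bypasses ACLs entirely, so this "by dn=cn=admin" clause is a no-op.
by dn="cn=admin,o=company" write
# NOTE(review): these grant uid=replica01..04, but the limits above and the
# syncrepl binddn use uid=replication01..04. If the mirror peer binds as
# replication0N it hits "by * none" for userPassword and password hashes will
# not replicate. Verify the real account names and make both lists agree.
by dn.exact="uid=replica01,ou=Users,o=company" read
by dn.exact="uid=replica02,ou=Users,o=company" read
by dn.exact="uid=replica03,ou=Users,o=company" read
by dn.exact="uid=replica04,ou=Users,o=company" read
by anonymous auth
by self write
by * none
access to *
by dn="cn=admin,o=company" write
by * read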