openldap-technical November 2017

openldap-technical@openldap.org

32 participants
47 discussions

disk write on old 2.4.9
by richard lucassen 08 Nov '17

08 Nov '17

Hello list, I have an ***old*** Ubuntu-8.04 running 2.4.9. I know, this is old, but there are no security issues here. This slapd contains a small database which is modified rarely. OTOH, there are many read operations. The backend is hdb. As these boxes are running on a CF-disk I'd like to limit disk writes, but when the database is queried, the backend is being updated (slapd started at 11:25, read operation at 11:31): # ls -altr /var/lib/ldap/ total 768 drwxr-xr-x 3 root root 4096 2013-11-11 20:28 .. -rw-r--r-- 1 openldap openldap 96 2017-11-08 09:36 DB_CONFIG -rw------- 1 openldap openldap 8192 2017-11-08 11:25 objectClass.bdb -rw------- 1 openldap openldap 8192 2017-11-08 11:25 dn2id.bdb -rw------- 1 openldap openldap 123193 2017-11-08 11:25 log.0000000001 -rw------- 1 openldap openldap 65536 2017-11-08 11:25 id2entry.bdb drwx------ 2 openldap openldap 4096 2017-11-08 11:25 . -rw-r--r-- 1 openldap openldap 2048 2017-11-08 11:25 alock -rw------- 1 openldap openldap 24576 2017-11-08 11:31 __db.005 -rw------- 1 openldap openldap 565248 2017-11-08 11:31 __db.004 -rw------- 1 openldap openldap 98304 2017-11-08 11:31 __db.003 -rw------- 1 openldap openldap 2629632 2017-11-08 11:31 __db.002 -rw------- 1 openldap openldap 8192 2017-11-08 11:31 __db.001 Is there a way to limit these disk writes? I didn't touch the standard Ubuntu settings, except for the usual settings like SSL. Richard. -- richard lucassen http://contact.xaq.nl/

1 1

Re: NO-USER-MODIFICATION and USAGE dSAOperation in custom schema
by Howard Chu 06 Nov '17

06 Nov '17

Michael Ströder wrote: > HI! > > Why is it not allowed to use > > NO-USER-MODIFICATION > USAGE dSAOperation > > in an attribute type declaration? Because such an operational attribute requires server-side code to actually implement it, and you haven't got any means to provide that code. Custom operational attributes must be defined using code loaded in a module. > > For OATH-LDAP I'd like to define a "virtual" attribute (actually to be > processed by back-sock listener) without having to write a slapd overlay. > > attributetype ( oath-ldap-at:16 > NAME 'oathOTPValue' > DESC 'OATH-LDAP: currently valid OTP value of a token' > X-ORIGIN 'OATH-LDAP' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 > EQUALITY integerMatch > SINGLE-VALUE ) > NO-USER-MODIFICATION > USAGE dSAOperation ) > > But slapd refuses to start: > > 5a00641b /home/michael/Proj/oath-ldap/oath-ldap.schema: line 241 > (attributetype ( oath-ldap-at:16 NAME 'oathOTPValue' DESC 'OATH-LDAP: > currently valid OTP value of a token or associated user entry (not > directly used)' X-ORIGIN 'OATH-LDAP' SYNTAX > 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch SINGLE-VALUE > NO-USER-MODIFICATION USAGE dSAOperation )) > 5a00641b /home/michael/Proj/oath-ldap/oath-ldap.schema: line 241 > attributetype: "oath-ldap-at:16" is operational > > Ciao, Michael. > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 3

NO-USER-MODIFICATION and USAGE dSAOperation in custom schema
by Michael Ströder 06 Nov '17

06 Nov '17

HI! Why is it not allowed to use NO-USER-MODIFICATION USAGE dSAOperation in an attribute type declaration? For OATH-LDAP I'd like to define a "virtual" attribute (actually to be processed by back-sock listener) without having to write a slapd overlay. attributetype ( oath-ldap-at:16 NAME 'oathOTPValue' DESC 'OATH-LDAP: currently valid OTP value of a token' X-ORIGIN 'OATH-LDAP' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch SINGLE-VALUE ) NO-USER-MODIFICATION USAGE dSAOperation ) But slapd refuses to start: 5a00641b /home/michael/Proj/oath-ldap/oath-ldap.schema: line 241 (attributetype ( oath-ldap-at:16 NAME 'oathOTPValue' DESC 'OATH-LDAP: currently valid OTP value of a token or associated user entry (not directly used)' X-ORIGIN 'OATH-LDAP' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )) 5a00641b /home/michael/Proj/oath-ldap/oath-ldap.schema: line 241 attributetype: "oath-ldap-at:16" is operational Ciao, Michael.

1 0

Re: Load testing bind performance
by Tim 03 Nov '17

03 Nov '17

No.. unfortunately not... :) I was/am grasping at straws a little bit currently and just tweaking things one setting at a time to see if I can see any difference - admittedly, increasing threads has not improved the situation at all. -- Tim On Fri, Nov 3, 2017 at 3:44 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Friday, November 03, 2017 1:11 PM +0000 Tim <tim(a)yetanother.net> > wrote: > > olcThreads: 512 >> > > You have 128 cores on your box? More threads != better performance. In > fact, it will cause significant problems if it is set beyond what your > system can handle. > > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > > > -- Tim tim(a)yetanother.net

2 1

Load testing bind performance
by Tim 03 Nov '17

03 Nov '17

Heya, Could anyone recommend a quick and dirty way in which to load test an OpenLDAP service to get an indication as to the potential capacity for the platform to handle bind requests? I've used the python-ldap library to simulate other varieties of interactions successfully, but when it comes to binds, each interaction seems to generate a substantial amount of traffic behind the scenes, so suspect that *things* are happening that is artificially limiting the bind rate/s. I've seen some links to people using JMeter to perform this sort of load testing, but thought there may be other (quicker to implement) tools also? Thanks in advance, -- Tim tim(a)yetanother.net

4 8

Re: Load testing bind performance
by Quanah Gibson-Mount 03 Nov '17

03 Nov '17

--On Friday, November 03, 2017 1:11 PM +0000 Tim <tim(a)yetanother.net> wrote: > olcThreads: 512 You have 128 cores on your box? More threads != better performance. In fact, it will cause significant problems if it is set beyond what your system can handle. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Load testing bind performance
by Howard Chu 01 Nov '17

01 Nov '17

Tim wrote: > Heya, > > Could anyone recommend a quick and dirty way in which to load test an OpenLDAP > service to get an indication as to the potential capacity for the platform to > handle bind requests? > > I've used the python-ldap library to simulate other varieties of interactions > successfully, but when it comes to binds, each interaction seems to generate a > substantial amount of traffic behind the scenes, so suspect that *things* are > happening that is artificially limiting the bind rate/s. > > I've seen some links to people using JMeter to perform this sort of load > testing, but thought there may be other (quicker to implement) tools also? You can look at slapd-bind and slapd-auth in the OpenLDAP test suite, that's what they're for. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2017