Index seems to return wrong amount of candidate causing really poor search performance
by chrichardso27@gmail.com
Hi,
Considering the following assumptions;
- OpenLDAP version 2.4.51
- attributes objectClass and abc are indexed based on equality
- the EQUALITY of attribute abc is based on distinguishedNameMatch
- The database contains roughly 2 million entries
- 2 entries have defined the attribute abc with a dn value cn=foo,dc=bar and objectClass=someClass
- 2 entries have defined the attribute abc with a dn value cn=bar,dc=baz and objectClass=someClass
Now, the issue started with really slow search performance using objectClass=someClass & abc=cn=foo,dc=bar as filter criteria. Debugging a while seems to indicate that the objectClass filter returns roughly 2 million entries as candidates. Now, one would expect that the second filter would return only the 2 potential candidates from the abc index, or a subset of the whole database but this is not the case. The second filter also returns nearly the whole database entries as potential candidates and causes really slow query performance. Interestingly, this only occurs when attribute abc has value cn=foo,dc=bar, but for some reason for the entry having attribute abc with value cn=bar,dc=baz the query returns immediately. In both cases, the actual entries matching the search return immediately but for the problematic search "(&(objectClass=someClass)(abc=cn=foo,dc=bar))", the completion of the search takes a long time (around 15 seconds to be precise).
The issue started suddenly and wasn't a degradation of query performance over time.
Few things I have tried
- Rebuilt the whole database again
- Reindex the existing database again
- Testing with bdb and mdb as backends
- Increased cache sizes for bdb to hold the whole database in cache
- For bdb adjust the page size of the indexes according to suggestion by db_tuner
- Change the order of the filters
None of these made any difference. At the moment, there does not seem to be any good options to try. Any ideas or help would be greatly appreciated!
1 year, 3 months
multival member ...
by Michael Ströder
HI!
Experimenting with 2.5.4 I wonder what are reasonable values for
applying multival to attribute 'member' in group entries.
I guess this depends on length of member DN values. Is there a clear way
to calculate this? Or how to find out the effect of current settings.
Ciao, Michael.
P.S.: Yes, I know I have to reload the database when adding multival
config option.
1 year, 7 months
Groups and accesses
by Клеусов Владимир Сергеевич
Hi, there was an idea to use OpenLDAP as an address book for mail.
Tell me the idea of how to make it so that there are two groups. The members of one see all of them (i.e. the general address book) and only the admin edits them. The members of the other are only seen and edited by the owner (i.e. the personal address book)
1 year, 7 months
Unable to delete root entry
by Николай Данилов
When installing openldap with database mdb, root entry cannot be deleted.
Tested on systems:
OS Linux Debian 10, slapd 2.4.57+dfsg-2
Arch Linux, openldap 2.4.58-1
Oracle Linux 8, openldap 2.4.58 (from source)
The root entry was created by the command:
ldapadd -x -D 'cn=admin,dc=example,dc=org' -f root_entry.ldif
Content of the root_entry.ldif file:
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example
description: Example directory
dn: cn=root,dc=example,dc=org
objectClass: organizationalRole
cn: root
description: Directory Manager
Trying to delete the root entry:
ldapdelete -x -r 'dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -w admin
Output - ldap_delete: No such object (32)
How can I delete the root entry and create a new one with other structural objectclasses?
1 year, 7 months
OpenLDAP 2.5 Release Candidate Testing (OpenLDAP 2.5.4)
by Quanah Gibson-Mount
This is a testing call for OpenLDAP 2.5 Release Candidate (OpenLDAP 2.5.4)
Depending on the results, this may be the only testing call.
Generally, get the code for RE25:
<https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5...>
Extract, configure, and build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Note that there are new features in 2.5, so please examine the options
available with configure carefully. Some examples:
The new load balancer, which can either be built as a module for slapd
(--enable-balancer=mod) or as a standalone server (--enable-balancer=yes)
The libargon2 password module (--enable-argon2).
Systemd notification support (--with-systemd=yes).
Thanks!
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1 year, 7 months
Best way to secure LDAP to public Server
by work@seyboldt.org
Hey,
i need to open my LDAP-Directory to a public available Server.
What is the best secure way to connect my LDAP-Server to my Public server?
I thought about a proxy to my Firewall there I could specify requests to my LDAP-Server, or is there a better or an official way to do this?
Thanks,
RMs3Q
1 year, 7 months
Config files & env vars not read when geteuid() != getuid()
by Norm Green
Hello LDAP users and maintainers,
libraries/libldap/init.c has this code which bypasses read all LDAP
config env vars when the exe loadlig libldap is running in setuid mode.
This is causing problems for one of our customers who routinely run our
product Linux executables (which load our libldap) in setuid mode for
legitimate purposes.
Since we have the source, we can and may change this code.
In our case, customer wants to set env var LDAPCONF to point at a
non-default conf file but is unable to do so. In fact this code bypasses
almost all ways an alternate config file can be read.
Even $HOME/ldap.conf is not read.
My question here is should this code be considered a bug and changed to
be less restrictive? I fully appreciate there should be restrictions
when in setuid mode but the current code seems too restrictive.
init.c:
686
687 openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
688
689 #ifdef HAVE_GETEUID
690 if ( geteuid() != getuid() )
691 goto done;
692 #endif
693
694 openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);
695
Norm Green
GemTalk Systems LLC
1 year, 7 months
default config file
by Rallavagu Kon
Hello All,
Noticing a difference in behavior of locating config file at the time of startup between 2.4.48 and 2.4.58.
The 2.4.48 is a ubuntu supplied package while 2.4.58 is compiled with following options.
./configure --prefix=/opt/openldap \
--sysconfdir=/etc/ldap \
--localstatedir=/opt/openldap/var \
--libexecdir=/opt/openldap/lib \
--disable-static \
--enable-debug \
--with-tls=openssl \
--with-cyrus-sasl \
--enable-dynamic \
--enable-crypt \
--enable-spasswd \
--enable-slapd \
--enable-modules \
--enable-rlookups \
--enable-backends=mod \
--disable-ndb \
--disable-sql \
--disable-shell \
--disable-bdb \
--disable-hdb \
--enable-overlays=mod
When started the slaps in debug mode, I see the following for 2.4.48
6077b590 backend_startup_one: starting "cn=config"
6077b590 ldif_read_file: read entry file: "/etc/ldap/slapd.d/cn=config.ldif”
Essentially, looking for “cn=config”. However, after replacing the binaries with compiled version for 2.4.58,
6077b37d could not stat config file "/etc/ldap/slapd.d/slapd.conf": No such file or directory (2)
I clearly notice that existing configuration file(s) are not considered with 2.4.58. Wondering what is the difference and how can I use the existing configuration files.
Thanks
1 year, 7 months
Re: performance tuning for n-way and heavy client load
by Zetan Drableg
>> >> Do you have a lot of large groups that you frequently update?
>> >
>> > Yes we have several groups with ~40k users from which we frequently
>> > add/remove users based on upstream user provisioning workflows.
>>
>> Are you replacing the entire group when you do that, or only
>> adding/deleting specific users?
>>
>> Either way, for 2.4 you definitely want to use sortvals. Likely what you
>> need is OpenLDAP 2.5's multival feature as well.
We incrementally insert users and group memberships instead of
replacing the entire group every time.
This mailing list helped me discover that "sortvals member" improved
performance of single record inserts, but didn't help the overall
problem.
Why do excess free pages in MDB impact performance when inserting new data?
On Fri, Apr 16, 2021 at 11:05 AM Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
> --On Friday, April 16, 2021 12:01 PM -0700 Zetan Drableg
> <zetan.drableg(a)gmail.com> wrote:
>
> >> Do you have a lot of large groups that you frequently update?
> >
> > Yes we have several groups with ~40k users from which we frequently
> > add/remove users based on upstream user provisioning workflows.
>
> Are you replacing the entire group when you do that, or only
> adding/deleting specific users?
>
> Either way, for 2.4 you definitely want to use sortvals. Likely what you
> need is OpenLDAP 2.5's multival feature as well.
>
> Regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
1 year, 7 months
