Hi,
I work in a company that has 140,000 registered users in OpenLDAP. This OpenLDAP is used for authentication of our internal systems. In our tree of groups we have the systems, and below each system there are the authorization groups (system profiles). The user is bound in each group according to position, function and department in the company. When a user replaces another user hierarchically higher, this user is taken from the respective group (that he belonged to) and registered in the user group with the highest hierarchy. This movement in the company is very common, and this is the cause of our problems. We have a group with 50,000 registered users, and when we need to delete a user from that group or add a new one, OpenLDAP takes up to 6 minutes to effect the transaction. We have a tool (BMC Identity Management (formerly Control-SA)) that automates the transactions, but due to the delay in the transactions it has a queue of 100,000 insert/delete operations to perform. I wonder if there is any way to improve the performance of OpenLDAP for these write operations. The OpenLDAP version is 2.4.40.
Thanks,
Alessandro Lasmar Mourão
Below is our slapd.conf:
##############################################
serverID 2
idletimeout 0
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ldap.schema
include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap/
moduleload back_mdb
moduleload back_monitor
moduleload memberof
moduleload ppolicy
moduleload syncprov
moduleload refint
moduleload accesslog
sizelimit 250
tool-threads 16
password-hash {SSHA}
monitoring true
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercrt.pem
TLSCertificateKeyFile /etc/ssl/certs/serverkey.pem

backend mdb

database config
rootdn "cn=admin,cn=config"
rootpw secret
monitoring true

database monitor
rootdn "cn=admin,cn=monitor"
rootpw secret
monitoring true

database mdb
suffix "cn=accesslog"
rootdn "cn=admin,cn=accesslog"
rootpw secret
maxsize 1073741824
monitoring true
directory "/var/lib/ldap/intranet/log"
index default eq,pres,sub
index entryCSN eq,pres
index objectClass,reqEnd eq,pres
index reqResult,reqStart eq,pres
limits dn.exact="uid=replication,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
access to *
    by dn.base="uid=replication,ou=Users,o=company" read
    by * break

database mdb
suffix "o=company"
rootdn "cn=admin,o=company"
rootpw secret
maxsize 4294967296
monitoring true
overlay ppolicy
ppolicy_use_lockout
ppolicy_hash_cleartext
ppolicy_default "cn=default,ou=policy,o=company"
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-refint true
overlay refint
refint_attributes uniqueMember
overlay accesslog
logdb "cn=accesslog"
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
limits dn.exact="uid=replication01,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
limits dn.exact="uid=replication02,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
limits dn.exact="uid=replication03,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
limits dn.exact="uid=replication04,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
overlay syncprov
syncprov-checkpoint 1000 20
syncprov-sessionlog 10000
syncrepl rid=100
    provider=ldap://10.192.184.195:389
    searchbase="o=company"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    type=refreshAndPersist
    retry="60 +"
    scope=sub
    schemachecking=on
    bindmethod=simple
    binddn="uid=replication01,ou=Users,o=company"
    credentials=secret
mirrormode true
directory "/var/lib/ldap/intranet"
directory "/var/lib/ldap/intranet"
index objectClass eq,pres
index uniqueMember,memberof eq,pres
index nu-cpf,nu-cnpj eq,pres
index dt-nascimento pres
index entryUUID,entryCSN eq,pres
index uid,ou,cn,sn,mail eq,pres,sub
index default,givenname eq,pres,sub
lastmod on
checkpoint 1024 10
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,o=company" write
    by dn.exact="uid=replica01,ou=Users,o=company" read
    by dn.exact="uid=replica02,ou=Users,o=company" read
    by dn.exact="uid=replica03,ou=Users,o=company" read
    by dn.exact="uid=replica04,ou=Users,o=company" read
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,o=company" write
    by * read
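An added example (not from the original post) for the group-move operation described above: it reads a slapcat-style export of groupOfUniqueNames entries, collects the members of each group, and emits the minimal modify LDIF that moves one user between two groups as a single-value delete plus a single-value add. The group and user DNs in the sample export are constructed.

```python
# Added example (not from the original post): parse a slapcat-style LDIF
# export of groupOfUniqueNames entries and build the minimal modify LDIF
# for moving one user between groups. All DNs below are constructed.
# carol's DN is folded onto two lines, as slapcat does for long values
# (a leading space marks an LDIF continuation line).
SAMPLE_LDIF = """\
dn: cn=analyst,cn=payroll,ou=Groups,o=company
objectClass: groupOfUniqueNames
cn: analyst
uniqueMember: uid=alice,ou=Users,o=company
uniqueMember: uid=bob,ou=Users,o=company

dn: cn=manager,cn=payroll,ou=Groups,o=company
objectClass: groupOfUniqueNames
cn: manager
uniqueMember: uid=carol,ou=Users,
 o=company
"""


def parse_groups(ldif_text):
    """Return {group DN: set of uniqueMember DNs}, unfolding continuations."""
    groups = {}
    for record in ldif_text.strip().split("\n\n"):
        lines = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]      # join LDIF continuation line
            else:
                lines.append(raw)
        dn, members = None, set()
        for line in lines:
            attr, _, value = line.partition(": ")
            if attr == "dn":
                dn = value
            elif attr.lower() == "uniquemember":
                members.add(value)
        if dn is not None:
            groups[dn] = members
    return groups


def move_member_ldif(user_dn, from_group, to_group):
    """LDIF with two single-value changes: delete from old, add to new group."""
    # Only the changed value is sent; a 'replace: uniqueMember' would have
    # to resend every member of the group (50,000 values in the case above).
    return (
        f"dn: {from_group}\nchangetype: modify\n"
        f"delete: uniqueMember\nuniqueMember: {user_dn}\n-\n\n"
        f"dn: {to_group}\nchangetype: modify\n"
        f"add: uniqueMember\nuniqueMember: {user_dn}\n-\n"
    )
```

The emitted LDIF can be applied with ldapmodify -x -H ldap://host -D "cn=admin,o=company" -W -f move.ldif, and timing that single call isolates the per-operation cost of the group update.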