On 07/06/2018 at 20:18, Mark Tilmes wrote:

LDAP list,


Hello Mark,


I have been trying to figure out this problem for a few weeks; I have been reading the archives and searching Google to no avail.

 

We have a high load at the beginning of every minute due to automated processes authenticating.  During this time, authentications take from about 5 seconds to as much as 12 seconds.  I can even run an ldapwho command directly on the ldap server and see the slowness.

Looking at netstat, there are as many as 500 connections coming in to each server around that time.  The load has been processed within 20 seconds.

 

Here is some info on what I am running:

RHEL 6.9 OS

OpenLDAP 2.4.40 from the RHEL rpm



I think the first thing to answer is: you are running an old version, please upgrade. You can stay on RHEL 6.9 if you need to, but you should use a recent version of OpenLDAP, for example with LTB packages: https://ltb-project.org/documentation/openldap-rpm


 

These systems have 16 CPUs but they are ~90% idle.  The LDAP database is on mdb, it is 52M.  There are 3657 entries.


The systems have 32G of memory each, after buffers and cache, 12G is free.  I think just about everything this system does for disk is cached in memory.

The only other thing running on these servers is DNS and NTP, but when we turn those off, we still see the slowness.

See below for my openldap configuration.


I am trying to figure out if this is an unreasonable load for these servers and I just need more servers, or if there is some tuning I can do to help with this?

 

When I look at cn=threads,cn=monitor I see active threads go up to 16 and pending threads go up to 127 or so.

I increased threads but saw a similar result, all threads are active, many are still pending.

When increasing threads to 128, I ended up with this error message:

mdb_opinfo_get: err MDB_READERS_FULL: Environment maxreaders limit reached(-30790)

I'm not sure what I can do about that.

I'm also not sure if I also need to increase listener threads?  Seems like not since the threads are all active during the traffic burst.


We have 4 ldap servers, one handles writes and then syncs to the other 3, so there are no writes on the other 3, and very few writes on the master, just when we add users or change group memberships which is infrequent, just a few times a month.

 

Any advice is appreciated.

 



You are using mdb backend but it is not loaded in cn=modules. Did you recompile slapd to have mdb in slapd binary?

MDB backend is very performant by default, but you can tune it with some options like maxreaders or envflags.

-- 
Clément Oudot | Identity Solutions Manager

clement.oudot@worteks.com


Worteks | https://www.worteks.com