On 07/06/2018 at 20:18, Mark Tilmes wrote:
> LDAP list,

Hello Mark,

> I have been trying to figure out this problem for a few weeks; I have
> been reading the archives and searching Google to no avail.
> We have a high load at the beginning of every minute due to automated
> processes authenticating. During this time, authentications take from
> about 5 seconds to as much as 12 seconds. I can even run an ldapwho
> command directly on the LDAP server and see the slowness.
> Looking at netstat, there are as many as 500 connections coming in to
> each server around that time. The load has been processed within 20
> seconds.
> Here is some info on what I am running:
> RHEL 6.9 OS
> OpenLDAP 2.4.40 from the RHEL rpm

I think the first thing to answer is: you are running an old version,
please upgrade. You can stay on RHEL 6.9 if you need to, but you should
use a recent version of OpenLDAP, for example with LTB packages:
https://ltb-project.org/documentation/openldap-rpm

> These systems have 16 CPUs but they are ~90% idle. The LDAP database
> is on mdb, it is 52M. There are 3657 entries.
> The systems have 32G of memory each, after buffers and cache, 12G is
> free. I think just about everything this system does for disk is
> cached in memory.
> The only other thing running on these servers is DNS and NTP, but when
> we turn those off, we still see the slowness.
> See below for my OpenLDAP configuration.
> I am trying to figure out if this is an unreasonable load for these
> servers and I just need more servers, or if there is some tuning I can
> do to help with this?
> When I look at cn=threads,cn=monitor I see active threads go up to 16
> and pending threads go up to 127 or so.
> I increased threads but saw a similar result, all threads are active,
> many are still pending.
> When increasing threads to 128, I ended up with this error message:
> mdb_opinfo_get: err MDB_READERS_FULL: Environment maxreaders limit reached(-30790)
> I'm not sure what I can do about that.
> I'm also not sure if I also need to increase listener threads? Seems
> like not since the threads are all active during the traffic burst.
> We have 4 LDAP servers, one handles writes and then syncs to the other
> 3, so there are no writes on the other 3, and very few writes on the
> master, just when we add users or change group memberships which is
> infrequent, just a few times a month.
> Any advice is appreciated.

You are using mdb backend but it is not loaded in cn=modules. Did you
recompile slapd to have mdb in slapd binary?
MDB backend is very performant by default, but you can tune it with some
options like maxreaders or envflags.
--
Clément Oudot | Identity Solutions Manager
clement.oudot(a)worteks.com
Worteks | https://www.worteks.com
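
The thread-pool saturation and the MDB_READERS_FULL error discussed in this thread can be checked mechanically from cn=Threads,cn=Monitor output. The following is an added example, not code from either poster or from the OpenLDAP project; the sample LDIF is constructed, the default of 126 readers is the one documented in slapd-mdb(5), and the one-slot headroom for offline tools is an assumption.

```python
import re

# Default size of the LMDB reader table when back-mdb "maxreaders" is unset.
DEFAULT_MAXREADERS = 126

# Constructed sample in the shape of
#   ldapsearch -b cn=Threads,cn=Monitor -s one monitoredInfo
# with the counters reported during the burst described in the thread.
SAMPLE_MONITOR_LDIF = """\
dn: cn=Max,cn=Threads,cn=Monitor
monitoredInfo: 16

dn: cn=Active,cn=Threads,cn=Monitor
monitoredInfo: 16

dn: cn=Pending,cn=Threads,cn=Monitor
monitoredInfo: 127
"""

def parse_thread_counters(ldif):
    """Return e.g. {'max': 16, 'active': 16} from cn=Threads,cn=Monitor LDIF."""
    counters = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        dn = re.search(r"^dn:\s*cn=([^,]+),cn=Threads,cn=Monitor\s*$",
                       record, re.I | re.M)
        info = re.search(r"^monitoredInfo:\s*(\d+)\s*$", record, re.I | re.M)
        if dn and info:  # skip entries without a numeric monitoredInfo
            counters[dn.group(1).lower()] = int(info.group(1))
    return counters

def assess(counters, maxreaders=DEFAULT_MAXREADERS, other_readers=1):
    """Return findings; other_readers (assumed) reserves slots for slapcat etc."""
    findings = []
    max_threads = counters.get("max", 0)
    active = counters.get("active", 0)
    pending = counters.get("pending", 0)
    # Every worker busy while operations queue: the pool is the bottleneck.
    if max_threads and active >= max_threads and pending > 0:
        findings.append("thread pool saturated: %d active, %d pending"
                        % (active, pending))
    # Each reading thread holds one reader slot in the MDB environment.
    if max_threads + other_readers > maxreaders:
        findings.append("threads (%d) can exhaust maxreaders (%d): "
                        "expect MDB_READERS_FULL" % (max_threads, maxreaders))
    return findings
```

With the counters from the original report this flags only the saturated pool; with threads raised to 128 and maxreaders left at its default it also flags the reader-table limit.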