Hello,
I am experiencing a bit of an issue with mdb network traffic. When I request large queries (entire subtrees) from remote hosts my searches take hundreds of times longer to complete than they do if I search on the local machine (in all except for one case).
I have attempted to tune the kernel network settings, adjusted tx buffer sizes all to no avail.
Just before turning to this list I gave one last shot-in-the-dark attempt, running my query using the rootDN. This produced the expected results.
When queried with a typical account DN my system was transmitting around 2.0Mbps to the remote client. When queried with the rootDN my system was transmitting around 100Mbps to the client.
The system has an olcLimits rule allowing unlimited time and size to the "typical account" I was testing with: olcLimits: dn.children="ou=accounts,dc=example,dc=com" time=unlimited size=unlimited
Clearly the server is capable of serving data to the remote machine at 100Mbps (given that the rootDN has done so).
I cannot for the life of me find a configuration option or setting that should be impacting the transmission bandwidth of searches. Any help or advice on where I should be looking would be greatly appreciated. I have included the relevant cn=config information below.
Thank you, -Russell J. Jancewicz University of Connecticut
OpenLDAP: slapd 2.4.36 (Sep 19 2013 11:16:48) $
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /srv/ldap/example.com
olcSuffix: dc=example,dc=com
# ... olcAccess
olcLimits: {0}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" time=unlimited size=unlimited
olcLimits: {1}dn.children="ou=accounts,dc=example,dc=com" time=unlimited size=unlimited
olcRootDN: cn=root,dc=example,dc=com
olcDbCheckpoint: 512 30
olcDbNoSync: FALSE
olcDbMaxSize: 8589934592
--On Wednesday, November 06, 2013 6:48 PM +0000 "Jancewicz, Russell" russell.jancewicz@uconn.edu wrote:
Just before turning to this list I gave one last shot-in-the-dark attempt, running my query using the rootDN. This produced the expected results.
When queried with a typical account DN my system was transmitting around 2.0Mbps to the remote client. When queried with the rootDN my system was transmitting around 100Mbps to the client.
The rootdn bypasses all ACL evaluation. Do you have complex ACLs?
--Quanah
--
Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
On Nov 6, 2013, at 14:26, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Wednesday, November 06, 2013 6:48 PM +0000 "Jancewicz, Russell" russell.jancewicz@uconn.edu wrote:
Just before turning to this list I gave one last shot-in-the-dark attempt, running my query using the rootDN. This produced the expected results.
When queried with a typical account DN my system was transmitting around 2.0Mbps to the remote client. When queried with the rootDN my system was transmitting around 100Mbps to the client.
The rootdn bypasses all ACL evaluation. Do you have complex ACLs?
--Quanah
--
Quanah Gibson-Mount Architect - Server Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
The system currently has around 30 olcAccess stanzas, the majority of which utilize the set notation to grant access based on groups. I decided it might be wise to test the speed of the search using ldapi:/// and the account, and it does appear to suffer from the same latency issues, so this does likely stem from ACLs.
Is there any CPU tuning or ACL tuning I should do to improve the overall response time? I haven't adjusted the stock threads and am running on a virtual machine with 2 vCPUs (though I suspect a single request would only spawn a single thread). With regard to ACLs, would it be better to use groups or individual olcAccess lines per account?
-Russell J. Jancewicz University of Connecticut
--On Wednesday, November 06, 2013 7:58 PM +0000 "Jancewicz, Russell" russell.jancewicz@uconn.edu wrote:
The system currently has around 30 olcAccess stanzas, the majority of which utilize the set notation to grant access based on groups. I decided it might be wise to test the speed of the search using ldapi:/// and the account, and it does appear to suffer from the same latency issues, so this does likely stem from ACLs.
Set notation is extremely inefficient for ACL evaluation. I would suggest rewriting your ACLs to not use sets.
--Quanah
--
Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
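To make the suggested rewrite concrete, here is an added example (not from the thread) of an ldapmodify record that replaces one set-based olcAccess value on the olcDatabase={1}mdb database with the equivalent group-based clause. It assumes a hypothetical groupOfNames entry cn=admins,ou=groups,dc=example,dc=com with a member attribute, and that the rule to replace sits at ordered index {1}; the set form has to evaluate the set expression per entry and per attribute against every candidate, while the group form is one group-membership lookup that slapd can cache for the duration of the operation.

```ldif
# Constructed example: swap a set-notation ACL for a group ACL.
# Assumed group DN: cn=admins,ou=groups,dc=example,dc=com (groupOfNames/member)
# Assumed position: the rule currently lives at olcAccess index {1}
dn: olcDatabase={1}mdb,cn=config
changetype: modify
# Delete the value by its ordering index; the old rule looked like:
#   to dn.subtree="ou=accounts,dc=example,dc=com"
#     by set="[cn=admins,ou=groups,dc=example,dc=com]/member & user" read
#     by self read
#     by * none
delete: olcAccess
olcAccess: {1}
-
# Re-insert at the same index with group= (defaults to groupOfNames/member),
# which is a single membership test instead of a set evaluation per entry.
add: olcAccess
olcAccess: {1}to dn.subtree="ou=accounts,dc=example,dc=com"
  by group="cn=admins,ou=groups,dc=example,dc=com" read
  by self read
  by * none
-
```

Apply it over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl-rewrite.ldif`, which binds as the same peercred identity the olcLimits {0} entry above already grants; re-run the subtree search as the test account afterwards to confirm the timing now matches the rootDN run.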
My very first guess is that openLDAP does access checking for every entry and attribute that matches your filter criteria. rootDN is probably checked first and fastest...
"Jancewicz, Russell" russell.jancewicz@uconn.edu wrote on 06.11.2013 at 19:48 in message 50804E7D-6AEB-4480-8B45-FB24E35014CC@ad.uconn.edu:
Hello,
I am experiencing a bit of an issue with mdb network traffic. When I request large queries (entire subtrees) from remote hosts my searches take hundreds of times longer to complete than they do if I search on the local machine (in all except for one case).
I have attempted to tune the kernel network settings, adjusted tx buffer sizes all to no avail.
Just before turning to this list I gave one last shot-in-the-dark attempt, running my query using the rootDN. This produced the expected results.
When queried with a typical account DN my system was transmitting around 2.0Mbps to the remote client. When queried with the rootDN my system was transmitting around 100Mbps to the client.
The system has an olcLimits rule allowing unlimited time and size to the "typical account" I was testing with: olcLimits: dn.children="ou=accounts,dc=example,dc=com" time=unlimited size=unlimited
Clearly the server is capable of serving data to the remote machine at 100Mbps (given that the rootDN has done so).
I cannot for the life of me find a configuration option or setting that should be impacting the transmission bandwidth of searches. Any help or advice on where I should be looking would be greatly appreciated. I have included the relevant cn=config information below.
Thank you, -Russell J. Jancewicz University of Connecticut
OpenLDAP: slapd 2.4.36 (Sep 19 2013 11:16:48) $
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /srv/ldap/example.com
olcSuffix: dc=example,dc=com
# ... olcAccess
olcLimits: {0}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" time=unlimited size=unlimited
olcLimits: {1}dn.children="ou=accounts,dc=example,dc=com" time=unlimited size=unlimited
olcRootDN: cn=root,dc=example,dc=com
olcDbCheckpoint: 512 30
olcDbNoSync: FALSE
olcDbMaxSize: 8589934592
openldap-technical@openldap.org