OpenLDAP with small directory veeerryyy slow!
Hi folks. I've got a problem with my OpenLDAP server (v2.1.17) running on a SuSE 8.2 machine. The directory is mainly used for users to log on from other Linux workstations; a Samba server is using the directory, too. The directory has just about 20 entries, including 4 OUs. Then, about 1 month ago, after a server reboot, the LDAP server started making problems: it became very slow. E.g., when I try to log in to the server via SSH, it takes about 30 sec for user authentication. It goes like this: I type the username, and then it takes about 30 s after prompting for the password before I can go on. The same situation when logging on to an IMAP or POP3 account. It's always the same: it takes so much time to do the user authentication. I tried to reinstall OpenLDAP and reimport the directory, but still the same situation. The only thing I could do was to remove a few entries to keep on working. But I cannot explain this to myself, because I can't remember that I have changed anything. Maybe one of you could help me....
My directory used to be about 100 entries, but each entry that I add slows the authentication down even more.
What indexes do you have on your directory? If you index some posixAccount attributes such as uidNumber and gidNumber, it may speed up your authentication. What does your slapd.conf file look like?
I'm sorry, answering took a long time, but this is what my slapd.conf looks like....
To be honest, I don't know if I even have indexes; how do I find out?
Thank you so far...
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
# include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
database bdb
suffix "dc=mydc,dc=de"
rootdn "cn=Manager,dc=mydc,dc=de"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw mypassw
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
Indexes help speed up searching the directory. It looks like you are throwing Samba into the mix. My indexes look like:
###########
# Indexes #
###########
index objectClass,rid,primaryGroupID,uid,uidNumber eq
index gidNumber,memberUid eq
index cn,mail,surname,givenname eq,sub
You need to index attributes that the system will search frequently, such as uid, uidNumber, gid, etc.
Mine is not perfect and I am still tweaking my directory. Doing a "group sid" takes forever and gives erroneous results. I need to work on that.
You mentioned IMAP. What IMAP and POP3 packages are you using? I want to set up a Cyrus email server that does LDAP authentication, but I can't seem to get it set up to authenticate against LDAP. I can only get it to work with the sasldb2 database, and what's the point, since LDAP is supposed to centralize authentication?
The results I get from other newsgroups are for old versions of Cyrus, and they say you have to patch the software.
Anyway, try the indexes and let me know what happens.
You should probably have a little protection on the password fields; looks to me like anyone can pull all your passwords just by connecting to your LDAP port. And that NT-LM password hash is *trivially* crackable. Try:
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=lmPassword,ntPassword
        by self write
        by anonymous auth
        by * none
All the lines above that begin with "by" have white space in front of them, but I think the forum software is going to strip them out, thereby breaking the syntax. We'll see.
My indexes look like this:
index default pres,eq
index objectClass,uid,uidNumber,gidNumber
index l,ou,telephonenumber,memberUid
index cn,mail,surname,givenname pres,eq,subinitial
index mailLocalAddress pres,eq
index rid,ntPassword eq
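The two replies above (add equality indexes on the attributes the login path searches by, and put an ACL on the password attributes) both come down to reading slapd.conf carefully, which also answers the earlier question of how to find out whether any indexes exist at all. The script below is an added example, not code from this thread or from OpenLDAP. It parses a config in slapd.conf(5) syntax (comment lines dropped, a line that starts with whitespace joined to the directive above it) and reports which of the attributes that nss_ldap/pam_ldap/Samba lookups filter on have no `eq` index, and which password attributes no `access to attrs=` rule hides from anonymous or merely authenticated binds. Both embedded configs are constructed: one modelled on the config posted above, one hardened the way the replies suggest. The list of attributes worth indexing and the Samba 2.2 names lmPassword/ntPassword are taken from the replies; Samba 3's schema calls them sambaLMPassword/sambaNTPassword.

```python
"""Audit a slapd.conf (OpenLDAP 2.x) for unindexed lookup attributes and
password attributes that ordinary binds can read. Added example, not part
of the thread or of OpenLDAP; assumes slapd.conf(5) continuation-line rules."""

# Constructed sample modelled on the config posted in the thread: no access
# directives at all, objectClass is the only indexed attribute.
POSTED_CONF = """\
database bdb
suffix "dc=mydc,dc=de"
rootdn "cn=Manager,dc=mydc,dc=de"
rootpw mypassw
index objectClass eq
"""

# Constructed hardened version: password attributes locked down as the reply
# suggests, equality indexes on the attributes the login lookups search by.
HARDENED_CONF = """\
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=lmPassword,ntPassword
        by self write
        by anonymous auth
        by * none
database bdb
suffix "dc=mydc,dc=de"
index default eq
index objectClass,uid,uidNumber,gidNumber,memberUid
index cn,mail eq,sub
"""

# Attributes the NSS/PAM/Samba lookups in this thread match on with equality
# (assumption drawn from the replies above).
WANTED_EQ = {"objectClass", "uid", "uidNumber", "gidNumber", "memberUid"}
# Password attributes as named in the thread (Samba 2.2 schema names).
PASSWORD_ATTRS = {"userPassword", "lmPassword", "ntPassword"}
# Access levels in increasing order of privilege, per slapd.conf(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def directives(conf):
    """Return [(keyword, rest)] with comments dropped and continuation lines joined."""
    joined = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:      # leading whitespace = continuation
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    out = []
    for line in joined:
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out


def indexed_attrs(conf):
    """Map lower-cased attribute -> set of index types, honouring 'index default'."""
    default, idx = set(), {}
    for kw, rest in directives(conf):
        if kw != "index":
            continue
        parts = rest.split()
        attrs = [a.lower() for a in parts[0].split(",")]
        types = set(parts[1].split(",")) if len(parts) > 1 else set(default)
        if attrs == ["default"]:
            default = types
            continue
        for a in attrs:
            idx.setdefault(a, set()).update(types)
    return idx


def missing_eq_indexes(conf, wanted=WANTED_EQ):
    """Attributes in `wanted` with no eq index: each costs a full scan per lookup."""
    idx = indexed_attrs(conf)
    return sorted(a for a in wanted if "eq" not in idx.get(a.lower(), set()))


def parse_access(rest):
    """Split 'to <what> by <who> <level> ...' into (what, [(who, level), ...])."""
    tok = rest.split()
    what = tok[1] if len(tok) > 1 and tok[0] == "to" else ""
    clauses, i = [], 2
    while i + 2 < len(tok):
        if tok[i] == "by":
            clauses.append((tok[i + 1], tok[i + 2]))
            i += 3
        else:
            i += 1
    return what, clauses


def exposed_password_attrs(conf, attrs=PASSWORD_ATTRS):
    """Password attributes readable by anonymous or merely authenticated binds.

    slapd applies the first access directive whose <what> matches, so the first
    rule naming an attribute (or 'to *') decides. Only 'to *' and 'to attrs=...'
    forms are understood; an attribute is exposed if no rule names it, or the
    rule grants '*', 'users' or 'anonymous' more than auth."""
    first_rule = {}
    for kw, rest in directives(conf):
        if kw != "access":
            continue
        what, clauses = parse_access(rest)
        if what == "*":
            targets = {a.lower() for a in attrs}
        elif what.lower().startswith(("attrs=", "attr=")):
            targets = {a.lower() for a in what.split("=", 1)[1].split(",")}
        else:
            continue
        for a in targets:
            first_rule.setdefault(a, clauses)

    def rank(level):  # unknown forms such as '=rsc' are treated as permissive
        return LEVELS.index(level) if level in LEVELS else len(LEVELS)

    exposed = []
    for a in sorted(attrs):
        clauses = first_rule.get(a.lower())
        if clauses is None or any(who in ("*", "users", "anonymous") and rank(level) > rank("auth")
                                  for who, level in clauses):
            exposed.append(a)
    return exposed


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "unindexed:", missing_eq_indexes(conf),
              "exposed passwords:", exposed_password_attrs(conf))
```

Two caveats the thread does not spell out: new `index` directives only take effect after the database is rebuilt with `slapindex` (stop slapd first and run it as the user slapd runs as, or the new index files end up owned by root), and the script only understands `to *` and `to attrs=...` rules, so ACLs scoped with `dn.*=` qualifiers need a manual read. The posted config also keeps `rootpw` in cleartext, against the advice in the file's own comment; `slappasswd` generates a hashed value for it.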
Thank you, I set up some indexes and it works a lot faster now.
But is there some kind of documentation on those indexes? Because the only thing I found was a very small section in the openldap.org manual.
To your question: I'm using the standard SuSE IMAP package that comes with the distro. It uses the system users for mail. I tried Cyrus IMAP before, but it didn't work either.