LinuxQuestions.org
Old 09-03-2014, 09:18 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Rep: Reputation: 33
Ldap performance : help needed


Hello,

I have the following rules in /etc/openldap/slapd.conf for about 250 users (cust1 -> cust250).

This is an extract for user 'cust22' and user 'cust23' :

Code:
access to dn.regex="ou=tbook[12345],ou=contacten,ou=cust22,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by * none break

access to dn.one="ou=tbook1,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=cust22,dc=mydomain" read

access to dn.one="ou=tbook2,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook2,ou=gebruikers,ou=cust22,dc=mydomain" read

access to dn.one="ou=tbook3,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook3,ou=gebruikers,ou=cust22,dc=mydomain" read

access to dn.one="ou=tbook4,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook4,ou=gebruikers,ou=cust22,dc=mydomain" read

access to dn.one="ou=tbook5,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook5,ou=gebruikers,ou=cust22,dc=mydomain" read

access to dn.regex="ou=tbook[12345],ou=contacten,ou=cust23,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by * none break

access to dn.one="ou=tbook1,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=cust23,dc=mydomain" read

access to dn.one="ou=tbook2,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook2,ou=gebruikers,ou=cust23,dc=mydomain" read

access to dn.one="ou=tbook3,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook3,ou=gebruikers,ou=cust23,dc=mydomain" read

access to dn.one="ou=tbook4,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook4,ou=gebruikers,ou=cust23,dc=mydomain" read

access to dn.one="ou=tbook5,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook5,ou=gebruikers,ou=cust23,dc=mydomain" read

I notice that there is a huge lack of performance (slow response times) when there are more than about 100 users. There are quite a few access rules in slapd.conf at that point.

There are about 8 seconds between query and response:

Code:
Sep  3 14:57:05 slap01 slapd[12908]: conn=1001 fd=13 ACCEPT from IP=xx.xx.xx.xx:1046 (IP=0.0.0.0:389)
Sep  3 14:57:05 slap01 slapd[12908]: conn=1001 op=0 BIND dn="cn=Ucust23,ou=cust23,dc=mydomain" method=128
Sep  3 14:57:05 slap01 slapd[12908]: conn=1001 op=0 BIND dn="cn=Ucust23,ou=cust23,dc=mydomain" mech=SIMPLE ssf=0
Sep  3 14:57:05 slap01 slapd[12908]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep  3 14:57:05 slap01 slapd[12908]: conn=1001 op=1 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(telephoneNumber=*)(sn=t*))"
Sep  3 14:57:05 slap01 slapd[12908]: conn=1001 op=1 SRCH attr=cn sn telephoneNumber

Sep  3 14:57:13 slap01 slapd[12908]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  3 14:57:13 slap01 slapd[12908]: conn=1001 op=2 ABANDON msg=2
Sep  3 14:57:13 slap01 slapd[12908]: conn=1001 op=3 UNBIND
Sep  3 14:57:13 slap01 slapd[12908]: conn=1001 fd=13 closed

Question: how can I get better performance? How can I adapt my access rules for better performance?


Thanks !
 
Old 09-04-2014, 10:55 PM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,713

Rep: Reputation: 1279
It may depend on what kind of back end database you are using to store the data.

The database storage would be critical to that - I've seen thousands of records in LDAP with less than a second for response (and no, I don't know how many replicated servers there were, I wasn't the one configuring it).

Do you know how many concurrent queries you might be getting? (if not many, as would be the case for a test server, then the response rate should be consistent, if a lot, then I would expect a good bit of variability).

There is also whether you have indexes defined... If not, it may be using a linear search...

http://www.openldap.org/doc/admin24/...c%20Directives

Also check the size of the cache...

Last edited by jpollard; 09-04-2014 at 10:58 PM.
 
Old 09-05-2014, 07:45 AM   #3
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Hello,

backend database is the default :

Code:
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb

The number of records is not what makes a difference here. It is clearly the definition of access rules. Fewer access rules make LDAP respond faster.
I have not altered the number of records, only the number of access rules in /etc/openldap/slapd.conf, and I notice that with fewer access rules LDAP speeds up.

Number of concurrent queries : about 10

Index defined :

Code:
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index telephoneNumber                   eq,pres,sub

Thank you for your feedback.
 
Old 09-22-2014, 05:45 AM   #4
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Any more feedback on this ?

It seems that when there is a query with filter "telephoneNumber" and a search for "cn sn" the search goes faster (no delay between query and answer) :

Code:
Sep 22 11:12:41 slap01 slapd[22668]: conn=3580 fd=13 ACCEPT from IP=my.pub.ip..add:54994 (IP=0.0.0.0:389)
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=0 BIND dn="cn=Ucust23,ou=cust23,dc=mydomain" method=128
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=0 BIND dn="cn=Ucust23,ou=cust23,dc=mydomain" mech=SIMPLE ssf=0
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=0 RESULT tag=97 err=0 text=
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=1 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(telephoneNumber=70470470*)(sn=*))"
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=1 SRCH attr=cn sn telephoneNumber
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=2 UNBIND
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 fd=13 closed

So how can I get the same speed (with no delay) when the filter is "sn"?

Thank you.
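
Added example, not part of any post in this thread: a Python sketch that measures the delay described in posts #1 and #4 by pairing each slapd `SRCH` line with its `SEARCH RESULT` line per connection and operation, so slow filters can be compared before and after an ACL change. The function names, the 2-second threshold and the year 2014 (syslog timestamps carry none) are assumptions; the sample lines are constructed from the log excerpts quoted above.

```python
import re
from datetime import datetime

# Constructed sample in the syslog format quoted in posts #1 and #4.
SAMPLE_LOG = """\
Sep  3 14:57:05 slap01 slapd[12908]: conn=1001 op=0 BIND dn="cn=Ucust23,ou=cust23,dc=mydomain" method=128
Sep  3 14:57:05 slap01 slapd[12908]: conn=1001 op=1 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(telephoneNumber=*)(sn=t*))"
Sep  3 14:57:13 slap01 slapd[12908]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=0 BIND dn="cn=Ucust23,ou=cust23,dc=mydomain" method=128
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=1 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(telephoneNumber=70470470*)(sn=*))"
Sep 22 11:12:42 slap01 slapd[22668]: conn=3580 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[(?P<pid>\d+)\]: "
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")

def parse_ts(text, year=2014):
    # Assumption: the year is supplied by the caller, syslog does not log it.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def search_latencies(log_text, year=2014):
    """Return one record per completed search: bind DN, filter, seconds."""
    bind_dn, pending, out = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank lines and non-slapd lines
        conn, key = (m["pid"], m["conn"]), (m["pid"], m["conn"], m["op"])
        ts, rest = parse_ts(m["ts"], year), m["rest"]
        if rest.startswith("BIND dn="):
            bind_dn[conn] = rest.split('"')[1]
        elif rest.startswith("SRCH base="):
            f = re.search(r'filter="(.*)"$', rest)
            pending[key] = (ts, f.group(1) if f else "?")
        elif rest.startswith("SEARCH RESULT") and key in pending:
            start, flt = pending.pop(key)
            if ts < start:  # result logged after a New Year rollover
                ts = ts.replace(year=ts.year + 1)
            out.append({"bind_dn": bind_dn.get(conn, "anonymous"),
                        "filter": flt,
                        "seconds": (ts - start).total_seconds()})
    return out

def slow_searches(log_text, threshold=2.0):
    # Searches that took at least `threshold` seconds (one-second log resolution).
    return [r for r in search_latencies(log_text) if r["seconds"] >= threshold]
```

Searches that never receive a `SEARCH RESULT` line (for example after an `ABANDON`) stay unreported, and the one-second syslog resolution means sub-second differences are not visible.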
 
All times are GMT -5.