[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam_ldap slow

To: Paul Jakma <paul@clubi.ie>
Subject: Re: pam_ldap slow
From: Matthew Gregg <greggmc@musc.edu>
Date: Fri, 11 May 2001 13:16:12 -0400
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <Pine.LNX.4.33.0105100359490.9260-100000@fogarty.jakma.org>; from paul@clubi.ie on Thu, May 10, 2001 at 04:02:21AM +0100
References: <20010509121343.A6262@musc.edu> <Pine.LNX.4.33.0105100359490.9260-100000@fogarty.jakma.org>
User-agent: Mutt/1.3.17i

Thanks for the tips, but I've tried them all and continue to have
performance problems.

Is it possible to change the filter that the group "lookup" uses?
As i said on my previous post the default filter that is being run for
group lookup is:
conn=0 op=2 SRCH base="dc=musc,dc=edu" scope=sub
filter="(&(objectClass=posixGroup)(|(memberUid=greggmc)
(uniqueMember=uid=greggmc,ou=People,dc=musc,dc=edu)))"

I've run this filter using ldapsearch and it's slow:
ldapsearch -H ldap://itlab.musc.edu -s sub -b "dc=musc,dc=edu" 
"(&(objectClass=posixGroup)(|(memberUid=greggmc)
(uniqueMember=uid=greggmc,ou=People,dc=musc,dc=edu)))"

but if i change the filter to this:
ldapsearch -H ldap://itlab.musc.edu -s sub -b "dc=musc,dc=edu"
"(&(objectClass=posixGroup)(|(memberUid=greggmc)
(memberUid=uid=greggmc,ou=People,dc=musc,dc=edu)))"

I get the same results, only very fast.

Does my problem lie with the "uniqueMember" attribute?  I do not have
that attrib. in my ldap.

Group entries look like this:
dn: cn=itlab,ou=groups,dc=musc,dc=edu
objectClass: posixGroup
objectClass: top
cn: itlab
userPassword: {crypt}*
gidNumber: 1389
memberUid: binzafar
memberUid: jonesje
memberUid: sprovero
memberUid: starmerf
memberUid: starmerj 


Thanks again.


On Thu, May 10, 2001 at 04:02:21AM +0100, Paul Jakma wrote:
> On Wed, 9 May 2001, Matthew Gregg wrote:
> 
> > Running slapd in debug mode, this filter appears to be run for group validation/membership:
> > conn=0 op=2 SRCH base="dc=musc,dc=edu" scope=2
> > filter="(&(objectClass=posixGroup)(|(memberUid=root)
> > (uniqueMember=uid=testuser,ou=People,dc=musc,dc=edu)))"
> 
> Hi Matthew,
> 
> on the client run nscd and configure it with reasonable positive
> cache times.  And on the server add an 'equal' index for
> attribute memberUid.
> 
> regards,

-- 
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars

Follow-Ups:
- RE: pam_ldap slow
  - From: "Tarjei Huse" <tarjei@nu.no>

References:
- pam_ldap slow
  - From: Matthew Gregg <greggmc@musc.edu>
- Re: pam_ldap slow
  - From: Paul Jakma <paul@clubi.ie>

Prev by Date: Re: about passwords
Next by Date: Client compile gets boatloads of error messages
Index(es):
- Chronological
- Thread