Re: Optimizing OpenLDAP pam authentication (it's very slow)
This is getting very frustrating.
I shut down slapd, deleted all files from the ldap db directory.
Re-migrated passwd and groups using the stock PADL scripts, then used
ldapadd to re-populate the ldap from the passwd and group ldifs.
Tried to log in from a box using the ldap and it was still SLOW.
So I stopped slapd, re-ran slapindex (fingers crossed), started slapd.
Again tried to log in, still SLOW.
Base LDAP entries look like this:

dn: dc=musc,dc=edu
objectClass: dcObject
objectClass: organization
o: Medical University of South Carolina
dc: musc

dn: cn=Manager,dc=musc,dc=edu
objectClass: organizationalRole
cn: Manager

dn: ou=People, dc=musc, dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups, dc=musc, dc=edu
ou: Groups
objectClass: top
objectClass: organizationalUnit

Passwd entries look like this:
dn: uid=greggmc,ou=People,dc=musc,dc=edu
uid: greggmc
cn: Matthew C Gregg
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: <removed>
loginShell: /bin/csh
uidNumber: 4675
gidNumber: 4675
homeDirectory: /home/greggmc
gecos: Matthew C Gregg
Group entries look like this now:
dn: cn=itlab,ou=Groups,dc=musc,dc=edu
objectClass: posixGroup
objectClass: top
cn: itlab
userPassword: {crypt}*
gidNumber: 1389
memberUid: binzafar
memberUid: jonesje
memberUid: sprovero
memberUid: starmerf
memberUid: starmerj
My indices look like this:
index uid,cn,uidNumber,gidNumber,memberUid eq
index uniqueMember pres
index objectClass pres,eq
What gives, folks? It still seems like the group lookup is running
un-indexed.
Is anyone else on the list using OpenLDAP for pam authentication AND
has a large number of user and group entries (10K+)?
On Thu, May 31, 2001 at 10:32:49AM -0600, Michael L Torrie wrote:
> Okay, my ldap server is running very quickly now. I'm using the following
> indexes (I have not modified how the groups are stored from the migrate
> script):
>
> index uid,cn,gidNumber,uidNumber,memberUid eq
> index objectClass pres,eq
>
> I then ran slapindex and restarted ldap. Now when I ls -l all the user
> directories, they show up right away. Logging in via samba on a windows
> machine barely touches ldap at all right now. su'ing to a user is almost
> instant. I'm also running nscd. Those who are playing around with index
> settings, did you remember to run slapindex to generate the indexes? Once
> I did that, things are full speed now.
>
> Does this help, Matthew?
>
> Michael
>
> On Thu, 31 May 2001, Matthew Gregg wrote:
>
> > I've seen that and tried that. What that does is "and" your filter
> > with the default filter. How to change/override the default filter would be
> > the trick. Right?
> >
> > On Thu, May 31, 2001 at 05:24:41PM +0200, GOMBAS Gabor wrote:
> > > On Thu, May 31, 2001 at 11:12:38AM -0400, Matthew Gregg wrote:
> > >
> > > > Also, the filter that is being run is coming from nsswitch/pam_ldap.
> > > > It's not something that I can configure, without some code changes.
> > >
> > > Yes you can. Look at the sample ldap.conf in the nss_ldap distribution
> > > (the nss_base_* parameters).
> > >
> > > Gabor
> > >
> >
> >
>
--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
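
Added example (not part of the original message or thread): a small Python check of the index directives quoted above against group-lookup filters. The three filters and the helper names are assumptions for illustration, modelled on RFC 2307-style lookups; they are not taken from the poster's logs. It checks configuration only and cannot tell whether slapindex has actually been run.

```python
import re

# Index directives copied from the message above.
SLAPD_CONF = """\
index uid,cn,uidNumber,gidNumber,memberUid eq
index uniqueMember pres
index objectClass pres,eq
"""

# Assumed filters (constructed for this example, not captured from the server).
FILTERS = {
    "groups of a user": "(&(objectClass=posixGroup)(memberUid=greggmc))",
    "group by gid": "(&(objectClass=posixGroup)(gidNumber=1389))",
    "membership by DN":
        "(&(objectClass=posixGroup)"
        "(uniqueMember=uid=greggmc,ou=People,dc=musc,dc=edu))",
}

def parse_indexes(conf):
    """Map lower-cased attribute name -> set of index types from 'index' lines."""
    indexes = {}
    for line in conf.splitlines():
        tok = line.split()
        # Only directives with an explicit type list are considered here.
        if len(tok) >= 3 and tok[0].lower() == "index":
            for attr in tok[1].lower().split(","):
                indexes.setdefault(attr, set()).update(tok[2].lower().split(","))
    return indexes

def assertions(ldap_filter):
    """Yield (attribute, index type needed) for each simple attr=value item."""
    for attr, value in re.findall(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)", ldap_filter):
        if value == "*":
            yield attr, "pres"      # presence test
        elif "*" in value:
            yield attr, "sub"       # substring match
        else:
            yield attr, "eq"        # equality match

def unindexed(ldap_filter, indexes):
    """Return the assertions in the filter that no configured index can serve."""
    return [(a, k) for a, k in assertions(ldap_filter)
            if k not in indexes.get(a.lower(), set())]

if __name__ == "__main__":
    idx = parse_indexes(SLAPD_CONF)
    for name, flt in FILTERS.items():
        print(f"{name}: {unindexed(flt, idx) or 'all assertions indexed'}")
```

Changing an index directive only takes effect for existing entries after slapindex is re-run with slapd stopped, as described in the quoted reply.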