
PAM/LDAP performance problem



Hi all,

we are desperately trying to use PAM/LDAP as a *fast* authentication method for FTP logins. After installing and configuring, things were working fine. But after adding 20000 user entries just for testing (we expect many more in the future), the response time (ftp login) rose from 3 seconds (4000 entries) up to 23 seconds (20000 user entries and about 6000 group entries).

Both user lookup and password lookup seem to search the whole LDAP directory without using indexes (slapd takes 99% CPU for the time in question), even though they exist on almost all attributes (cn, uid, uidnumber, gid, gidnumber, etc.). Since ldapsearch answers within a fraction of a second and only ftp and shell login (and "id") are very slow, we don't really have an idea what the problem could be. Isn't PAM using indexes?

Can anybody help? Thanks in advance.

------------------------------------------------
RedHat Linux 7.0 - 2.2.17-14smp #1 SMP
openldap-1.2.11-15
openldap-clients-1.2.11-15
openldap-servers-1.2.11-15
pam-0.72-37
nss_ldap-122-1.7
proftpd-core-1.2.0rc3-2
proftpd-standalone-1.2.0rc3-2

slapd.conf:
-----------
index           cn,uid,gid,domain               pres,eq,approx,sub
index           objectclass,homedirectory       pres,eq
index           default                         none

ldap.conf:
----------
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid

User DN:
--------
uidnumber=20001, ou=machine, o=domain, c=de
objectclass=users
objectclass=posixAccount
objectclass=account
cn=U190567
uid=U190567
uidnumber=20001
gid=G190567
gidnumber=7335
homedirectory=/home/U190567
domain=test.com
loginshell=/bin/bash
userpassword={crypt}xxxxxxxxxxxx

Group DN:
---------
gidnumber=7335, ou=machine, o=domain, c=de
objectclass=posixGroup
cn=G190567
gid=G190567
gidnumber=7335
-------------------------------------------------------------

Best regards,

Stefan Brohs
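A check for the index configuration quoted in the post, as an added example that is not part of the original message: it parses the slapd.conf index lines and reports which of the searches nss_ldap/pam_ldap issue for a login or an "id" call would touch an attribute that has no equality index. The filter attributes listed in LOOKUPS (uid, uidNumber, gidNumber, memberUid) are assumed from nss_ldap's default search behaviour; the index lines are copied from the post.

```python
import re

# Index lines copied from the slapd.conf in the post (OpenLDAP 1.2 syntax:
# "index <attr>[,<attr>...] <type>[,<type>...]").
SLAPD_CONF = """\
index           cn,uid,gid,domain               pres,eq,approx,sub
index           objectclass,homedirectory       pres,eq
index           default                         none
"""

# Assumed filter attributes of the searches nss_ldap / pam_ldap issue for
# the slow operations; each needs an 'eq' index to avoid a full scan.
LOOKUPS = {
    "getpwnam (ftp/pam login)": ["objectclass", "uid"],
    "getpwuid (id, ls -l)": ["objectclass", "uidnumber"],
    "getgrgid (id)": ["objectclass", "gidnumber"],
    "initgroups (id)": ["objectclass", "memberuid"],
}


def parse_indexes(conf):
    """Return {attribute: set(index types)} from slapd.conf index lines."""
    indexes = {}
    for line in conf.splitlines():
        m = re.match(r"\s*index\s+(\S+)\s+(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        attrs, types = m.group(1), m.group(2)
        for attr in attrs.split(","):
            # LDAP attribute names are case-insensitive.
            indexes[attr.lower()] = set(types.lower().split(","))
    return indexes


def unindexed_lookups(conf, lookups=LOOKUPS):
    """Map each lookup to the filter attributes lacking an 'eq' index."""
    indexes = parse_indexes(conf)
    default = indexes.get("default", {"none"})  # applies to unlisted attrs
    result = {}
    for name, attrs in lookups.items():
        missing = [a for a in attrs if "eq" not in indexes.get(a, default)]
        if missing:
            result[name] = missing
    return result


if __name__ == "__main__":
    for lookup, missing in unindexed_lookups(SLAPD_CONF).items():
        print(f"{lookup}: no equality index on {', '.join(missing)}")
```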