[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
solaris8 openldap and iplanet4.1
We have openldap-2.1.21 running on solaris8. We're using Iplanet4.1 web server
as a front end to our application. It appears as if Iplanet upon
initial login as well as subsequent ACL Cache updates iterates through all
possible groups for the specific uid attempting to match them one by one. Even
under relatively light traffic it causes high CPU usage of slapd and inermitent
CPU spikes.
Is this a result of 'dynamic groups' or is there some index I'm missing?
Any help is appreciated.
-- the filters used for the search:
Sep 30 08:31:54 host slapd[28007]: conn=3 op=4 SRCH base="dc=tribuneinteractive,dc=com" scope=2 deref=0 filter="(|(&(objectClass=groupOfUniqueNames)(|(uniqueMember=uid=sfrancis,dc=tribuneinteractive,dc=com)))(&(objectClass=groupOfNames)(|(member=uid=sfrancis,dc=tribuneinteractive,dc=com))))"
Sep 30 08:31:54 host slapd[28007]: conn=3 op=4 SRCH attr=cn
Sep 30 08:31:54 host slapd[28007]: conn=3 op=4 SEARCH RESULT tag=101 err=0 nentries=2 text=
Sep 30 08:31:54 host slapd[28007]: conn=3 op=5 SRCH base="dc=tribuneinteractive,dc=com" scope=2 deref=0 filter="(&(cn=trb.tii.httpd.o2)(|(objectClass=groupOfUniqueNames)(objectClass=groupOfNames)(objectClass=groupofurls)(objectClass=groupofcertificates)))"
-- snippet from logfile:
>>> dnNormalize: <uid=bscott,dc=tribuneinteractive,dc=com>
=> ldap_bv2dn(uid=bscott,dc=tribuneinteractive,dc=com,0)
<= ldap_bv2dn(uid=bscott,dc=tribuneinteractive,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=bscott,dc=tribuneinteractive,dc=com,272)=0
<<< dnNormalize: <uid=bscott,dc=tribuneinteractive,dc=com>
dnMatch -2
"uid=bscott,dc=tribuneinteractive,dc=com"
"uid=sfrancis,dc=tribuneinteractive,dc=com"
>>> dnNormalize: <uid=emoss,dc=tribuneinteractive,dc=com>
=> ldap_bv2dn(uid=emoss,dc=tribuneinteractive,dc=com,0)
<= ldap_bv2dn(uid=emoss,dc=tribuneinteractive,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=emoss,dc=tribuneinteractive,dc=com,272)=0
<<< dnNormalize: <uid=emoss,dc=tribuneinteractive,dc=com>
dnMatch -3
"uid=emoss,dc=tribuneinteractive,dc=com"
"uid=sfrancis,dc=tribuneinteractive,dc=com"
.......
ldbm_search: candidate entry 447 does not match filter
-- slapd.conf
include /opt/apps/ldap/etc/openldap/schema/core.schema
include /opt/apps/ldap/etc/openldap/schema/cosine.schema
include /opt/apps/ldap/etc/openldap/schema/inetorgperson.schema
include /opt/apps/ldap/etc/openldap/schema/trbtii.schema
include /opt/apps/ldap/etc/openldap/schema/iplanet.schema
schemacheck on
sizelimit 5000
#loglevel 256
idletimeout 30
allow bind_v2
database ldbm
cachesize 1000
dbcachesize 200000
suffix "dc=tribuneinteractive, dc=com"
rootdn "cn=Manager, dc=tribuneinteractive, dc=com"
rootpw XXXXXXX
directory /opt/apps/ldap/var/oxygenpui
index default pres,eq,sub
index objectClass eq
index uid eq
index C
index cn
Thanks,
Stan Francis