Re: Looking for proven version



Tuesday, October 21, 2003, 8:31:09 PM, Nathan wrote:

> Hopefully this is useful information.  Our problems sounded similar and so
> I thought I'd let you know what I was looking at.  If you figure more out,
> please let me know, and I'll do the same.

I still have the same problem and you're asking advice from me? :)
Anyway, these are the things I've done that greatly reduced slapd CPU usage
(from 80 to 2/10 %).

1. Avoid binding whenever possible. In /etc/ldap.conf I have to bind
with proxy-user for some reason and it makes slapd crazy.

2. Remove all ACL, but secure your ldap using iptables.

3. Whenever possible, configure your apps to query LDAP directly, not
through PAM. Use IP address instead of FQDN and no TLS/SSL. Default to use bind_v3 if possible.

4. Use a unix socket for local queries if possible (though I'm not very
sure about how stable it is, but it reduces the number of TCP CLOSE_WAIT
states).

5. Simplify the queries in each application and index all necessary
attributes. Avoid unnecessary queries to LDAP (such as system users that
are already in passwd).
I've used maildrop for LDA and it queries all "trusted" accounts to LDAP
(i.e. mmdf, postfix, postmaster etc).

6. Compile OL without enabling tcpwrappers (because it will look for
/etc/hosts.deny/allow for every request, cmiiw). I've got a "too many
open file" error before.

7. Use nscd -- actually in my case nscd did not help, it still
queries LDAP even though I already queried the same id many times. I don't use it
but ymmv.






--beast
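
Added example, not part of the original post: tip 5 (index the attributes that are actually searched, and stop sending LDAP lookups for accounts already in passwd) can be checked against slapd's own log. This sketch assumes stats-level logging (loglevel 256); the log lines and passwd excerpt are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the shape of slapd stats-level (loglevel 256) output.
SAMPLE_LOG = '''\
Oct 21 20:31:09 mx slapd[812]: conn=101 op=0 BIND dn="" method=128
Oct 21 20:31:09 mx slapd[812]: conn=101 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=postfix))"
Oct 21 20:31:09 mx slapd[812]: conn=101 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 21 20:31:10 mx slapd[812]: conn=102 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=alice))"
Oct 21 20:31:10 mx slapd[812]: conn=103 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(mail=alice@example.com)"
Oct 21 20:31:11 mx slapd[812]: conn=104 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=postmaster))"
Oct 21 20:31:12 mx slapd[812]: conn=105 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=postfix))"
'''
# Constructed /etc/passwd excerpt (local system accounts).
SAMPLE_PASSWD = '''\
root:x:0:0:root:/root:/bin/sh
postfix:x:89:89::/var/spool/postfix:/bin/false
mmdf:x:90:90::/var/mmdf:/bin/false
'''

SRCH_RE = re.compile(r'\bSRCH\b.*?\bfilter="([^"]*)"')
# One leaf of an LDAP filter: (attr=value), (attr>=value), (attr~=value) ...
LEAF_RE = re.compile(r'\(([A-Za-z][A-Za-z0-9.;-]*)[~<>]?=([^()]*)\)')

def local_accounts(passwd_text):
    """Login names present in a passwd-format text."""
    return {l.split(":", 1)[0] for l in passwd_text.splitlines()
            if l and not l.startswith("#")}

def summarize(log_text, local_users, login_attr="uid"):
    """Count filter attributes, and lookups for users that exist locally."""
    attrs, redundant = Counter(), Counter()
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue  # BIND, RESULT, etc.
        for attr, value in LEAF_RE.findall(m.group(1)):
            attrs[attr.lower()] += 1
            if attr.lower() == login_attr and value in local_users:
                redundant[value] += 1
    return attrs, redundant

def index_candidates(attrs, min_hits=2):
    """Attributes searched often enough to be worth an index in slapd.conf."""
    return sorted(a for a, n in attrs.items() if n >= min_hits)

if __name__ == "__main__":
    attrs, redundant = summarize(SAMPLE_LOG, local_accounts(SAMPLE_PASSWD))
    print("index candidates:", index_candidates(attrs))
    print("LDAP lookups for local accounts:", dict(redundant))
```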