[Date Prev][Date Next] [Chronological] [Thread] [Top]

Casual benchmarking OS performace with OpenLDAP



I'm in the process of trying to find the best OS platform on which to run
OpenLDAP as a backend for Heimdal and Samba, as well as a replacement for
NIS.

Currently, I have a machine with a 2.8GHz Xeon and a 140G drive which 
holds both Debian Linux (kernel 2.6.11) and Solaris 10 x86 .

Here is the pertinent server info:

    Linux:
        OpenLDAP 2.3.2beta  (gcc -O2)
        DB 4.2.52 w patches (Debian default)

    Solaris x86:
        OpenLDAP 2.3.2beta  (SUNWspro/cc -xO4)
        DB 4.2.52 w patches (SUNWspro/cc -xO4)


I'm using a simple test of running 10 ldapsearch processes like so:

    for i in 0 1 2 3 4 5 6 7 8 9 ; do
        time ldapsearch -H ldap://server.cise.ufl.edu -x > /dev/null &
    done

My client machine is a solaris x86 box with a couple of 2.8GHz Xeon
processors.

My LDAP database has 8421 records. Here are some sample entries of
ou=Users, ou=Groups, and ou=Netgroups:

    dn: uid=nobody,ou=Users,dc=test,dc=org
    cn: nobody
    sn: nobody
    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    objectClass: posixAccount
    gidNumber: 514
    uid: nobody
    uidNumber: 65534
    homeDirectory: /dev/null
    sambaPwdLastSet: 0
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaPwdMustChange: 2147483647
    sambaHomePath: \\server\nobody
    sambaHomeDrive: H:
    sambaProfilePath: \\server\profiles\nobody
    sambaSID: S-1-5-21-0000-0000-0000-501
    sambaPrimaryGroupSID: S-1-5-21-0000-0000-0000-514
    sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
    sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
    sambaAcctFlags: [NU         ]
    loginShell: /bin/false

    dn: cn=operator,ou=Groups,dc=test,dc=org
    objectClass: posixGroup
    objectClass: top
    objectClass: sambaGroupMapping
    cn: operator
    gidNumber: 10
    sambaSID: S-1-5-21-0000-0000-0000-200009
    sambaGroupType: 5
    memberUid: user1
    memberUid: user2
    memberUid: user3
    memberUid: user4
    memberUid: user5
    memberUid: user6
    memberUid: user7
    memberUid: user8
    memberUid: user9
    memberUid: user10
    
    dn: cn=operator,ou=Netgroups,dc=test,dc=org
    objectClass: top
    objectClass: nisNetgroup
    cn: operator
    nisNetgroupTriple: (-,user1,domain)
    nisNetgroupTriple: (-,user2,domain)
    nisNetgroupTriple: (-,user3,domain)
    nisNetgroupTriple: (-,user4,domain)
    nisNetgroupTriple: (-,user5,domain)
    nisNetgroupTriple: (-,user6,domain)
    nisNetgroupTriple: (-,user7,domain)
    nisNetgroupTriple: (-,user8,domain)
    nisNetgroupTriple: (-,user9,domain)
    nisNetgroupTriple: (-,user10,domain)

  [ I did make a minor modification to the nis.schema. The PADL nss_ldap module had
    trouble querying the netgroups unless I changed the nisNetgroupTriple definition
    from 

    attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
        DESC 'Netgroup triple'
        SYNTAX 1.3.6.1.1.1.0.0 )

    to

    attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

  ]

Here's the slapd.conf I'm using:

    include             /usr/local/etc/openldap/schema/core.schema
    include             /usr/local/etc/openldap/schema/cosine.schema
    include             /usr/local/etc/openldap/schema/inetorgperson.schema
    include             /usr/local/etc/openldap/schema/misc.schema
    include             /usr/local/etc/openldap/schema/nis.schema
    include             /usr/local/etc/openldap/schema/samba.schema
    include             /usr/local/etc/openldap/schema/krb5-kdc.schema
    
    allow bind_v2
    allow bind_anon_cred
    allow bind_anon_dn
    allow update_anon
    
    pidfile         /var/run/slapd.pid
    database        bdb
    directory       /var/ldap/db
    modulepath      /usr/local/libexec/openldap
    lastmod         on
    cachesize       100000
    sizelimit       unlimited
    idlcachesize    300000
    threads         20
    
    suffix          dc=test,dc=org
    rootdn          cn=ldapadmin,dc=test,dc=org
    rootpw          XXXXXXXXXXXXXX
    
    sasl_host   server.cise.ufl.edu
    sasl_realm  CISE.UFL.EDU
    
    index objectclass               eq
    index cn                        pres,sub,eq
    index sn                        pres,sub,eq
    index uid                       pres,sub,eq
    index displayName               pres,sub,eq
    index uidNumber                 eq
    index gidNumber                 eq
    index memberUid                 eq
    index   sambaSID                eq
    index   sambaPrimaryGroupSID    eq
    index   sambaDomainName         eq
    index   default                 sub
    index   nisNetgroupTriple       pres,sub,eq
    index   memberNisNetgroup       pres,eq,sub
    index   krb5PrincipalName       pres,eq
    
    TLSCACertificateFile    /usr/local/lib/ssl/certs/-cacert.pem
    TLSCertificateKeyFile   /usr/local/lib/ssl/certs/server.cise.ufl.edu-key.pem
    TLSCertificateFile      /usr/local/lib/ssl/certs/server.cise.ufl.edu-cert.pem
    
    sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth"
            "cn=ldapadmin,dc=test,dc=org"
    
    sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth"
            "krb5PrincipalName=kadmin/admin@CISE.UFL.EDU"
    
    sasl-regexp
        "uid=(.+),cn=plain,cn=auth"
        "uid=$1,ou=Users,dc=test,dc=org"
    
    sasl-regexp
        "uid=(.+),cn=gssapi,cn=auth"
        "uid=$1,ou=Users,dc=test,dc=org"
    
    access to dn=""
      by * read
         
    access to dn.base=""
      by * read
    
    access to *
            by dn="cn=ldapadmin,dc=test,dc=org" write
            by self write
            by * read
            by anonymous auth
    
    access to attr=supportedSASLMechanisms,subschemaSubentry
      by anonymous read
      by * read

Also, here's the DB_CONFIG:

    set_cachesize   0       104857600       1
    set_lg_regionmax        1048576
    set_lg_max              10485760
    set_lg_bsize            2097152
    set_flags               DB_TXN_NOSYNC

Note this is still a test server, so these are not necessarily the final
forms of the slapd.conf/DB_CONFIG . 

My results with this setup are suprising. A run of the 10 ldapsearch 
requests at a time yield the following (20 server threads):

    Linux       :      10 ldapsearches on (objectClass=*)  :   ~3:15
    Sol10x86    :      10 ldapsearches on (objectClass=*)  :   ~0:06.5

So the queries that take over 3 minutes on Linux take less that 7 seconds
on Solaris x86. 

Here are results for changing the number of threads:

Linux:

    Threads     Shortest    Longest     Average
    -------------------------------------------
    8           2:07        3:19        2:34
    4           1:18        3:19        2:14
    2           (awful)

To my suprise, Solaris showed the same kinds of improvements with fewer threads,
bringing the shortest search time down to 2 1/2 seconds:

    Threads     Shortest    Longest     Average
    -------------------------------------------
    8           0:05.5      0:07        ~0:06
    4           0:02.5      0:06.7      ~0:04.6
    2           (didn't bother)

Ultimately, I'm interested in finding out why the Linux results are so 
much poorer -- I'm relatively new to OpenLDAP and want to make sure I'm 
not making any elementary mistakes before we go live with the new setup,
as it will be a Big Deal. 

Does anyone have any comments on this setup or these tests?

Thanks,

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------