Re: ldapsearch is too slow after I deleted an entry

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Thursday, February 07, 2008 10:09 AM +0200 Amir Saad 
<eng__amir@hotmail.com> wrote:

> I setup OpenLDAP & MIT Kerberos successfully. I created a self-signed
> certificate for OpenLDAP and I configured the server to work only on
> ldaps. I migrated all existing users and groups to OpenLDAP. Everything
> was working just perfect till I added a new group object using ldapadd
> and then deleted it using ldapdelete, since then ldapsearch takes very
> long time to complete. It returns the correct results but after very long
> time. I tried ldapsearch -d8 to see what is going on and here are the
> errors I got:
> TLS certificate verification: Error, self signed certificate
> TLS certificate verification: depth: 0, err: 18, subject: [SOME
> INFORMATION HERE]
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TL! S trace: SSL_connect:SSLv3 read finished A
> TLS trace: SSL3 alert write:warning:bad certificate
> TLS: unable to get peer certificate.
>
> Do you think the delay is related to the above? What is wrong with
> OpenLDAP? I did not touch any configuration, only ldapadd and ldapdelete!
> This piece of software is very unstable :( Please help.

What version of OpenLDAP?  What database backend?  Have you actually tuned 
it correclty?  Added indices for the searches you use? etc.  I've found 
OpenLDAP to be both (a) extremely fast and (b) extremely stable.

And yes, you need to fix your cert configuration.  It looks like you 
created an invalid cert.

--Quanah



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration