slow ldapsearch when binddn is not root
Hi list!
My master LDAP server runs OpenLDAP 2.3.38 on FreeBSD 6.2-STABLE.
The directory has ~5000 entries, which are Samba and qmail users.
I am experiencing strange behavior with the search response time. Here
are two searches, one done with the root DN and another with a user DN.
# time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Enter LDAP Password:
101.71s real 0.59s user 0.11s system
# time ldapsearch -D cn=root,dc=tempopar,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br -W -x > /dev/null
Enter LDAP Password:
3.13s real 0.53s user 0.08s system
My slapd.conf follows:
#####################
# slapd.conf start
#
# Global section: schema, runtime files, limits and modules shared by every
# database defined later in the file.
# samba.schema supplies the sambaSamAccount attributes (among them the
# sambaLMPassword / sambaNTPassword hashes) that the ACLs and the smbk5pwd
# overlay further down operate on.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/qmail.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Both loglevel lines are commented out, so logging runs at the default level.
# 160 = 128 (ACL processing) + 32 (search filter processing): enabling it
# briefly while repeating the slow search shows which access clauses slapd
# evaluates for each entry. It is very verbose; turn it off again afterwards.
#loglevel any
#loglevel 160
# Removes the server-wide cap on returned entries (slapd's default is 500), so
# any client that is allowed to search, not just the replicator, can pull the
# whole directory in one request.
# NOTE(review): consider keeping a finite global sizelimit and granting
# "unlimited" per DN through "limits", as is already done for the replicator.
sizelimit unlimited
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_hdb
moduleload back_monitor
moduleload smbk5pwd.so
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# NOTE(review): the three lines above are only the description from the stock
# sample file; no "security" directive follows them and no TLS* directives are
# visible in this file, so nothing here enforces confidentiality. The test
# searches use "-x -W" (simple bind), which sends the password unprotected
# unless the connection is wrapped in TLS. Confirm how clients connect.
# Per-DN override: the replication identity is exempt from time and size limits.
limits dn.exact="cn=replicator,dc=mydomain,dc=com,dc=br"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited
# NOTE(review): the next directive is commented out, but its two wrapped tail
# lines are not. This is presumably mail-client line wrapping of one long
# commented line; in the real file a bare "time.soft=..." line would not parse.
#limits dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited
# Access control list. slapd evaluates the "access to" clauses in file order:
# the first clause whose target matches the entry/attribute is used, then the
# first matching "by" line inside it; a clause whose "by" lines do not match
# ends in an implicit "by * none". Because these clauses come before the first
# "database" line they are global and also apply to cn=log and to the monitor
# database.
# The rootdn is never checked against this list. That is consistent with the
# cn=root search finishing in about 3 s while the uid=user search, which is
# checked against the list for every returned entry and attribute, takes about
# 100 s.
# NOTE(review): this points at ACL evaluation cost but does not prove it; the
# commented-out "loglevel 160" would confirm it.
#
# sambaLogonTime: one service DN may write, everyone (anonymous included) may read.
access to attrs=sambaLogonTime
by dn.exact="cn=logintimeupdator,dc=mydomain,dc=com,dc=br" write
by * read
# replicator and qmail-ldap get read access to every entry and attribute not
# matched above, userPassword included. "by * none break" grants nothing to
# anyone else but lets evaluation continue with the clauses below instead of
# stopping here.
access to *
by dn.exact="cn=replicator,dc=mydomain,dc=com,dc=br" read
by dn.exact="cn=qmail-ldap,dc=mydomain,dc=com,dc=br" read
by * none break
# userPassword: the owner and SysAdmins may write; everyone else may only use
# the value to authenticate.
# NOTE(review): "Sysadmins" here differs from the "SysAdmins" spelling used
# below only in case. DN comparison on cn is case-insensitive, so this should
# resolve to the same group; confirm and normalise the spelling.
# NOTE(review): no clause protects sambaLMPassword / sambaNTPassword. With
# "smbk5pwd-enable samba" configured further down, user entries presumably
# carry those hashes, and they fall through to the ou=Users clause below, whose
# "by * read" also matches anonymous clients. These hashes are
# password-equivalent for SMB authentication and need at least the protection
# userPassword has, e.g. an "access to attrs=sambaLMPassword,sambaNTPassword"
# clause placed here that allows write for self and the Samba admin DN and
# nothing for anyone else.
access to attrs=userPassword
by self write
by group.exact="cn=Sysadmins,dc=mydomain,dc=com,dc=br" write
by * auth
# shadowLastChange: writable by SysAdmins and by the owner, readable by all.
access to attrs=shadowLastChange
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
by self write
by * read
# All dn.regex targets below have the shape ^(.*,)?<base>$, i.e. "<base> and
# everything beneath it". dn.subtree="<base>" expresses the same scope without
# running a regular expression against every candidate entry; OpenLDAP's
# access-control guidance is to avoid regex where a scope style will do.
# Each group.exact "by" line additionally needs a group-membership check.
#
# Samba-managed subtrees: sambaadmin may write, everyone else may read.
access to dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"
by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
by * read
access to dn.regex="^(.*,)?ou=Domains,dc=mydomain,dc=com,dc=br$"
by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
by * read
access to dn.regex="^(.*,)?ou=Idmap,dc=mydomain,dc=com,dc=br$"
by dn.exact="cn=sambaadmin,dc=mydomain,dc=com,dc=br" write
by * read
# User entries: SysAdmins and the owner may write, everyone may read.
# NOTE(review): "by self write" covers every attribute not matched by an
# earlier clause, so a user can change identity-bearing attributes on their own
# entry (uidNumber, gidNumber, homeDirectory, sambaSID, mail routing
# attributes). Restrict self-write to the attributes users really need to edit.
# NOTE(review): "by * read" includes anonymous clients; if anonymous reads of
# the user tree are not required, use "by users read" instead.
access to dn.regex="^(.*,)?ou=Users,dc=mydomain,dc=com,dc=br$"
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
by self write
by * read
# Group entries: same pattern as ou=Users.
# NOTE(review): "self" only matches when the bound DN is the entry itself,
# which is unlikely for group entries, so this line probably never applies.
access to dn.regex="^(.*,)?ou=Groups,dc=mydomain,dc=com,dc=br$"
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
by self write
by * read
# The SysAdmins group entry itself: members may write. There is no other "by"
# line, so every DN not already granted access by an earlier clause gets the
# implicit "none".
access to dn.regex="^(.*,)?cn=SysAdmins,dc=mydomain,dc=com,dc=br$"
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
#access to dn.regex="^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$"
#access to dn.regex="^(.+,)?ou=Users,dc=mydomain,dc=com,dc=br$"
# by group.exact="cn=SysAdmins,ou=Groups,dc=mydomain,dc=com,dc=br" write
# by * read
# Catch-all for everything not matched above: SysAdmins write, anonymous
# clients may only authenticate, any authenticated DN may read.
# NOTE(review): as a global clause this is also what governs cn=log and the
# monitor database, neither of which defines ACLs of its own.
access to *
by group.exact="cn=SysAdmins,dc=mydomain,dc=com,dc=br" write
by anonymous auth
by * read
#######################################################################
#
# database definitions
#
#######################################################################
#
# access log
#
# Backing database for the accesslog overlay ("logdb cn=log" in the main
# database below); log records are stored as entries under cn=log.
# NOTE(review): this database has no ACLs of its own, so the global clauses
# apply and the final "access to * ... by * read" lets any authenticated DN read
# the log. Accesslog records keep the changed values (reqMod, and reqOld
# because "logold" is set), which can include password attributes. The
# slapo-accesslog documentation asks for access controls that prevent general
# access; add a database-level "access to *" here limited to the DNs that need
# the log.
database hdb
suffix cn=log
cachesize 10000
checkpoint 128 5
# Same rootdn as the main database. No rootpw appears for either database;
# presumably it was removed before posting.
rootdn "cn=root,dc=mydomain,dc=com,dc=br"
directory "/var/db/openldap/cn=log/data"
# Equality/presence indexes on the request attributes used to look up log records.
index reqStart eq
index reqDN pres,eq
index reqAuthzID pres,eq
#
# dc=mydomain,dc=com,dc=br
#
# Main directory database holding the Samba and qmail user entries.
database hdb
suffix "dc=mydomain,dc=com,dc=br"
# In-memory entry cache sized in entries; 10000 exceeds the ~5000 entries the
# post mentions.
cachesize 10000
# Checkpoint the transaction log after 128 KB written or 5 minutes.
checkpoint 128 5
# The rootdn bypasses access control and administrative limits for this
# database, which is why the cn=root search is not slowed by the ACL list.
# Searches bound as the rootdn are therefore not a valid baseline for what
# ordinary users experience.
rootdn "cn=root,dc=mydomain,dc=com,dc=br"
directory /var/db/openldap/dc=mydomain/data
#
# Overlays
#
# smbk5pwd in "samba" mode keeps the Samba password hashes in step with
# password changes. Those hash attributes therefore exist on user entries and
# need ACL protection comparable to userPassword.
overlay smbk5pwd
smbk5pwd-enable samba
# accesslog: record write operations into the cn=log database. "logold" also
# stores the previous contents of modified or deleted entries matching the
# filter; "logpurge" removes records older than 30 days, checked once a day.
overlay accesslog
logdb cn=log
logops writes
logold (objectClass=posixAccount)
logpurge 30+00:00 1+00:00
# syncprov: this server is a syncrepl provider. The contextCSN is checkpointed
# every 100 operations or 5 minutes; the session log keeps the last 200 writes.
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 200
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# "default" sets the index types used by index lines that name no type. Every
# index line in this file names its types, so this line has no visible effect.
index default sub
# entryCSN and entryUUID equality indexes support the syncprov overlay.
index entryCSN,entryUUID eq
index mailAlternateAddress pres,eq
index mail pres,eq
# Monitor backend (cn=Monitor).
# NOTE(review): no ACL is defined for it, so the global catch-all applies and
# any authenticated DN can read server and connection statistics; consider
# restricting it to administrators.
database monitor
#
# slapd.conf end
#####################
Could my ACLs be slowing the search this much? How can I improve them?
Any help is much appreciated.
Best Regards,
Alexandre