[Date Prev][Date Next] [Chronological] [Thread] [Top]

Large Number of Transactions x Low performance

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Large Number of Transactions x Low performance
From: Alessandro Lasmar Mourao <alessandro.mourao@caixa.gov.br>
Date: Thu, 29 Jan 2015 19:49:29 +0000
Accept-language: pt-BR, en-US
Content-language: pt-BR
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=caixa.gov.br; i=postmaster@caixa.gov.br; l=6075; q=dns/txt; s=caixadkim; t=1422560981; x=1454096981; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; z=From:=20Alessandro=20Lasmar=20Mourao=20<alessandro.moura o@caixa.gov.br>|To:=20"openldap-technical@openldap.org" =20<openldap-technical@openldap.org>|Subject:=20Large=20N umber=20of=20Transactions=20x=20Low=20performance|Date: =20Thu,=2029=20Jan=202015=2019:49:29=20+0000|Message-ID: =20<28AB54FB485A754DA492D80E5C43E2635E71A99C@dfexchsd002. corp.caixa.gov.br>|Content-Transfer-Encoding:=20quoted-pr intable|MIME-Version:=201.0; bh=ahVBBdRCoBMfujCYHQow/1prWw22yTa/BVIAT3kPjIk=; b=u/D+Y6PeH4N/kIEnlHc5lDPRNpDm0u3whsc71XvqBVEPGEhK2GVLZLkQ DtmLPHjfLVQhOVKKQFK6fV3z7Rjlzg2oT1nQ/Tl/HqbNEXV6Tf1UexRk2 a87tkThEBucTJ/gGHCK5e91Wta26luOvPFsuH59yYRMqPYlcb9HkCoc1k DAFl95RIhr3VI24oeNHC+I5xiqZE0OnAJ1fGv+tIxjJD8hxq5bBmmG/Ea eAagJG/aXBglwQwPsF5Zmxpmeqf01WlY4qEeH+Aocf+u2E1d9WtVT2XbR ngJVB1EbYwLmiKVwI2jbDbuZWoQVvEFwcyK+2UsrsNzaBY2wCvk+Kndyi g==;
Thread-index: AdAw7OLRVRdv9BptQ5Omb6AS0pIyLAABqNfwAAFhlPACv68cIA==
Thread-topic: Large Number of Transactions x Low performance

Hi,

I work in a company that has 140,000 registered users in OpenLDAP. This OpenLDAP is used for authentication of our internal systems. In our tree of groups we have the systems and below the each system there are the groups' authorization (systems profiles). The user is bound in each group according to position, function and department in the company.
When a user replaces another user hierarchically higher, this user is taken from the respective group (that he belonged) and registered in user_group with the highest hierarchy.
This movement in the company is very common, and this is the cause of our problems.
We have a group with 50,000 registered users, and when we need to delete a user of that group or add a new one, OpenLADP takes up to 6 minute to effect the transaction.
We have a tool (BMC Identity Management (formerly Control-SA)) that automates the transactions, but due to delay in the transactions are with a row of 100,000 operations of insert / delete to perform.
I wonder if you have any way to improve the performance of OpenLDAP for these write operations.
The OpenLDAP version is 2.4.40.

Thanks,

Alessandro Lasmar Mourão

Below is our slapd.conf:

##############################################
serverID        2
idletimeout     0
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ldap.schema
include         /etc/ldap/schema/ppolicy.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        256
modulepath      /usr/lib/ldap/
moduleload      back_mdb
moduleload      back_monitor
moduleload      memberof
moduleload      ppolicy
moduleload      syncprov
moduleload      refint
moduleload      accesslog
sizelimit       250
tool-threads    16
password-hash   {SSHA}
monitoring      true
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercrt.pem
TLSCertificateKeyFile /etc/ssl/certs/serverkey.pem
backend         mdb
database        config
rootdn          "cn=admin,cn=config"
rootpw          secret
monitoring      true
database        monitor
rootdn          "cn=admin,cn=monitor"
rootpw          secret
monitoring      true
database        mdb
suffix          "cn=accesslog"
rootdn          "cn=admin,cn=accesslog"
rootpw          secret
maxsize         1073741824
monitoring      true
directory       "/var/lib/ldap/intranet/log"
index           default               eq,pres,sub
index           entryCSN              eq,pres
index           objectClass,reqEnd    eq,pres
index           reqResult,reqStart    eq,pres
limits          dn.exact="uid=replication,ou=Users,o=company" size.soft=unlimited size.hard=unlimited time.soft=unlimited 	time.hard=unlimited
overlay         syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
access to *
       by dn.base="uid=replication,ou=Users,o=company" read
       by * break
database        mdb
suffix          "o=company"
rootdn          "cn=admin,o=company"
rootpw          secret
maxsize         4294967296
monitoring      true
overlay         ppolicy
ppolicy_use_lockout
ppolicy_hash_cleartext
ppolicy_default "cn=default,ou=policy,o=company"
overlay         memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-refint true
overlay         refint
refint_attributes uniqueMember
overlay         accesslog
logdb           "cn=accesslog"
logops          writes
logsuccess      TRUE
logpurge        07+00:00 01+00:00
limits          dn.exact="uid=replication01,ou=Users,o=company" 	size.soft=unlimited size.hard=unlimited time.soft=unlimited 	time.hard=unlimited
limits          dn.exact="uid=replication02,ou=Users,o=company" 	size.soft=unlimited size.hard=unlimited time.soft=unlimited 	time.hard=unlimited
limits          dn.exact="uid=replication03,ou=Users,o=company" 	size.soft=unlimited size.hard=unlimited time.soft=unlimited 	time.hard=unlimited
limits          dn.exact="uid=replication04,ou=Users,o=company" 	size.soft=unlimited size.hard=unlimited time.soft=unlimited 	time.hard=unlimited
overlay         syncprov
syncprov-checkpoint 1000 20
syncprov-sessionlog 10000
syncrepl        rid=100
                provider=ldap://10.192.184.195:389
                searchbase="o=company"
                logbase="cn=accesslog"
                logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
                type=refreshAndPersist
                retry="60 +"
                scope=sub
                schemachecking=on
                bindmethod=simple
                binddn="uid=replication01,ou=Users,o=company"
                credentials=secret
mirrormode      true
directory       "/var/lib/ldap/intranet"
directory       "/var/lib/ldap/intranet"
index           objectClass           eq,pres
index           uniqueMember,memberof eq,pres
index           nu-cpf,nu-cnpj        eq,pres
index           dt-nascimento         pres
index           entryUUID,entryCSN    eq,pres
index           uid,ou,cn,sn,mail     eq,pres,sub
index           default,givenname     eq,pres,sub
lastmod         on
checkpoint      1024 10
access to attrs=userPassword,shadowLastChange
       by dn="cn=admin,o=company" write
       by dn.exact="uid=replica01,ou=Users,o=company" read
       by dn.exact="uid=replica02,ou=Users,o=company" read
       by dn.exact="uid=replica03,ou=Users,o=company" read
       by dn.exact="uid=replica04,ou=Users,o=company" read
       by anonymous auth
       by self write
       by * none
access to *
       by dn="cn=admin,o=company" write
       by * read

Follow-Ups:
- Re: Large Number of Transactions x Low performance
  - From: Michael Ströder <michael@stroeder.com>
- Re: Large Number of Transactions x Low performance
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

Prev by Date: Re: LMDB usage on windows - to much memory needed
Next by Date: I have added customized schema in ldap, and it is displaying under schema section (phpldapadmin), but how to make accounts on basis of that schema.
Index(es):
- Chronological
- Thread