I have a problem with Slapd and Alias dereferencing. In the ldap we have created a special subtree that allocate logical structure for our application. For this purpose we use the aliases. They allow us in one subtree have normal structure used by our internal services and for second subtree has a dedicate logical structure for special apps.
Currently we tested different version of ldap:
- 2.4.28 with HDB
- 2.4.31 with HDB and MBD
- 2.4.41 with mdb
- 2.4.42 with MDB <--- this version we are currently using
On all version the dereferencing aliases is works very fast when we have about 2000 aliases and about 200000 entries in the Database. When we add additional 2000 aliases each search with aliases dereferencing hangs for 3 second. When we add additional 2000 (so 6000 alieases in DB) the search time increase for next 3 seconds.
I.E. search time for filter objectclass=user with -a always for:
-2000 aliases in DB is about 0,031s
-4000 aliases in DB is about 3,031s
-6000 aliases in DB is about 6,123s
And this search time was increase even if we add additional 2000 aliases outside the search base dn. We observed that during this 3, 6 second hangs one CPU core is about 100%, system does not wait for resources, memory is on the same level.
In the log I saw that slapd very fast dereferencing all aliases in subtree, hang for 3,6,9 seconds depends of aliases count and after that I saw:
mdb_dn2entry("cn=.....")
Sep 4 14:53:50 ds1 slapd[4280]: => mdb_dn2id("cn=....")
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_dn2id: got id=0x231
Sep 4 14:53:50 ds1 slapd[4280]: => mdb_entry_decode:
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_entry_decode
Sep 4 14:53:50 ds1 slapd[4280]: => mdb_filter_candidates
Sep 4 14:53:50 ds1 slapd[4280]: #011OR
Sep 4 14:53:50 ds1 slapd[4280]: => mdb_list_candidates 0xa1
Sep 4 14:53:50 ds1 slapd[4280]: => mdb_filter_candidates
Sep 4 14:53:50 ds1 slapd[4280]: #011EQUALITY
Sep 4 14:53:50 ds1 slapd[4280]: => mdb_equality_candidates (objectClass)
Sep 4 14:53:50 ds1 slapd[4280]: => key_read
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_index_read: failed (-30798)
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_equality_candidates: id=0, first=0, last=0
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_filter_candidates: id=0 first=0 last=0
Sep 4 14:53:50 ds1 slapd[4280]: => mdb_filter_candidates
Sep 4 14:53:50 ds1 slapd[4280]: #011EQUALITY
Sep 4 14:53:50 ds1 slapd[4280]: => mdb_equality_candidates (objectClass)
Sep 4 14:53:50 ds1 slapd[4280]: => key_read
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_index_read 3585 candidates
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_equality_candidates: id=3585, first=18960, last=239706
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_filter_candidates: id=3585 first=18960 last=239706
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_list_candidates: id=3585 first=18960 last=239706
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_filter_candidates: id=3585 first=18960 last=239706
Sep 4 14:53:50 ds1 slapd[4280]: mdb_search_candidates: id=3585 first=18960 last=239706
Sep 4 14:53:50 ds1 slapd[4280]: => mdb_entry_decode:
Sep 4 14:53:50 ds1 slapd[4280]: <= mdb_entry_decode
Sep 4 14:53:50 ds1 slapd[4280]: => test_filter
Sep 4 14:53:50 ds1 slapd[4280]: EQUALITY
Sep 4 14:53:50 ds1 slapd[4280]: => access_allowed: search access to "cn......." "objectClass" requested
Sep 4 14:53:50 ds1 slapd[4280]: <= root access granted
After that ldap start return object that is also very fast. When the query was finished I saw in log this info:
Sep 4 14:53:50 ds1 slapd[4280]: mdb_search: 18985 scope not okay
Sep 4 14:53:50 ds1 slapd[4280]: mdb_search: 18986 scope not okay
All other query that not derf. aliases are processed very fast. Search time about 32k entries in subtree without aliases is about 0,526s.
Our server DB and indexing settings:
maxsize 10737418240
checkpoint 1024 10
sizelimit 100000
maxderefdepth 2
searchstack 10
index accountid eq
index objectClass eq
index cn eq
index id eq
index name eq
index entryCSN eq
index entryUUID eq
Do you have any idea how we can tune search with aliases?
Regards
Karol