Re: Privileged connections in back-ldap/back-meta

[Howard Chu <hyc@symas.com>]

Pierangelo Masarati wrote:
> I'm facing the problem of having too many threads operating on the same 
> privileged connections in back-ldap/back-meta, which seems to cause poor 
> scalability.  This mainly occurs because we want all operations to be 
> performed as a privileged identity with proxyAuthz.  For this purpose I 
> plan to move privileged connections out of the connection AVL tree into 
> ldapinfo_t, so that we save a search in the tree, and keep multiple 
> instances of privileged connections in a LDAP_TAILQ structure of fixed 
> maximum length to use them round-robin.  Each type of privileged 
> connection uses a dedicated list, so in our case we basically keep two 
> lists: one for the privileged user and one for binds, which are now 
> serialized into one privileged connection since all subsequent 
> operations use proxyAuthz.  A prototype is being tested, which doesn't 
> work too bad (scalability did not dramatically improve yet, so there 
> might be other bottlenecks, but at least some repeatable transient hangs 
> disappeared).  Comments?

Sounds like that will work well. If the target server is an OpenLDAP 
server, it will limit the number of concurrently executing ops on a 
connection, which would definitely create a bottleneck using just one 
privileged connection. Likewise, distributing requests across multiple 
connections will reduce mutex contention in libldap_r, so that should 
also be a win.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/