PAM/LDAP performance problem
Hi all,
We are desperately trying to use PAM/LDAP as a *fast* authentication
method for FTP logins. After installing and configuring, things were
working fine. But after adding 20000 user entries just for testing (we
expect much more in the future) the response time (ftp login) rose
from 3 seconds (4000 entries) up to 23 seconds (20000 user entries and
about 6000 group entries).
Both user lookup and password lookup seem to search the whole LDAP
directory without using indexes (slapd takes 99% CPU for the time in
question), even though they exist on almost all attributes (cn, uid,
uidnumber, gid, gidnumber, etc.). Since ldapsearch is answering within
fractions of a second and only ftp and shell login (and "id") are very
slow, we don't really have an idea what the problem could be. Ain't PAM
using indexes?
Can anybody help? Thanks in advance.
------------------------------------------------
RedHat Linux 7.0 - 2.2.17-14smp #1 SMP
openldap-1.2.11-15
openldap-clients-1.2.11-15
openldap-servers-1.2.11-15
pam-0.72-37
nss_ldap-122-1.7
proftpd-core-1.2.0rc3-2
proftpd-standalone-1.2.0rc3-2
slapd.conf:
-----------
index cn,uid,gid,domain pres,eq,approx,sub
index objectclass,homedirectory pres,eq
index default none
ldap.conf:
----------
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
User DN:
--------
uidnumber=20001, ou=machine, o=domain, c=de
objectclass=users
objectclass=posixAccount
objectclass=account
cn=U190567
uid=U190567
uidnumber=20001
gid=G190567
gidnumber=7335
homedirectory=/home/U190567
domain=test.com
loginshell=/bin/bash
userpassword={crypt}xxxxxxxxxxxx
Group DN:
---------
gidnumber=7335, ou=machine, o=domain, c=de
objectclass=posixGroup
cn=G190567
gid=G190567
gidnumber=7335
-------------------------------------------------------------
Best regards,
Stefan Brohs
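
Added example, not part of the original message: a small check that compares the index lines quoted from slapd.conf above with the attributes that account and group lookups filter on, and reports every lookup whose filter contains a term no quoted index can serve. The filter list is an assumption (RFC 2307-style filters of the kind NSS and PAM LDAP modules commonly issue); the function names are hypothetical.

```python
import re

# Index directives copied from the slapd.conf excerpt in the post.
SLAPD_CONF = """\
index cn,uid,gid,domain pres,eq,approx,sub
index objectclass,homedirectory pres,eq
index default none
"""

# ASSUMED, not from the post: RFC 2307-style filters for NSS/PAM lookups.
# The values are the sample user and group shown in the post.
LOOKUP_FILTERS = {
    "getpwnam / PAM login": "(&(objectclass=posixaccount)(uid=U190567))",
    "getpwuid": "(&(objectclass=posixaccount)(uidnumber=20001))",
    "getgrgid": "(&(objectclass=posixgroup)(gidnumber=7335))",
    "initgroups (id)": "(&(objectclass=posixgroup)(memberuid=U190567))",
}

def parse_indexes(conf):
    """Return ({attr: index types}, default types) from 'index' lines."""
    indexes = {}
    for parts in map(str.split, conf.lower().splitlines()):
        if len(parts) == 3 and parts[0] == "index":  # explicit types only
            kinds = set(parts[2].split(",")) - {"none"}
            for attr in parts[1].split(","):
                indexes[attr] = kinds
    default = indexes.pop("default", set())
    return indexes, default

def assertions(filt):
    """Yield (attr, index type needed) for each simple term of a filter."""
    for attr, op, val in re.findall(r"\(([\w-]+)(~=|=)([^()]*)\)", filt.lower()):
        need = "approx" if op == "~=" else "pres" if val == "*" else "sub" if "*" in val else "eq"
        yield attr, need

def unindexed(conf, filters):
    """Map lookup name -> filter attributes that no configured index serves."""
    indexes, default = parse_indexes(conf)
    report = {}
    for name, filt in filters.items():
        missing = sorted({a for a, need in assertions(filt)
                          if need not in indexes.get(a, default)})
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    print(unindexed(SLAPD_CONF, LOOKUP_FILTERS))
```

To check a real server, replace the assumed filters with the ones slapd records for a slow login and paste in the full set of index directives.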