
RE: PAM/LDAP performance problem



If you increment the slapd trace level (256?), I think you could check in the
logs what searches are made by PAM, and verify that they are only on indexed
attributes.

You should also check the memory size of slapd.
With 1.2.11, on FreeBSD, with a 30,000-entry tree, I noticed that searches
on non-indexed attributes were consuming a large amount of memory. It seemed
that there was a memory leak: slapd grew by 2-3 Mb with each search, and
never freed the memory. The workaround was to put correct indexes on the
right attributes.

Frederic.

> -----Original Message-----
> From: Stefan Brohs [mailto:sbrohs@iprimus0800.net]
> Sent: Thursday, July 5, 2001 17:12
> To: openldap-software@OpenLDAP.org
> Subject: PAM/LDAP performance problem
> 
> 
> Hi all,
> 
> we are desperately trying to use PAM/LDAP as a *fast* authentication
> method for FTP logins. After installing and configuring, things were
> working fine. But after adding 20000 user entries just for testing (we
> expect much more in the future) the response time (ftp login) rose
> from 3 seconds (4000 entries) up to 23 seconds (20000 user entries and
> about 6000 group entries).
>
> Both user lookup and password lookup seem to search the whole LDAP
> directory without using indexes (slapd takes 99% CPU for the time in
> question), even though they exist on almost all attributes (cn, uid,
> uidnumber, gid, gidnumber, etc.). Since ldapsearch is answering within
> fractions of a second and only ftp and shell login (and "id") are very
> slow we don't really have an idea what the problem could be. Ain't PAM
> using indexes?
> 
> Can anybody help? Thanks in advance.
> 
> ------------------------------------------------
> RedHat Linux 7.0 - 2.2.17-14smp #1 SMP
> openldap-1.2.11-15
> openldap-clients-1.2.11-15
> openldap-servers-1.2.11-15
> pam-0.72-37
> nss_ldap-122-1.7
> proftpd-core-1.2.0rc3-2
> proftpd-standalone-1.2.0rc3-2
> 
> slapd.conf:
> -----------
> index           cn,uid,gid,domain               pres,eq,approx,sub
> index           objectclass,homedirectory       pres,eq
> index           default                         none
> 
> ldap.conf:
> ----------
> pam_filter objectclass=posixaccount
> pam_login_attribute uid
> pam_member_attribute gid
> 
> User DN:
> --------
> uidnumber=20001, ou=machine, o=domain, c=de
> objectclass=users
> objectclass=posixAccount
> objectclass=account
> cn=U190567
> uid=U190567
> uidnumber=20001
> gid=G190567
> gidnumber=7335
> homedirectory=/home/U190567
> domain=test.com
> loginshell=/bin/bash
> userpassword={crypt}xxxxxxxxxxxx
> 
> Group DN:
> ---------
> gidnumber=7335, ou=machine, o=domain, c=de
> objectclass=posixGroup
> cn=G190567
> gid=G190567
> gidnumber=7335
> -------------------------------------------------------------
> 
> Best regards,
> 
> Stefan Brohs
>
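
The check suggested in the reply above (see which filters reach slapd and whether each filtered attribute is indexed) can be scripted. This is an added example, not code from the thread: the `index` lines are copied from the quoted slapd.conf, while the log lines are constructed and assume the stats-level `SRCH ... filter="..."` format with RFC 2307-style filters.

```python
import re

# Index directives copied from the slapd.conf quoted in the thread.
SLAPD_CONF = """\
index           cn,uid,gid,domain               pres,eq,approx,sub
index           objectclass,homedirectory       pres,eq
index           default                         none
"""

# Constructed sample: stats-level "SRCH" lines (assumed format) carrying
# RFC 2307-style filters. None of these lines come from the thread.
SAMPLE_LOG = """\
slapd[411]: conn=7 op=1 SRCH base="o=domain, c=de" scope=2 filter="(&(objectclass=posixaccount)(uid=U190567))"
slapd[411]: conn=8 op=1 SRCH base="o=domain, c=de" scope=2 filter="(&(objectclass=posixAccount)(uidNumber=20001))"
slapd[411]: conn=9 op=1 SRCH base="o=domain, c=de" scope=2 filter="(&(objectclass=posixGroup)(memberUid=U190567))"
slapd[411]: conn=9 op=2 SRCH base="o=domain, c=de" scope=2 filter="(homedirectory=/home/U19*)"
"""

ITEM = re.compile(r"\(([A-Za-z][\w;.-]*)(~=|>=|<=|=)([^()]*)\)")

def indexed_attrs(conf):
    """Map attribute (lower-cased) -> set of index types it is built with."""
    idx = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "index":
            kinds = parts[2].lower().split(",") if len(parts) > 2 else ["pres", "eq", "approx", "sub"]
            for attr in parts[1].lower().split(","):
                idx[attr] = set(kinds) - {"none"}
    return idx

def needed_index(op, value):
    """Index type a single filter item needs (range items have none here)."""
    if op != "=":
        return "approx" if op == "~=" else "range"
    return "pres" if value == "*" else "sub" if "*" in value else "eq"

def unindexed_searches(log, conf):
    """Return (attribute, needed index type, filter) per unindexed filter item."""
    idx = indexed_attrs(conf)
    default = idx.pop("default", set())  # assumption: unindexed if no default line
    findings = []
    for line in log.splitlines():
        m = re.search(r'SRCH .*filter="(.*)"', line)
        for attr, op, value in ITEM.findall(m.group(1)) if m else []:
            need = needed_index(op, value)
            if need not in idx.get(attr.lower(), default):
                findings.append((attr, need, m.group(1)))
    return findings
```

Calling `unindexed_searches(SAMPLE_LOG, SLAPD_CONF)` flags the `uidNumber` and `memberUid` equality filters, which fall through to `index default none`, and the substring search on `homedirectory`, which is indexed for `pres,eq` only.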