[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam_ldap slow

You can try a couple things, aside from adding the additional indices:

    - Try using the Berkely DB backend
    - Try using nscd, to cache replies

Also, I forget which scope == 2, but try a scope of BASE or ONE,
rather than what I think might be a SUB search....


Matthew Gregg wrote:

> I'm authenticating users from a RedHat 7.1 box against OpenLDAP 2.0
> It seems to be working ok, except for slowness during group membership
> validation.
> I'm only using the LDAP for passwd and group data.
> Running slapd in debug mode, this filter appears to be run for group validation/membership:
> conn=0 op=2 SRCH base="dc=musc,dc=edu" scope=2
> filter="(&(objectClass=posixGroup)(|(memberUid=root)
> (uniqueMember=uid=testuser,ou=People,dc=musc,dc=edu)))"
> The data in the LDAP was loaded using the migration scripts from PADL
> and do not contain a "uniqueMember" attribute, but instead have only
> "memberuid".
> My ldap.conf file on the RH client is configured to use the memberuid:
> # Group member attribute
> pam_member_attribute memberuid
> I've looked everywhere for a fix/answer and the closest I've come is this
> post on the PADL mailing list:
> http://lists.spack.org/archives/padl.com/0155.html
> I have the following indexes setup:
> index cn eq
> index sn eq
> index uid eq
> index uidNumber eq
> index gidNumber eq
> index memberUid eq
> index uniqueMember pres
> index objectclass eq
> I have approx. 20K users and groups in the LDAP, could my speed
> problem just be because of the number of group entries?
> Any help or ideas would be greatly appreciated.
> --
> brought to you by, Matthew Gregg...
> one of the friendly folks in the IT Lab.
> --------------------------------------\
> The IT Lab (http://www.itlab.musc.edu) \____________________
> Probably the world's premier software development center.
> Serving: Programming, Tools, Ice Cream, Seminars