[Date Prev][Date Next] [Chronological] [Thread] [Top]

Reverse Lookup slowing down LDAP bind?


    I've recently set up a two server ldap master -> slave "pair",
running Openldap 2.0.7 ...

I've been noticing that on the first few binds to the ldap server
(either one), it takes quite a long time (like in the realm of 30
seconds) to bind and then the query speeds along, nice and fast...

Once I've done a few binds, the binding process takes a fraction of a

I've since compiled version 2.0.8, it behaves in the same way.

I read a post that recommended shutting off reverse lookups with
"--enable-rlookups=no" (which seemed to be the default according to
"./configure --help" anyways), but that didn't change anything.

I read a post in the mailing list archives, and someone that claimed
that they've determined the cause of the significant slowdown:

*Then*, I checked my dnscache logs (I'm using djbdns), and noticed
that whenever a new bind was attempted, there was a lookup from the
ldap server being connected to, to the dns server(s) listed in the
ldap server's /etc/resolv.conf ....

Dnscache log entry:
@400000003b015ecf1330605c servfail
input/output error
@400000003b015ecf1331f69c sent 37663 40

I changed it from our djbdns servers to some other dns servers
(probably running bind) and now logins are very fast...!

Now although the problem is fixed/bandaided, there's two issues:

1) Why didn't the query from openldap2 -> dnscache work?

2) Why is the lookup even happening?  Shouldn't "--enable-rlookups=no"
stop this from happening at all?

Thanks for any help in advance :),

Eric Parusel
Systems Administrator
Global Relay