[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Optimizing OpenLDAP pam authentication (it's very slow)

This is getting very frustrating.

I shut down slapd, deleted all files from the ldap db directory.
Re-migrated passwd and groups using the stock PADL scripts. then used
ldapadd to re-populate the ldap from the passwd and group ldifs.
Tried to login from a box using the ldap and it was still SLOW.
So I stopped slapd re-ran slapindex(fingers crossed), started slapd.
Again tried to login still SLOW.

Base LDAP entries look like this:
dn: dc=musc,dc=edu
objectClass: dcObject
objectClass: organization
o: Medical University of South Carolina
dc: musc

dn: cn=Manager,dc=musc,dc=edu
objectClass: organizationalRole
cn: Manager

dn: ou=People, dc=musc, dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups, dc=musc, dc=edu
ou: Groups
objectClass: top
objectClass: organizationalUnit

Passwd entries look like this:
dn: uid=greggmc,ou=People,dc=musc,dc=edu
uid: greggmc
cn: Matthew C Gregg
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: <removed>
loginShell: /bin/csh
uidNumber: 4675
gidNumber: 4675
homeDirectory: /home/greggmc
gecos: Matthew C Gregg

Group entries look like this now:
dn: cn=itlab,ou=Groups,dc=musc,dc=edu
objectClass: posixGroup
objectClass: top
cn: itlab
userPassword: {crypt}*
gidNumber: 1389
memberUid: binzafar
memberUid: jonesje
memberUid: sprovero
memberUid: starmerf
memberUid: starmerj

My indices look like this:
index uid,cn,uidNumber,gidNumber,memberUid eq
index uniqueMember pres
index objectClass pres,eq

What gives folks?  It still seems like the group lookup is running

Is anyone else on the list using OpenLDAP for pam authentication AND
has a large number of user and groups entries(10K+)?

On Thu, May 31, 2001 at 10:32:49AM -0600, Michael L Torrie wrote:
> Okay, my ldap server is running very quickly now.  I'm using the following
> indexes (I have not modified how the groups are stored from the migrate
> script):
> index uid,cn,gidNumber,uidNumber,memberUid eq
> index objectClass pres,eq
> I then ran slapindex and restart ldap.  Now when I ls -l all the user
> directories, they show up right away.  Logging in via samba on a windows
> machine barely touches ldap at all right now.  su'ing to a user is almost
> instant.  I'm also running nscd.  Those who are playing around with index
> settings, did you remember to run slapindex to generate the indexes?  Once
> I did that, things are full speed now.
> Does this help Matthew?
> Michael
> On Thu, 31 May 2001, Matthew Gregg wrote:
> > I've seen that and tried that.  What that does is "and" your filter
> > with the default filter.  How to change/override the default filter would be
> > the trick. Right?
> >
> > On Thu, May 31, 2001 at 05:24:41PM +0200, GOMBAS Gabor wrote:
> > > On Thu, May 31, 2001 at 11:12:38AM -0400, Matthew Gregg wrote:
> > >
> > > > Also, the filter that is being run is coming from nsswitch/pam_ldap.
> > > > It's not something that I can configure, without some code changes.
> > >
> > > Yes you can. Look at the sample ldap.conf in the nss_ldap distribution
> > > (the nss_base_* parameters).
> > >
> > > Gabor
> > >
> >
> >

brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars