Re: Optimizing OpenLDAP pam authentication (it's very slow)
This is getting very frustrating.
I shut down slapd, deleted all files from the ldap db directory.
Re-migrated passwd and groups using the stock PADL scripts, then used
ldapadd to re-populate the ldap from the passwd and group ldifs.
Tried to log in from a box using the ldap and it was still SLOW.
So I stopped slapd, re-ran slapindex (fingers crossed), started slapd.
Again tried to log in, still SLOW.
Base LDAP entries look like this:
o: Medical University of South Carolina
dn: ou=People, dc=musc, dc=edu
dn: ou=Groups, dc=musc, dc=edu
Passwd entries look like this:
cn: Matthew C Gregg
gecos: Matthew C Gregg
Group entries look like this now:
My indices look like this:
index uid,cn,uidNumber,gidNumber,memberUid eq
index uniqueMember pres
index objectClass pres,eq
What gives folks? It still seems like the group lookup is running
Is anyone else on the list using OpenLDAP for pam authentication AND
has a large number of user and group entries (10K+)?
On Thu, May 31, 2001 at 10:32:49AM -0600, Michael L Torrie wrote:
> Okay, my ldap server is running very quickly now. I'm using the following
> indexes (I have not modified how the groups are stored from the migrate
> index uid,cn,gidNumber,uidNumber,memberUid eq
> index objectClass pres,eq
> I then ran slapindex and restarted ldap. Now when I ls -l all the user
> directories, they show up right away. Logging in via samba on a windows
> machine barely touches ldap at all right now. su'ing to a user is almost
> instant. I'm also running nscd. Those who are playing around with index
> settings, did you remember to run slapindex to generate the indexes? Once
> I did that, things are full speed now.
> Does this help Matthew?
> On Thu, 31 May 2001, Matthew Gregg wrote:
> > I've seen that and tried that. What that does is "and" your filter
> > with the default filter. How to change/override the default filter would be
> > the trick. Right?
> > On Thu, May 31, 2001 at 05:24:41PM +0200, GOMBAS Gabor wrote:
> > > On Thu, May 31, 2001 at 11:12:38AM -0400, Matthew Gregg wrote:
> > >
> > > > Also, the filter that is being run is coming from nsswitch/pam_ldap.
> > > > It's not something that I can configure, without some code changes.
> > >
> > > Yes you can. Look at the sample ldap.conf in the nss_ldap distribution
> > > (the nss_base_* parameters).
> > >
> > > Gabor
> > >
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
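
Added example, not part of the original thread and not code from OpenLDAP or nss_ldap: a small Python check that parses the `index` lines quoted in the message and reports which terms of a search filter have no matching index type. The two sample filters and the uid `jdoe` are constructed assumptions; the filters a server really receives have to be read from its own logs.

```python
import re

# Index directives exactly as quoted in the message above (slapd.conf syntax).
SLAPD_CONF = """\
index uid,cn,uidNumber,gidNumber,memberUid eq
index uniqueMember pres
index objectClass pres,eq
"""

# Constructed sample filters (assumptions, not taken from the thread).
SAMPLE_FILTERS = [
    "(&(objectClass=posixGroup)(memberUid=jdoe))",
    "(&(objectClass=posixGroup)(uniqueMember=uid=jdoe,ou=People,dc=musc,dc=edu))",
]

# Simple "(attr=value)" items only; >=, <= and ~= items are not matched.
ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)=([^()]*)\)")


def parse_indexes(conf):
    """Map lower-cased attribute name -> set of index types (pres, eq, sub, ...)."""
    indexes = {}
    for line in conf.splitlines():
        parts = line.split()
        # Only 'index <attr,list> <type,list>' lines are handled here.
        if len(parts) != 3 or parts[0].lower() != "index":
            continue
        for attr in parts[1].split(","):
            indexes.setdefault(attr.lower(), set()).update(parts[2].lower().split(","))
    return indexes


def unindexed_terms(ldap_filter, indexes):
    """Return (attr, index type) pairs the filter needs but the config lacks."""
    missing = []
    for attr, value in ITEM.findall(ldap_filter):
        # (attr=*) is a presence test; a value containing * is a substring match.
        kind = "pres" if value == "*" else "sub" if "*" in value else "eq"
        if kind not in indexes.get(attr.lower(), set()):
            missing.append((attr.lower(), kind))
    return missing


if __name__ == "__main__":
    idx = parse_indexes(SLAPD_CONF)
    for f in SAMPLE_FILTERS:
        print(f, "->", unindexed_terms(f, idx) or "all terms indexed")
```
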