
Re: Optimizing OpenLDAP pam authentication (it's very slow)



This is getting very frustrating.

I shut down slapd, deleted all files from the ldap db directory.
Re-migrated passwd and groups using the stock PADL scripts, then used
ldapadd to re-populate the ldap from the passwd and group ldifs.
Tried to log in from a box using the ldap and it was still SLOW.
So I stopped slapd, re-ran slapindex (fingers crossed), started slapd.
Again tried to log in, still SLOW.

Base LDAP entries look like this:
dn: dc=musc,dc=edu
objectClass: dcObject
objectClass: organization
o: Medical University of South Carolina
dc: musc

dn: cn=Manager,dc=musc,dc=edu
objectClass: organizationalRole
cn: Manager

dn: ou=People, dc=musc, dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups, dc=musc, dc=edu
ou: Groups
objectClass: top
objectClass: organizationalUnit


Passwd entries look like this:
dn: uid=greggmc,ou=People,dc=musc,dc=edu
uid: greggmc
cn: Matthew C Gregg
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: <removed>
loginShell: /bin/csh
uidNumber: 4675
gidNumber: 4675
homeDirectory: /home/greggmc
gecos: Matthew C Gregg

Group entries look like this now:
dn: cn=itlab,ou=Groups,dc=musc,dc=edu
objectClass: posixGroup
objectClass: top
cn: itlab
userPassword: {crypt}*
gidNumber: 1389
memberUid: binzafar
memberUid: jonesje
memberUid: sprovero
memberUid: starmerf
memberUid: starmerj

My indices look like this:
index uid,cn,uidNumber,gidNumber,memberUid eq
index uniqueMember pres
index objectClass pres,eq

What gives, folks?  It still seems like the group lookup is running
un-indexed.

Is anyone else on the list using OpenLDAP for pam authentication AND
has a large number of user and group entries (10K+)?




On Thu, May 31, 2001 at 10:32:49AM -0600, Michael L Torrie wrote:
> Okay, my ldap server is running very quickly now.  I'm using the following
> indexes (I have not modified how the groups are stored from the migrate
> script):
> 
> index uid,cn,gidNumber,uidNumber,memberUid eq
> index objectClass pres,eq
> 
> I then ran slapindex and restarted ldap.  Now when I ls -l all the user
> directories, they show up right away.  Logging in via samba on a windows
> machine barely touches ldap at all right now.  su'ing to a user is almost
> instant.  I'm also running nscd.  Those who are playing around with index
> settings, did you remember to run slapindex to generate the indexes?  Once
> I did that, things are full speed now.
> 
> Does this help Matthew?
> 
> Michael
> 
> On Thu, 31 May 2001, Matthew Gregg wrote:
> 
> > I've seen that and tried that.  What that does is "and" your filter
> > with the default filter.  How to change/override the default filter would be
> > the trick. Right?
> >
> > On Thu, May 31, 2001 at 05:24:41PM +0200, GOMBAS Gabor wrote:
> > > On Thu, May 31, 2001 at 11:12:38AM -0400, Matthew Gregg wrote:
> > >
> > > > Also, the filter that is being run is coming from nsswitch/pam_ldap.
> > > > It's not something that I can configure, without some code changes.
> > >
> > > Yes you can. Look at the sample ldap.conf in the nss_ldap distribution
> > > (the nss_base_* parameters).
> > >
> > > Gabor
> > >
> >
> >
> 

-- 
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
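
Added example, not part of the original message and not OpenLDAP or nss_ldap code: a small Python check of which search-filter terms the index lines quoted in the message can serve. The sample filters are constructed for illustration (they are not taken from the poster's slapd log), and the function names are hypothetical.

```python
import re

# Index directives copied from the message above.
SLAPD_INDEX_LINES = """\
index uid,cn,uidNumber,gidNumber,memberUid eq
index uniqueMember pres
index objectClass pres,eq
"""

# Constructed sample filters (assumptions, not captured from a real slapd log).
SAMPLE_FILTERS = [
    "(&(objectClass=posixAccount)(uid=greggmc))",
    "(&(objectClass=posixGroup)(memberUid=greggmc))",
    "(&(objectClass=posixGroup)(uniqueMember=uid=greggmc,ou=People,dc=musc,dc=edu))",
]

# One simple filter item: (attr=value) or (attr~=value). Ordering matches are ignored.
TERM = re.compile(r"\(([A-Za-z][\w;.-]*)(~=|=)([^()]*)\)")

def parse_indexes(text):
    """Map lower-cased attribute name -> set of index types from 'index' lines."""
    indexes = {}
    for line in text.splitlines():
        parts = line.split()
        # Lines without explicit types depend on 'index default' and are skipped here.
        if len(parts) < 3 or parts[0].lower() != "index":
            continue
        for attr in parts[1].split(","):
            indexes.setdefault(attr.lower(), set()).update(parts[2].lower().split(","))
    return indexes

def needed_index(op, value):
    """Index type a single filter item relies on."""
    if op == "~=":
        return "approx"
    if value == "*":
        return "pres"
    return "sub" if "*" in value else "eq"

def uncovered_terms(filter_str, indexes):
    """Return (attribute, index type) pairs in the filter that no index line covers."""
    return [(attr, needed_index(op, value))
            for attr, op, value in TERM.findall(filter_str)
            if needed_index(op, value) not in indexes.get(attr.lower(), set())]

if __name__ == "__main__":
    idx = parse_indexes(SLAPD_INDEX_LINES)
    for f in SAMPLE_FILTERS:
        print(f, "->", uncovered_terms(f, idx) or "all terms indexed")
```

To check a real deployment, replace SAMPLE_FILTERS with the filter strings slapd actually logs for the slow lookups.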