Re: PAM/LDAP performance problem

[Stefan Brohs <sbrohs@iprimus0800.net>]

Alright, I was watching the following logs and discovered, that while 
looking for objectclass=posixaccount all entries (6000) were read. This 
took a long time, because I set the sizelimit parameter to 50000 before. 
I'm very sure, that this might be nonsense, but:

- why is PAM reading all group entries at all (and more than once)?
- and why does the login proceed when reducing the sizelimit (to 50) and 
the SRCH results in error??


[root@machine /root]# conn=136 fd=16 connection from unknown (127.0.0.1) 
accepted.
conn=136 op=0 BIND dn="" method=128
conn=136 op=0 RESULT err=0 tag=97 nentries=0
conn=136 op=1 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXACCOUNT)(uid=U190567))"
conn=136 op=1 RESULT err=0 tag=101 nentries=1
conn=136 op=2 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXGROUP)(gidnumber=7335))"
conn=136 op=2 RESULT err=0 tag=101 nentries=1
conn=136 op=3 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(objectclass=POSIXGROUP)"
conn=136 op=3 RESULT err=4 tag=101 nentries=50
conn=136 op=4 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXACCOUNT)(uid=U190567))"
conn=136 op=4 RESULT err=0 tag=101 nentries=1
conn=136 op=5 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXGROUP)(gidnumber=7335))"
conn=136 op=5 RESULT err=0 tag=101 nentries=1
conn=136 op=6 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(objectclass=POSIXGROUP)"
conn=136 op=6 RESULT err=4 tag=101 nentries=50
conn=136 op=7 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXACCOUNT)(uid=U190567))"
conn=136 op=7 RESULT err=0 tag=101 nentries=1
conn=136 op=8 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXGROUP)(gidnumber=7335))"
conn=136 op=8 RESULT err=0 tag=101 nentries=1
conn=136 op=9 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(objectclass=POSIXGROUP)"
conn=136 op=9 RESULT err=4 tag=101 nentries=50
conn=136 op=10 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXACCOUNT)(uid=U190567))"
conn=136 op=10 RESULT err=0 tag=101 nentries=1
conn=136 op=11 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXGROUP)(gidnumber=7335))"
conn=136 op=11 RESULT err=0 tag=101 nentries=1
conn=136 op=12 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(objectclass=POSIXGROUP)"
conn=136 op=12 RESULT err=4 tag=101 nentries=50
conn=136 op=13 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXACCOUNT)(uid=U190567))"
conn=136 op=13 RESULT err=0 tag=101 nentries=1
conn=136 op=14 SRCH base="OU=MACHINE,O=DOMAIN,C=DE" scope=2 
filter="(&(objectclass=POSIXGROUP)(gidnumber=7335))"
conn=136 op=14 RESULT err=0 tag=101 nentries=1
conn=136 op=15 UNBIND
...

Any further ideas??

Stefan

Todd Lyons wrote:

> begin  Stefan Brohs quotation:
>
> > Both, user lookup and password lookup seem to search the whole LDAP 
> > directory without using indexes (slapd takes 99% CPU for the time in 
> > question), even though they exist on almost all attributes (cn, uid, 
> > uidnumber, gid, gidnumber, etc.). Since ldapsearch is answering within 
>
>
> There's one item that it's looking for by attribute name and it's not
> finding it
>
> OR
>
> (this one got me bad), it's searching for some attribute  that has no 
> value assigned to it anywhere in the directory.  If no value is assigned
> anywhere in the directory, no index gets created for that attribute even 
> though you have an index defined in slapd.conf.
>
> Start slapd with a debug level -1 and you'll see exactly what it's
> searching for.  Shut down the server, modify the slapd.conf for the
> index, reindex the directory with slapindex (possibly having to do the 
> dummy record like I did above), and then restart the server.
>
> If it's more than that, I'll be learning myself.