RE: openldap is dog-slow???
You have a couple of options here. First of all, returning 7000 entries
is a very large result set. I consider this type of entry to be
administrative, which for my purposes can suffer the 30 second delay.
Even then, I can't think of why you'd request all of the entries very
Of course, I can't speak for your operating environment, but in my
research, I've found that about 20% of the number of users are actually
constantly active. Tuning openldap's entry cache and index cache can
seriously affect performance. Personally, I allow every entry and all of
the indexes in my ldbm to be cached by slapd (about 30,000 entries).
Obviously this makes for a pretty hefty memory footprint, but I have
servers dedicated to ldap.
As for the updates, I consider them to be irrelevant. OpenLDAP is not a
relational database. It's optimized for reads. Updates are totally
administrative. When you perform an update, it is flushed to disk before
returning unless you have the dbnosync option enabled in the config. You
can find info on this option in the man pages. Read about the
ramifications of using this before enabling.
On a relatively low-end sun ultrasparc (AXi 440mhz), I service email and
radius for over 80,000 users, on two ldap servers, and the slapd is never
using more than 10% of the CPU under normal circumstances (ie, I'm not
performing a massive update).
If you never plan on having more than 200,000 user entries in your
directory, then iPlanet works very well. Solaris8 comes with a 200k user
license (solaris is a free download, or 100 bucks for the cd). Otherwise,
it's about $1 USD per user. NDS (novell directory server) is about $2 USD
per user. Oracle is not a per-user pricing structure, but you're looking
at about 10,000 dollars at minimum for OID (oracle internet directory).
Given those options, I wasn't about to spend that cash. I'd rather spend
another 5,000 dollars on an additional server to add behind a load
balancer than to spend that much money on software. iPlanet is very fast.
I think Igor Brezac (on this list) did some testing and it turned out to
be about 3 times faster or so (isn't that what you said, Igor?).
That's basically the summary of the research I did when choosing an LDAP
Any other questions?
On Wed, 22 Aug 2001, Larry Weidig wrote:
> We are seeing poor performance at this point, but looking for
> suggestions/ideas to improve things. It takes the OpenLDAP server about
> 26-30 seconds to return a search of (objectClass=posixAccount) on a 7,000
> account server. We have the OpenLDAP 2.0.11 server running on a RedHat 7.1
> server, nss_ldap-149-4 and the latest RPM updates from RedHat. This is a
> PIII-550 with 512MB of RAM, mirrored drives and only a couple of developers
> using it at once. The load average is well below 0.2 most of the time. We
> have tried using db3 and gdbm backend databases for storage and did not
> really see any difference in either. We do have objectClass indexed so that
> is not the issue.
> * Larry A. Weidig (email@example.com)
> * Excel.Net,Inc. - http://www.excel.net/
> * (920) 452-0455 - Sheboygan/Plymouth area
> * (888) 489-9995 - Other areas, toll-free
> > -----Original Message-----
> > From: M. Yu [mailto:firstname.lastname@example.org]
> > Sent: Wednesday, August 22, 2001 4:49 AM
> > To: openldap-software@OpenLDAP.org
> > Subject: openldap is dog-slow???
> > Hey list,
> > I'm about to deploy OpenLDAP for centralized user
> > authentications. I had
> > second thoughts though when I read this post (see bottom) in
> > another list.
> > How true is this and are there any benchmarks available?
> > M. Yu
> > ============
> > I'm planning to use LDAP for UNIX user authentication through
> > RFC2307. I
> > recall reading a NetworkWorldFusion article where they stated that
> > OpenLDAP is dog-slow..
> > They were not kidding!! updating the posixAccount hierarchy
> > (analogous to
> > /etc/passwd) takes about 0.46 seconds PER ENTRY!! that's
> > horribly slow!!
> > Querying takes about 0.04 seconds (23 queries per second
> > maximum) which is
> > still very slow! there's no way I can deploy this in a production
> > environment with my user load!!
> > Hmmm.. anyone tried the iPlanet LDAP server?
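
An added example, not part of the original thread or of the OpenLDAP project's own material: a slapd.conf fragment for the ldbm backend showing the entry cache, index cache and sync settings the reply refers to. The suffix, directory path, dbcachesize value and the uid/uidNumber indexes are assumptions; cachesize matches the roughly 30,000 entries mentioned in the reply.

```conf
# slapd.conf fragment (OpenLDAP 2.0, back-ldbm), constructed example.
# Comments are kept on their own lines.

database    ldbm
# Placeholder suffix and database directory.
suffix      "dc=example,dc=com"
directory   /var/lib/ldap

# Entry cache: number of entries slapd keeps in memory (default 1000).
# 30000 is large enough to hold every entry of the directory in the reply.
cachesize   30000

# Index cache: bytes of memory used for each open index file
# (default 100000). 10 MB is an assumed value; size it to available RAM.
dbcachesize 10000000

# Equality indexes. objectClass is the one named in the thread;
# uid and uidNumber are assumed here because nss_ldap looks accounts up
# by those attributes.
index       objectClass,uid,uidNumber   eq

# dbnosync stops slapd from flushing each update to disk before it
# returns. Writes get faster, but changes still in memory are lost if
# slapd or the host goes down, so the directory can end up missing
# account or password updates that clients were told had succeeded.
# Left disabled here.
#dbnosync
```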