[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP with 35000 users

Hi Michael, thanks for you email and advice.
I received an email today from someone of the list, telling that he is using +150000 users on a LDAP database.
And suggest me to maintain the file indexed, because it can slow down my server.
I'm going to do some tests next friday, and let's see what happen =)


Michael L Torrie wrote:
I'm using ldap in conjunction with kerberos and samba to serve up 4000 accounts to windows and linux clients (about 250 computers in all). I can say at this point that no, openldap will not sacle up to 35000+ users. I'm sure postfix would work okay, but openldap is a weak link.

I've found that the database is quite easily corrupted, as there's no write-locking (at least that I can tell) on the database, so if you use pam_ldap to change passwords, there is a possibility for corruption. I use special scripts that feed into a serializing postgreSQL table to make sure that writes are only done by one process. I'm sure this can be remedied, but I haven't looked much into it. (You could use SQL as a backend for ldap, but there are some downsides to this.) I stop my openldap server (I only have one at the moment) and dump out the database in text ldif form every night for backup purposes. (CVS can work with this, but 35000 entries would be a challenge -- a binary backup of /var/ldap would be in order.)

I've also been having significant problems with openldap (I'm using 2.0.16 or 17) leaking file handles until it can't operate anymore. I solve this by restarting ldap several times a day. Definitely not what you'd want in your environment. I've not followed this list too closely; maybe it's been addressed and fixed by now. (The same problem existed in 1.2.x some time ago, I learned from google.com.)

I've not got ldap replication setup but I've heard it's problematic. You'd definitely need several servers for load-balancing (slapd can get quite demanding) and reliablility.

On the positive side, it's quite adequate for our mixed environment. It's no doubt at least as stable as microsoft's active directory! From the traffic on this list, it's clear that work is progressing and these problems will be worked out sooner or later.

That's my experience thus far.


Borges & Rinolfi Soluções em Redes Corporativas
Security Officer
Profissional Certificado Conectiva Linux
www.techs.com.br/kidmumu - UIN 4553082 - LC 83522