
Re: OpenLDAP performance tuning and scalability



>I finally got OpenLDAP authentication to work under RedHat Linux 7.2 
>(with all the updates)....  Unfortunately, during the auth process my

Congrats.

>cpu utilization goes through the roof on my dual PIII 933 test box
>(with 1Gb of RAM and 397 Gb of Diskspace - mostly on /home)...  I see 3
>slapd processes that utilize over 89% on one CPU and 79% on the other
>(combined) during the auth and then it calms down....  and the auth
>takes almost 15 seconds!

Ouch!

You may need to diddle with sysctl settings.  RH boxes (IMHO) don't
default to real server-like settings.  See -
ftp://kalamazoolinux.org/pub/pdf/PerfTune2001.pdf

Do you have an index on objectclass, uid, uidNumber, gidNumber, gid, and
host?

Try rebuilding your indexes with slapindex

I am growing a performance tuning section in my LDAP presentation -
ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf

>I can't have this....  I need to move away from a flat file user system 
>(I have 25K+ users right now) and move to a centralized auth that can
>handle the pop3, ftp, ssh, and postscript auth requests without killing
>the system.....  and OpenLDAP seems to be the only route to go to since
>there are a boatload of nice migration and maintenance/management
>utilities.  I've since removed OpenLDAP and installed IBM's SecureWay
>LDAP Server but it doesn't have the object classes and attributes built
>in that OpenLDAP does.....

Try increasing your dbcachesize?

Do you have the LDAP db in its own filesystem?  If it is ext3 try
setting data=journal.  OpenLDAP fsync()s a lot and that can REALLY help.
Also try moving the journal to a drive other than the one the actual db
is on.

Set noatime on the db filesystem

>I used the RPMs to install OpenLDAP....  are there any tuning parameters 
>that I can use to speed things up a bit?  If I compile the source, are
>there any compile-time options that would help this out?  I really love
>OpenLDAP's simplicity of install and configuration - but I'm growing
>user accounts like crazy and I need to be able to authenticate a
>boatload of them simultaneously, constantly, and quickly without
>driving my processors into the red.

You need LOTS of simultaneous connections,  what is your "threads"
setting?

>Also, (as if this weren't enough), I was curious if there is anything out 
>there that could read in an existing LDAP directory and create home
>directories based on the users found.....  I don't want any entries
>created in /etc/passwd or /etc/group....  just the creation of the home

You want pam_mkhomedir
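
The checks suggested in the reply above (indexes on the listed attributes, plus the dbcachesize and threads settings) can be run against a slapd.conf mechanically. This is an added example, not part of the original message; the sample configuration and its values are constructed, and the attribute list is taken as written in the reply.

```python
# Attributes the reply asks about, exactly as listed there.
WANTED = ["objectclass", "uid", "uidNumber", "gidNumber", "gid", "host"]
# Tunables the reply asks about.
TUNABLES = ["dbcachesize", "threads"]

# Constructed sample slapd.conf (hypothetical values, not from the thread).
SAMPLE = """\
# constructed sample
database ldbm
suffix "dc=example,dc=com"
directory /var/lib/ldap
index objectClass,uid eq
index uidNumber,gidNumber
  eq
threads 32
"""

def logical_lines(text):
    """Drop comments and blanks; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text):
    """Return (attributes without an index, tunables not set, tunables found)."""
    indexed, found = set(), {}
    for line in logical_lines(text):
        parts = line.split()
        key = parts[0].lower()
        if key == "index" and len(parts) >= 2:
            # The attribute list is comma-separated; names are case-insensitive.
            indexed.update(a.lower() for a in parts[1].split(",") if a)
        elif key in TUNABLES and len(parts) >= 2:
            found[key] = parts[1]
    missing = [a for a in WANTED if a.lower() not in indexed]
    unset = [t for t in TUNABLES if t not in found]
    return missing, unset, found

if __name__ == "__main__":
    missing, unset, found = audit(SAMPLE)
    print("no index for:", ", ".join(missing) or "none")
    print("not set:", ", ".join(unset) or "none", "| set:", found)
```

After adding any missing index lines, rebuild with slapindex as the reply says, since existing entries are not indexed retroactively.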