
Solved issues: dismal performance, and I have no name



Hi all,

I want to thank everyone who fought over my issues :-)  First, I'll describe
the problems I've had up to this point (it's still early on in the migration
process to LDAP, by the way)...

1.  I finally got a shell server to look at our ldap directory for
authentication, but then when I would log in to the shell server (using
ssh), my prompt would say 'I have no name!@host', and a regular user could
not see usernames when running 'ls -l' - only numbers.

2.  Once I got past problem 1, performance was completely and disgustingly
slow.  Running 'ls -l' in a directory containing about 15 subdirectories -
all owned by different people, took roughly 8-10 seconds!

My setup:  

Directory server:  I'm just testing right now, so I have an all stock RH 7.3
server - including the stock openldap rpmz.

SSH server:  A PC running rh 7.3 - also all stock.

I've changed as little as possible on these machines *on purpose*.  There's
no ssl yet, no crypted password even!  It's all stock.  The /etc/pam.d/sshd
file on the ssh server came straight outta the default file provided by the
nss package, which you can find somewhere under /usr/share/nss or something
like that.  

Problem 1 was a permissions issue solved by changing the ACLs in my
/etc/openldap/slapd.conf file.  I actually copied my new ACLs right out of
the Dec. 2002 issue of LinuxJournal, and all's well.

access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,o=example" write
        by * compare

access to *
        by self write
        by dn="cn=Manager,o=example" write
        by * read

Problem 2 was addressed in two ways.  The first was to run the Name Service
Caching Daemon (nscd) on all of the client machines that will use LDAP for
passwd and group lookups.  This did fix the performance issue, but I felt I
must be doing something wrong to have this dramatic performance travesty in
the first place.  I also didn't like depending on a third party daemon for
performance here.  I figured it should be fast by default, and nscd could
then be run as a sort of 'helper', which would hardly be missed if it
crashed or something, rather than the technology that makes LDAP acceptable
for use.

Do your homework on how the 'index' lines in slapd.conf work.  This
completely fixed my speed issues.  You'll also have to have a clue as to
what's actually being asked for when you do, for example, the above
mentioned 'ls -l'.   Here's the index section I came up with:

index default eq
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,sub
index homeDirectory eq
index gecos eq,sub

And here's the old section I have commented out, which used to be
slooooooow.  I think I copied it from someone else's mailing to this list.

#index objectClass      pres,eq
#index uid              pres,eq,sub
#index uidNumber                pres,eq
#index gidNumber                pres,eq
#index  objectClass,uid,uidNumber,gidNumber,memberUid   eq
#index  cn,mail,surname,givenname                       eq,subinitial
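Brian's point that you have to know what nss_ldap is actually asking for can be checked mechanically. This Python is an added example, not code from the post: it parses the index section above and reports which assertions in a set of constructed lookup filters (the shape nss_ldap uses for 'ls -l', login and group membership; the filters, values and the memberUid case are assumptions) slapd would have to answer without an index.

```python
import re

ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")  # one (attr=value) assertion
# Constructed sample: the working 'index' section from the post above.
INDEX_CONF = """
index default eq
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,sub
index homeDirectory eq
index gecos eq,sub
"""
# Assumed filters, shaped like those nss_ldap sends for 'ls -l', login, initgroups.
NSS_LOOKUPS = [
    "(&(objectClass=posixAccount)(uidNumber=1000))",
    "(&(objectClass=posixGroup)(gidNumber=100))",
    "(&(objectClass=posixAccount)(uid=brian))",
    "(&(objectClass=posixGroup)(memberUid=brian))",
]

def parse_index(conf):
    """Turn slapd.conf 'index' lines into {attribute: set of index types}."""
    default, indexes = set(), {}
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0] != "index":
            continue  # blank line, comment or unrelated directive
        # A line with no type list inherits the 'default' set seen so far.
        types = set(parts[2].split(",")) if len(parts) > 2 else set(default)
        if parts[1] == "default":
            default = types
            continue
        for attr in parts[1].split(","):
            indexes.setdefault(attr.lower(), set()).update(types)
    return indexes

def required_indexes(ldap_filter):
    """Map each asserted attribute to the index type that would serve it."""
    needs = {}
    for attr, value in ASSERTION.findall(ldap_filter):
        needs[attr.lower()] = "pres" if value == "*" else "sub" if "*" in value else "eq"
    return needs

def unindexed(ldap_filter, indexes):
    """(attribute, type) pairs the filter needs but slapd does not maintain."""
    return sorted((a, t) for a, t in required_indexes(ldap_filter).items()
                  if t not in indexes.get(a, set()))

def report(conf=INDEX_CONF, lookups=NSS_LOOKUPS):
    """Filter -> missing indexes; an empty list means the lookup is fully served."""
    idx = parse_index(conf)
    return {f: unindexed(f, idx) for f in lookups}
```

With the section above, the uidNumber, gidNumber and uid lookups are fully indexed, while a memberUid lookup (which the old, commented-out section did index) comes back as unindexed.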

Keep in mind I'm concentrating solely on users right now.  I haven't gotten
into crazy stuff like auto.master yet :-)

Well, I hope this is useful to somebody out there who might find this on
google :)

Brian.