Re: slow ldapsearch when binddn is not root

On Thu, 24 Apr 2008, Alexandre Biancalana wrote:

# time ldapsearch -D uid=user,ou=Users,dc=mydomain,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br  -W -x > /dev/null
Enter LDAP Password:
 101.71s real     0.59s user     0.11s system

# time ldapsearch -D cn=root,dc=tempopar,dc=com,dc=br -b
ou=Users,dc=mydomain,dc=com,dc=br  -W -x > /dev/null
Enter LDAP Password:
   3.13s real     0.53s user     0.08s system

Well, first off, are you always doing user first then root second? Is this reproducible, repeatedly, regardless of direction? (Rule out cache priming.)

[config'd with a lot of]
access to dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$"

This is what I think your real issue is: you have a ton of regex ACLs, and I'm guessing you're linked against an inefficient regex library.

I'm not sure exactly what you're doing, but give some thought to:

access to dn.subtree="ou=Computers,dc=mydomain,dc=com,dc=br"
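
An added example, not part of the original message or of OpenLDAP: a small checker that finds dn.regex ACLs of the anchored "base plus everything under it" shape quoted above and rewrites them to the dn.subtree (or dn.children) form suggested in the reply. The function name rewrite_acl, the sample list and the "by" clauses are constructed for illustration; it assumes each ACL statement has already been joined into one logical line and that the base DN is written in normalized form.

```python
import re

# Base DN must be purely literal (no regex metacharacters) to be rewritten safely.
_LITERAL_DN = r"[A-Za-z0-9=, _-]+"
# ^(.*,)?BASE$ or ^(.+,)?BASE$ cover BASE and all descendants (dn.subtree);
# ^.+,BASE$ or ^.*,BASE$ cover descendants only (dn.children).
_ANCHORED = re.compile(
    r'dn\.regex="\^(?P<prefix>\(\.[*+],\)\?|\.[*+],)(?P<base>' + _LITERAL_DN + r')\$"'
)
# $1 / ${1} substitutions in "by" clauses depend on the regex capture groups.
_BACKREF = re.compile(r"\$(\d|\{)")


def rewrite_acl(statement: str) -> str:
    """Return one logical ACL statement with a subtree-style dn.regex replaced."""
    m = _ANCHORED.search(statement)
    if m is None or _BACKREF.search(statement):
        return statement  # not provably equivalent: leave for manual review
    style = "subtree" if m.group("prefix").endswith("?") else "children"
    return f'{statement[:m.start()]}dn.{style}="{m.group("base")}"{statement[m.end():]}'


# Constructed sample statements; only the first "access to" clause is from the post.
SAMPLE_ACLS = [
    'access to dn.regex="^(.*,)?ou=Computers,dc=mydomain,dc=com,dc=br$" by * read',
    'access to dn.regex="^.+,ou=Users,dc=mydomain,dc=com,dc=br$" by self write',
    'access to dn.regex="^(.+,)?ou=Groups,dc=mydomain,dc=com,dc=br$"'
    ' by dn.exact,expand="cn=admin,$1ou=Groups,dc=mydomain,dc=com,dc=br" write',
    'access to dn.regex="^uid=[^,]+,ou=Users,dc=mydomain,dc=com,dc=br$" by self write',
]

if __name__ == "__main__":
    for acl in SAMPLE_ACLS:
        new = rewrite_acl(acl)
        print(("REWRITE " if new != acl else "KEEP    ") + new)
```

Statements that reuse a capture group in a "by" clause, or whose pattern is a genuine regex, are left unchanged so the access policy is not altered silently.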