[Date Prev][Date Next]
Re: ldapi vs ldap
Hallvard B Furuseth wrote:
On Fri, 16 Mar 2012 22:07:36 +0200, Nick Milas<firstname.lastname@example.org>
we are replicating locally and applications connect using:
We are considering using ldapi://localhost instead.
ldapi://<URL-escaped socket filename>. See '-h' in man 8 slapd.
Would there be any performance / reliability pros/cons?
Should be pro, if there is a difference.
Performance: The knowledge that transmitted data was always in your
system's memory might drill deeper into caching/buffering policies.
There's also a hard limit of 32768 maximum concurrent connections using
localhost; with ldapi there is no such limit. (I have frequently run into the
connection limit doing soak tests. It's not just "concurrent" connections but
any opened within 2MSL of each other, which is typically at least 2 minutes.)
Reliability: I don't know of any difference.
Both are reliable transports. No difference. Of course, it's possible to
disable localhost (ifconfig lo0 down) (accidentally or not) and it's not
possible to disable ldapi.
Security: In addition to ordinary slapd ACLs, you can use filesystem
permissions to control access, and most systemss let you Bind with
SASL/EXTERNAL to get a Bind DN based on the client process' uid/gid.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/