
Re: ldapi vs ldap

Hallvard B Furuseth wrote:
  On Fri, 16 Mar 2012 22:07:36 +0200, Nick Milas <nick@eurobjects.com> wrote:
we are replicating locally and applications connect using:

We are considering using ldapi://localhost instead.

  ldapi://<URL-escaped socket filename>.  See '-h' in man 8 slapd.

Would there be any performance / reliability pros/cons?

  Should be pro, if there is a difference.

  Performance: The knowledge that transmitted data was always in your
  system's memory might drill deeper into caching/buffering policies.

There's also a hard limit of 32768 maximum concurrent connections using localhost; with ldapi there is no such limit. (I have frequently run into the connection limit doing soak tests. It's not just "concurrent" connections but any opened within 2MSL of each other, which is typically at least 2 minutes.)

  Reliability: I don't know of any difference.

Both are reliable transports. No difference. Of course, it's possible to disable localhost (ifconfig lo0 down) (accidentally or not) and it's not possible to disable ldapi.

  Security: In addition to ordinary slapd ACLs, you can use filesystem
  permissions to control access, and most systems let you Bind with
  SASL/EXTERNAL to get a Bind DN based on the client process' uid/gid.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
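The ldapi:// setup the thread describes (URL-escaped socket path, filesystem permissions on the socket, SASL/EXTERNAL mapping the client's uid/gid to a Bind DN), as an added example that is not part of the thread or of OpenLDAP itself. The socket path /var/run/slapd/ldapi, the uid/gid 1001, the entry cn=app,ou=services,dc=example,dc=com and the x-mod socket-mode extension are assumptions; check x-mod against your slapd(8) before relying on it.

```sh
#!/bin/sh
# Added example for the ldapi:// setup discussed above; not part of the thread.
# Assumptions (constructed for illustration): socket path /var/run/slapd/ldapi,
# an application account running as uid 1001 / gid 1001, and a directory
# under dc=example,dc=com.

# slapd -h takes the socket path URL-escaped, so every '/' becomes %2F.
# An optional x-mod extension sets the socket's file mode (assumed from
# slapd(8)); with 0770 and a dedicated group, only members of that group
# can open the socket at all, before any LDAP ACL is consulted.
ldapi_url() {
    esc=$(printf '%s' "$1" | sed 's|/|%2F|g')
    if [ -n "$2" ]; then
        printf 'ldapi://%s/????x-mod=%s' "$esc" "$2"
    else
        printf 'ldapi://%s/' "$esc"
    fi
}

# Identity slapd derives from the peer's uid/gid on a SASL/EXTERNAL bind
# over ldapi, before any authz-regexp rewriting is applied.
peercred_dn() {
    printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth' "$2" "$1"
}

# cn=config change mapping that peercred identity to a real entry, so the
# slapd ACLs written for cn=app apply to the local process. The pattern is
# a regex: '+' must be escaped and the match is anchored to the whole string.
authz_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: ^gidNumber=1001\+uidNumber=1001,cn=peercred,cn=external,cn=auth$
  cn=app,ou=services,dc=example,dc=com
EOF
}

# Typical use (not executed by this script):
#   slapd -h "$(ldapi_url /var/run/slapd/ldapi 0770)"
#   authz_ldif | ldapmodify -Y EXTERNAL -H ldapi:///   # as root, given the
#                                                       # usual cn=config ACL
#   ldapwhoami -Y EXTERNAL -H "$(ldapi_url /var/run/slapd/ldapi)"  # as uid 1001
#   -> dn:cn=app,ou=services,dc=example,dc=com
```

Running ldapwhoami as the application user is the check that both halves work: the socket mode lets it connect, and the authz-regexp turns the raw peercred DN into the entry your ACLs name.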