[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Strange aliases behavior



Unfortunately -a search for the query take the same amount of time and find return different result to always and search option. I know that our structure is problematic and understand that ldap need to dereferencing aliases. I try to understand why when you have up to 2000 aliases in DB queries are very fast, almost instant  but when you have more aliases in DB slapd take 100% of one core (probably one thread) and count something. 



Karol Chrapek | Infrastructure Architect

Infrastructure Division

mobile: +48 660 623 422




2015-09-16 23:43 GMT+02:00 Quanah Gibson-Mount <quanah@zimbra.com>:



On Sep 16, 2015, at 1:47 PM, Karol Chrapek <kchrapek@fgtsa.com> wrote:

I have a problem with Slapd and Alias dereferencing. In the ldap we have created a special subtree that allocate logical structure for our application. For this purpose we use the aliases. They allow us in one subtree have normal structure used by our internal services and for second subtree has a dedicate logical structure for special apps.
Currently we tested different version of ldap: 
- 2.4.28 with HDB
- 2.4.31 with HDB and MBD 
- 2.4.41 with mdb
- 2.4.42 with MDB <--- this version we are currently using

On all version the dereferencing aliases is works very fast when we have about 2000 aliases and about 200000 entries in the Database. When we add additional 2000 aliases each search with aliases dereferencing hangs for 3 second. When we add additional 2000 (so 6000 alieases in DB) the search time increase for next 3 seconds.
I.E. search time for filter objectclass=user with -a always for:
-2000 aliases in DB is about  0,031s
-4000 aliases in DB is about 3,031s
-6000 aliases in DB is about 6,123s 
And this search time was increase even if we add additional 2000 aliases outside the search base dn. We observed that during this 3, 6 second hangs one CPU core is about 100%, system does not wait for resources, memory is on the same level. 
In the log I saw that slapd very fast dereferencing all aliases in subtree, hang for 3,6,9 seconds depends of aliases count and after that I saw: 

 mdb_dn2entry("cn=.....")
Sep  4 14:53:50 ds1 slapd[4280]: => mdb_dn2id("cn=....")
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_dn2id: got id=0x231
Sep  4 14:53:50 ds1 slapd[4280]: => mdb_entry_decode:
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_entry_decode
Sep  4 14:53:50 ds1 slapd[4280]: => mdb_filter_candidates
Sep  4 14:53:50 ds1 slapd[4280]: #011OR
Sep  4 14:53:50 ds1 slapd[4280]: => mdb_list_candidates 0xa1
Sep  4 14:53:50 ds1 slapd[4280]: => mdb_filter_candidates
Sep  4 14:53:50 ds1 slapd[4280]: #011EQUALITY
Sep  4 14:53:50 ds1 slapd[4280]: => mdb_equality_candidates (objectClass)
Sep  4 14:53:50 ds1 slapd[4280]: => key_read
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_index_read: failed (-30798)
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_equality_candidates: id=0, first=0, last=0
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_filter_candidates: id=0 first=0 last=0
Sep  4 14:53:50 ds1 slapd[4280]: => mdb_filter_candidates
Sep  4 14:53:50 ds1 slapd[4280]: #011EQUALITY
Sep  4 14:53:50 ds1 slapd[4280]: => mdb_equality_candidates (objectClass)
Sep  4 14:53:50 ds1 slapd[4280]: => key_read
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_index_read 3585 candidates
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_equality_candidates: id=3585, first=18960, last=239706
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_filter_candidates: id=3585 first=18960 last=239706
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_list_candidates: id=3585 first=18960 last=239706
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_filter_candidates: id=3585 first=18960 last=239706
Sep  4 14:53:50 ds1 slapd[4280]: mdb_search_candidates: id=3585 first=18960 last=239706
Sep  4 14:53:50 ds1 slapd[4280]: => mdb_entry_decode:
Sep  4 14:53:50 ds1 slapd[4280]: <= mdb_entry_decode
Sep  4 14:53:50 ds1 slapd[4280]: => test_filter
Sep  4 14:53:50 ds1 slapd[4280]:     EQUALITY
Sep  4 14:53:50 ds1 slapd[4280]: => access_allowed: search access to "cn......." "objectClass" requested
Sep  4 14:53:50 ds1 slapd[4280]: <= root access granted

After that ldap start return object that is also very fast. When the query was finished I saw in log this info:


Sep  4 14:53:50 ds1 slapd[4280]: mdb_search: 18985 scope not okay

Sep  4 14:53:50 ds1 slapd[4280]: mdb_search: 18986 scope not okay


All other query that not derf. aliases are processed very fast. Search time about 32k entries in subtree without aliases is about 0,526s.

Our server DB and indexing settings: 

maxsize 10737418240
checkpoint 1024 10
sizelimit 100000

maxderefdepth 2
searchstack 10

index accountid eq
index objectClass eq
index cn eq
index id eq
index name eq
index entryCSN eq
index entryUUID eq

Do you have any idea how we can tune search with aliases? 
Regards 
Karol

My guess would be you are doing "always" for dereferencing. Try "search" or "find" and see if either of those meets your requirements and performs better. Using "always" is known to have this effect. 

--Quanah