[LDAP] Speeding up authentication using ldap - Linux



Thread: [LDAP] Speeding up authentication using ldap

  1. [LDAP] Speeding up authentication using ldap


    I have some 100 servers using openldap for authentication; the
    servers are using various versions of RedHat (I don't think that is
    important but what the hell...). The problem is that after entering the
    password it takes about 30 seconds before giving the prompt.

    After some digging and checking I found out that the problem is the
    retrieval of the groups to which the user belongs. The nss library
    runs a search of the type

    (&(objectClass=posixGroup)(|(memberUid=usernamehere) (uniqueMember=theDNhere)))

    And this takes about 25 seconds to retrieve the groups. I noticed that if
    I use the non-RFC 2307 Bis query type

    (&(objectClass=posixGroup)(memberUid=usernamehere))

    it returns the same data but it takes only a fraction of a second.

    As far as I can see in the source code of the ldap_nss library, the
    decision whether to use 2307 Bis or not is made at compile time and can't be
    changed later without recompiling the whole lib. I haven't been able
    to find a way to circumvent this problem; I tried also to add the
    'uniqueMember' attribute to my ldap schema, but that didn't improve
    the performance.

    So, before I start the mammoth task of recompiling on all the servers...
    does anyone have any idea of how to force it to use a shorter (or quicker)
    query?

    Davide

    --
    Windows 2000 will be released as soon as Windows 98 finishes loading.

  2. Re: [LDAP] Speeding up authentication using ldap

    Davide Bianchi wrote:
    > After some digging and checking I found out that the problem is the
    > retrieval of the groups to which the user belongs. The nss library
    > runs a search of the type
    >
    > (&(objectClass=posixGroup)(|(memberUid=usernamehere) (uniqueMember=theDNhere)))
    >
    > And this takes about 25 seconds to retrieve the groups. I noticed that if
    > I use the non-RFC 2307 Bis query type
    >
    > (&(objectClass=posixGroup)(memberUid=usernamehere))
    >
    > it returns the same data but it takes only a fraction of a second.


    Sounds like you need an index on uniqueMember. Dunno. Ask an LDAP group
    (and send the relevant schema)... If I remember right, you can also turn
    on debugging during a search and you can watch what searches the
    database does that aren't indexed.

    - Mike Johnson
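    Mike's suggestion in practice: OpenLDAP's bdb/hdb/mdb backends log a
    "<= ..._candidates: (attr) not indexed" line whenever a filter component
    cannot be served from an index. The script below is an added example, not
    code from this thread; it scans constructed sample syslog lines for those
    messages and emits the matching slapd.conf "index" directives.

```python
import re
from collections import defaultdict

# Message logged by slapd when a filter component has no usable index, e.g.
#   <= bdb_equality_candidates: (uniqueMember) not indexed
UNINDEXED_RE = re.compile(
    r"<= (?:bdb|hdb|mdb)_(equality|presence|substring|approx)_candidates: "
    r"\(([A-Za-z][A-Za-z0-9;-]*)\) not indexed"
)

# Candidate generator name -> slapd.conf index type that would satisfy it.
INDEX_TYPE = {"equality": "eq", "presence": "pres",
              "substring": "sub", "approx": "approx"}

def find_unindexed(log_lines):
    """Return {attribute: set of index types} for every unindexed search seen."""
    needed = defaultdict(set)
    for line in log_lines:
        m = UNINDEXED_RE.search(line)
        if m:
            needed[m.group(2)].add(INDEX_TYPE[m.group(1)])
    return dict(needed)

def index_directives(needed):
    """Render slapd.conf 'index' lines (run slapindex after adding them)."""
    return ["index %s %s" % (attr, ",".join(sorted(types)))
            for attr, types in sorted(needed.items())]

# Constructed sample log: the 2307bis group lookup from the thread, where
# memberUid is indexed but uniqueMember is not, plus an unindexed cn substring.
SAMPLE_LOG = """\
May 20 10:01:02 ldap01 slapd[1234]: conn=17 op=3 SRCH base="ou=Groups,dc=example,dc=com" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=davide)(uniqueMember=uid=davide,ou=People,dc=example,dc=com)))"
May 20 10:01:02 ldap01 slapd[1234]: <= bdb_equality_candidates: (uniqueMember) not indexed
May 20 10:01:27 ldap01 slapd[1234]: conn=17 op=3 SEARCH RESULT tag=101 err=0 nentries=4 text=
May 20 10:01:30 ldap01 slapd[1234]: <= bdb_substring_candidates: (cn) not indexed
""".splitlines()

if __name__ == "__main__":
    for directive in index_directives(find_unindexed(SAMPLE_LOG)):
        print(directive)
```

    Feed it real lines with "grep slapd /var/log/messages | python3 script.py" style piping once the SAMPLE_LOG is swapped for sys.stdin; an attribute that is absent from the schema, as in Davide's case, will keep being reported until it is either added and indexed or dropped from the filter.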

  3. Re: [LDAP] Speeding up authentication using ldap

    On 2006-05-20, Mike Johnson wrote:
    > Sounds like you need an index on uniqueMember.


    Done that already; it doesn't do anything, since we are not using
    'uniqueMember' in our schema.

    > Dunno. Ask an LDAP group


    Well... I'm not so sure that is an LDAP issue...
    Any suggestion about which one?

    Davide

    --
    He knows all about using Microsoft Word or Excel, and this makes him a
    skilled computer support person. (The fact that he should be accompanied
    everywhere by an escort of police motorcycles with sirens warbling
    "LUSERluserLUSERluserLUSER ..." notwithstanding.) --Charlie
