Re: LDAP Auth?
From: John Madden (weez@freelists.org)
Date: 08/05/02
From: John Madden <weez@freelists.org>
To: focus-linux@securityfocus.com
Date: Mon, 5 Aug 2002 00:12:56 -0500

> You're using OpenLDAP? I've come across some performance tests and
> statements from different people (sorry, I don't have any links), that
> led to the conclusion that OpenLDAP is really a poor performer.
> Improvements up to 1000x times the OpenLDAP speed were measured.
>
> I can't prove or comment on this, because I'm using OpenLDAP only for a
> base of about 30 users. But I've also tried the MySQL backend to
> OpenLDAP (pretty crude hack, had to fix some things before it worked)
> and as far as I can see, OpenLDAP will never fly with this backend.
I can - supporting 2500 Linux users from OpenLDAP running on a separate
Solaris box, the directory would get completely trashed from time to time
(like, say, when someone sends a company-wide email). Running nscd and
indexing every attribute ever retrieved has helped performance immensely,
but slapd still sits at a constant utilization of at least 5%.

I suggest you try running OpenLDAP itself on different platforms (Linux may
perform better than Solaris, for example) and with different combinations
of indexing and caching. If you can find a way of providing a quicker
lookup locally (by, say, caching a copy of /etc/passwd, built from LDAP
every 15 minutes or so), you can take a lot of load off of the directory.

Running with a SQL backend, albeit something of a hack, ought to help
improve performance quite a bit: it would allow you to cluster and load
balance (think LVS) the directory servers -- that is, provided the backend
doesn't become a bottleneck.

OpenLDAP's multimaster setup would also appear to allow for easier
clustering. It's still marked as experimental though, and as I recently
found out on openldap-software, for good reason.

John
--
# John Madden weez@freelists.org ICQ: 2EB9EA
# FreeLists, Free mailing lists for all: http://www.freelists.org
# UNIX Systems Engineer, Ivy Tech State College: http://www.ivytech.edu
# Linux, Apache, Perl and C: All the best things in life are free!
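
The local cache suggested in the message above (a passwd-format file rebuilt from LDAP every 15 minutes or so), as an added example that is not part of the original post: it validates each directory entry before writing it, so an entry cannot inject an extra record or shadow a system account, and it swaps the file in atomically. Assumptions: entries were already fetched as dicts of string posixAccount attributes, `MIN_UID` is 1000, and all function names and sample entries are hypothetical.

```python
import os
import re
import tempfile

MIN_UID = 1000  # assumption: directory accounts start here; lower ids stay local
NAME_OK = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
UNSAFE = re.compile(r"[:\n\r\x00]")  # would split or extend a passwd record

# Constructed sample entries: one valid, one claiming uid 0, one injecting a line.
SAMPLE = [
    {"uid": "alice", "uidNumber": "1001", "gidNumber": "100", "gecos": "Alice A",
     "homeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    {"uid": "mallory", "uidNumber": "0", "gidNumber": "0",
     "homeDirectory": "/root", "loginShell": "/bin/sh"},
    {"uid": "eve", "uidNumber": "1002", "gidNumber": "100", "gecos": "x\nr2:x:0:0::/:/bin/sh",
     "homeDirectory": "/home/eve", "loginShell": "/bin/sh"},
]

def passwd_line(entry):
    """Return a passwd(5) line for one entry, or None if it must be rejected."""
    try:
        name, gecos = entry["uid"], entry.get("gecos", "")
        uid, gid = int(entry["uidNumber"]), int(entry["gidNumber"])
        home, shell = entry["homeDirectory"], entry["loginShell"]
    except (KeyError, ValueError):
        return None
    if not NAME_OK.fullmatch(name) or uid < MIN_UID or gid < 0:
        return None  # bad name, or would shadow a local system account
    if any(UNSAFE.search(f) for f in (gecos, home, shell)) or not home.startswith("/"):
        return None  # field separator or newline smuggled into a field
    return f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"

def build_cache(entries):
    """Return (lines, rejected_names); duplicate names or uids are rejected."""
    lines, rejected, names, uids = [], [], set(), set()
    for e in entries:
        line = passwd_line(e)
        if line is None or e["uid"] in names or int(e["uidNumber"]) in uids:
            rejected.append(str(e.get("uid", "?")))
            continue
        names.add(e["uid"])
        uids.add(int(e["uidNumber"]))
        lines.append(line)
    return lines, rejected

def write_atomic(path, lines):
    """Write beside the target, then rename, so readers never see a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
```

Write the result to a separate cache file rather than over the system `/etc/passwd`, and log the rejected names on every run so a bad directory entry is noticed.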