Re: LDAP Auth?

From: John Madden (weez@freelists.org)
Date: 08/05/02


From: John Madden <weez@freelists.org>
To: focus-linux@securityfocus.com
Date: Mon, 5 Aug 2002 00:12:56 -0500


> You're using OpenLDAP? I've come across some performance tests and
> statements from different people (sorry, I don't have any links), that
> led to the conclusion that OpenLDAP is really a poor performer.
> Improvements up to 1000x times the OpenLDAP speed were measured.
>
> I can't prove or comment on this, because I'm using OpenLDAP only for a
> base of about 30 users. But I've also tried the MySQL backend to
> OpenLDAP (pretty crude hack, had to fix some things before it worked)
> and as far as I can see, OpenLDAP will never fly with this backend.

I can - supporting 2500 Linux users from OpenLDAP running on a separate
Solaris box, the directory would get completely trashed from time to time
(like, say, when someone sends a company-wide email). Running nscd and
indexing every attribute ever retrieved has helped performance immensely,
but slapd still sits at a constant utilization of at least 5%.

I suggest you try running OpenLDAP itself on different platforms (Linux may
perform better than Solaris, for example) and with different combinations
of indexing and caching. If you can find a way of providing a quicker
lookup locally (by, say, caching a copy of /etc/passwd, built from LDAP
every 15 minutes or so), you can take a lot of load off of the directory.

Running with a SQL backend, albeit something of a hack, ought to help
improve performance quite a bit: it would allow you to cluster and load
balance (think LVS) the directory servers -- that is, provided the backend
doesn't become a bottleneck.

OpenLDAP's multimaster setup would also appear to allow for easier
clustering. It's still marked as experimental though, and as I recently
found out on openldap-software, for good reason.

John

-- 
# John Madden  weez@freelists.org ICQ: 2EB9EA
# FreeLists, Free mailing lists for all: http://www.freelists.org
# UNIX Systems Engineer, Ivy Tech State College: http://www.ivytech.edu
# Linux, Apache, Perl and C: All the best things in life are free!
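
The local passwd cache suggested in the message above, sketched as an added example that is not part of the original post or of any OpenLDAP tooling. It assumes the posixAccount entries have already been fetched as attribute dicts; `MIN_UID`, `min_entries`, the destination path and the function names are hypothetical choices for illustration.

```python
import os, re, tempfile

MIN_UID = 1000  # assumption: system accounts stay in the local /etc/passwd
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
NUM_RE = re.compile(r"[0-9]{1,10}")

def passwd_line(e):
    """Return a passwd(5) line, or None when the entry is unsafe to cache."""
    name, uid, gid = e.get("uid", ""), e.get("uidNumber", ""), e.get("gidNumber", "")
    if not (NAME_RE.fullmatch(name) and NUM_RE.fullmatch(uid) and NUM_RE.fullmatch(gid)):
        return None
    if int(uid) < MIN_UID:  # never let the directory define root or daemons
        return None
    rest = [e.get("gecos", ""), e.get("homeDirectory", ""), e.get("loginShell", "/bin/sh")]
    if not rest[1].startswith("/") or any(c in f for f in rest for c in ":\n\r"):
        return None  # a ':' or newline would shift fields or inject a line
    return ":".join([name, "x", uid, gid] + rest)

def build_cache(entries, dest, min_entries):
    """Atomically replace dest; keep the old cache if the result looks short."""
    lines = [l for l in map(passwd_line, entries) if l]
    if len(lines) < min_entries:
        return False  # overloaded directory or truncated answer: keep old copy
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
        f.flush()
        os.fsync(f.fileno())
    os.chmod(tmp, 0o644)
    os.replace(tmp, dest)  # readers see the old file or the new one, never half
    return True

# Constructed sample entries (posixAccount attributes); not real data.
SAMPLE = [
    {"uid": "alice", "uidNumber": "1001", "gidNumber": "100", "gecos": "Alice",
     "homeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    {"uid": "toor", "uidNumber": "0", "gidNumber": "0", "homeDirectory": "/root"},
    {"uid": "bob", "uidNumber": "1002", "gidNumber": "100",
     "gecos": "x:0:0::/:/bin/sh\n", "homeDirectory": "/home/bob"},
]

if __name__ == "__main__":
    out = os.path.join(tempfile.mkdtemp(), "passwd.cache")
    print(build_cache(SAMPLE, out, min_entries=1), open(out).read(), end="")
```

Run from cron at the interval the message suggests, this keeps a short or empty LDAP answer from replacing a good cache and keeps the directory from supplying uid 0 or extra passwd fields.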


