Problems with excessive LDAP CPU usage.

We have a problem with our LDAP server (Oracle DSEE version 6.3). We are seeing 
CPU usage that appears to be related to nss-pam-ldapd (version 0.8.6 on RHEL).

We are seeing searches like:

SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(objectClass=posixAccount)" 
attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(objectClass=posixAccount)" 
attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"

They appear to happen every 5 minutes.  We tracked them down to nslcd, and 
verified that was the origin by changing the "filter passwd" entry in the 
nslcd.conf file, which caused the search to use the new filter:

SRCH base="ou=people,dc=ku,dc=edu" scope=1 
filter="(isMemberOf=cn=authorized-users,...dc=ku,dc=edu)" attrs="loginShell cn 
gidNumber uidNumber objectClass homeDirectory uid"
SRCH base="ou=people,dc=ku,dc=edu" scope=1 
filter="(isMemberOf=cn=authorized-users,...dc=ku,dc=edu)" attrs="loginShell cn 
gidNumber uidNumber objectClass homeDirectory uid"

The problem is that we have about 300,000 users with objectclass=posixaccount, 
so the above search is taking almost 5 minutes to complete, and the one CPU is 
maxed out on the LDAP server during that period.

Normally only about 4,000 users are allowed to log in to that server, based on 
membership in an LDAP group, but changing to:

filter passwd 
(isMemberOf=cn=authorized-users,ou=people.ku.edu,ou=Pam-LDAP,ou=automatic,ou=groups,dc=ku,dc=edu)

doesn't help, because isMemberOf is calculated on the fly, and still takes 
several minutes for the search, with the CPU busy. 

My questions are:

1. Is there some way to specify that passwd entries need to be a member of a 
particular group other than using isMemberOf?
2. Is there some way to change the search interval to something longer, like 4 
hours?
3. I assume the search is building some sort of cache (maybe dn2uid?).  Is 
there some way to turn it off completely?
-- 
Bob Sloane
(785) 864-0444
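The post identifies the expensive searches by reading the directory server's access log and noticing that the same subtree search recurs on a fixed schedule. The script below is an added example (not part of the original message, and not nss-pam-ldapd or DSEE code) that automates that triage: it parses SRCH lines, groups them by base, scope and filter, measures the interval between repeats, and flags the broad "objectClass-only, scope=2" searches that scan a whole subtree. The log lines it runs on are constructed, and the assumed line layout (a bracketed timestamp followed by conn/op fields before the SRCH token) is an assumption about the access-log format, not something taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. Assumed layout: "[timestamp] conn=N op=N msgId=N - SRCH ...";
# the base, scope, filter and attrs values mirror the searches quoted in the post.
SAMPLE_LOG = """\
[10/Oct/2012:10:00:01 -0500] conn=101 op=1 msgId=2 - SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(objectClass=posixAccount)" attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
[10/Oct/2012:10:00:05 -0500] conn=102 op=1 msgId=2 - SRCH base="ou=people,dc=ku,dc=edu" scope=0 filter="(objectClass=*)" attrs="uid"
[10/Oct/2012:10:05:01 -0500] conn=103 op=1 msgId=2 - SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(objectClass=posixAccount)" attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
[10/Oct/2012:10:10:01 -0500] conn=104 op=1 msgId=2 - SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(objectClass=posixAccount)" attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
[10/Oct/2012:10:10:02 -0500] conn=105 op=1 msgId=2 - SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(uid=jdoe)" attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
"""

# One SRCH operation: timestamp, connection id, search base, scope and filter.
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) .*?SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)

# A filter consisting of nothing but an objectClass test matches every entry of
# that class; combined with scope=2 it walks the whole subtree, which is the
# 300,000-entry scan described in the post.
BROAD_FILTER_RE = re.compile(r'^\(objectClass=[^)]*\)$', re.IGNORECASE)


def parse_searches(text):
    """Return a list of dicts, one per SRCH line that matches the assumed layout."""
    searches = []
    for line in text.splitlines():
        m = SRCH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        searches.append({
            'ts': ts,
            'conn': int(m.group('conn')),
            'base': m.group('base'),
            'scope': int(m.group('scope')),
            'filter': m.group('filter'),
        })
    return searches


def summarize(searches):
    """Group identical searches and compute how often each one repeats."""
    groups = defaultdict(list)
    for s in searches:
        groups[(s['base'], s['scope'], s['filter'])].append(s['ts'])
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            'count': len(stamps),
            # median gap between consecutive occurrences, in seconds (None if seen once)
            'median_interval_s': sorted(gaps)[len(gaps) // 2] if gaps else None,
            'broad': key[1] == 2 and bool(BROAD_FILTER_RE.match(key[2])),
        }
    return report


def broad_periodic_searches(text, min_count=3):
    """Return (key, stats) pairs for subtree-wide searches seen at least min_count times."""
    report = summarize(parse_searches(text))
    return sorted((k, v) for k, v in report.items()
                  if v['broad'] and v['count'] >= min_count)


if __name__ == '__main__':
    for (base, scope, flt), stats in broad_periodic_searches(SAMPLE_LOG):
        print(f"{stats['count']}x every ~{stats['median_interval_s']:.0f}s: "
              f"base={base} scope={scope} filter={flt}")
```

On the constructed sample this reports the posixAccount subtree search three times at a median interval of 300 seconds, while the single-entry lookups (scope=0, or an equality filter on uid) are left out; on a real access log the same grouping shows which client behaviour to tune or which attribute to index before changing the directory server.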



-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/