Re: Problems with excessive LDAP CPU usage.

On Mon, 2012-02-27 at 22:48 +0000, Sloane, Robert Raymond wrote:
> 1. Is there some way to specify that passwd entries need to be a
> member of a particular group other than using isMemberOf?

Not that I know of, but it depends on your environment. If you can come
up with an LDAP search that returns only the desired entries, nslcd can
probably be configured to use that search instead.

Sadly, there is no LDAP equivalent for the SQL join.

You could try to tune your LDAP server to perform these searches faster.
You could try more indexes or get fewer attributes (you can map
attributes to a static expression in nslcd.conf).

> 2. Is there some way to change the search interval to something
> longer, like 4 hours?
> 3. I assume the search is building some sort of cache (maybe dn2uid?).
> Is there some way to turn it off completely?

It is not nslcd that initiates the search. It only handles searches as
requested by some other application. The 5 minute interval seems to
suggest that a cron job is requesting all the users on the system.

You could run nslcd in debug mode (start with -d) to find out more
information about who is performing these requests.

There is also no easy way to cache these kinds of queries. nscd doesn't
provide caching for these kinds of queries (get all entries).

The pynslcd implementation in recent versions of nss-pam-ldapd provides
some caching functionality that could be extended to also cache these
kinds of requests, but it is currently not as complete as nslcd and
certainly not as well tested.

Assistance and testing are more than welcome for pynslcd. In my test
environment with 2000 users the cache is faster than an LDAP server on

Hope this helps,

-- arthur - - --
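
The two nslcd.conf suggestions in the reply above (a narrower search and static attribute expressions), sketched as an added example that is not part of the original message. The server URI, base DN and the `employeeType=staff` selector are constructed placeholders; substitute an attribute that actually marks the desired entries in your directory.

```conf
# /etc/nslcd.conf fragment (constructed example; uri, base and the
# employeeType attribute are placeholders, not values from this thread)
uri  ldap://ldap.example.com/
base dc=example,dc=com

# Default behaviour, shown for comparison: every posixAccount under the
# base is returned when an application enumerates all users.
#filter passwd (objectClass=posixAccount)

# Narrowed search: match only on an attribute stored on the user entry
# itself. The attribute should be indexed on the LDAP server so the
# filter does not force a scan of every entry.
filter passwd (&(objectClass=posixAccount)(employeeType=staff))

# Expressions in double quotes are evaluated by nslcd locally, so the
# homeDirectory and loginShell attributes are no longer requested from
# the server; only uid (already needed) is referenced.
map passwd homeDirectory "/home/$uid"
map passwd loginShell    "/bin/bash"
```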