RE: Problems with excessive LDAP CPU usage.
- From: "Sloane, Robert Raymond" <sloane [at] ku.edu>
- To: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: RE: Problems with excessive LDAP CPU usage.
- Date: Tue, 6 Mar 2012 20:38:33 +0000
Just to close this out, it turns out that our syslog monitor/aggregation system
(splunk) was running a lastlog command every 5 minutes, which was generating
the query.
Thanks for all the help.
--
Bob Sloane
(785) 864-0444
-----Original Message-----
From: Sloane, Robert Raymond
Sent: Monday, February 27, 2012 4:48 PM
To: 'nss-pam-ldapd-users@lists.arthurdejong.org'
Subject: Problems with excessive LDAP CPU usage.
We have a problem with our LDAP server (Oracle DSEE version 6.3). We are seeing
CPU usage that appears to be related to nss-pam-ldapd (version 0.8.6 on RHEL).
We are seeing searches like:
SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(objectClass=posixAccount)"
attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(objectClass=posixAccount)"
attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
They appear to happen every 5 minutes. We tracked them down to nslcd, and
verified that was the origin by changing the "filter passwd" entry in the
nslcd.conf file, which caused the search to use the new filter:
SRCH base="ou=people,dc=ku,dc=edu" scope=1
filter="(isMemberOf=cn=authorized-users,...dc=ku,dc=edu)" attrs="loginShell cn
gidNumber uidNumber objectClass homeDirectory uid"
SRCH base="ou=people,dc=ku,dc=edu" scope=1
filter="(isMemberOf=cn=authorized-users,...dc=ku,dc=edu)" attrs="loginShell cn
gidNumber uidNumber objectClass homeDirectory uid"
The problem is that we have about 300,000 users with objectclass=posixaccount,
so the above search is taking almost 5 minutes to complete, and the one CPU is
maxed out on the LDAP server during that period.
Normally only about 4,000 users are allowed to log in to that server, based on
membership in an LDAP group, but changing to:
filter passwd
(isMemberOf=cn=authorized-users,ou=people.ku.edu,ou=Pam-LDAP,ou=automatic,ou=groups,dc=ku,dc=edu)
doesn't help, because isMemberOf is calculated on the fly, and still takes
several minutes for the search, with the CPU busy.
My questions are:
1. Is there some way to specify that passwd entries need to be a member of a
particular group other than using isMemberOf?
2. Is there some way to change the search interval to something longer, like 4
hours?
3. I assume the search is building some sort of cache (maybe dn2uid?). Is
there some way to turn it off completely?
--
Bob Sloane
(785) 864-0444
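The thread's root cause was a periodic full enumeration of the passwd map (lastlog run every 5 minutes by the log collector, which makes nslcd issue an unfiltered `(objectClass=posixAccount)` subtree search). The following is an added example, not code from the thread or from the nss-pam-ldapd project, showing how a defender can spot that pattern in a directory access log before it becomes a CPU problem: it pairs SRCH and RESULT lines, keeps searches whose filter has no per-user key (`uid=` or `uidNumber=`, an assumption about what a "single user" lookup looks like), and reports how often each such enumeration recurs and how long it takes. The sample log lines are constructed in a DSEE-style layout (timestamp, `conn=`, `op=`, then the SRCH/RESULT text as quoted in the thread); the user name `jdoe` and the connection numbers are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed DSEE-style line layout, not a real capture):
# two full enumerations 5 minutes apart, each taking ~290 s and returning
# 300,000 entries, plus one ordinary single-user lookup that must NOT be flagged.
SAMPLE_LOG = """\
[27/Feb/2012:16:30:01 -0600] conn=101 op=1 msgId=2 - SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(objectClass=posixAccount)" attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
[27/Feb/2012:16:30:02 -0600] conn=102 op=1 msgId=2 - SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=jdoe))" attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
[27/Feb/2012:16:30:02 -0600] conn=102 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[27/Feb/2012:16:34:52 -0600] conn=101 op=1 msgId=2 - RESULT err=0 tag=101 nentries=300000 etime=291
[27/Feb/2012:16:35:01 -0600] conn=103 op=1 msgId=2 - SRCH base="ou=people,dc=ku,dc=edu" scope=2 filter="(objectClass=posixAccount)" attrs="loginShell cn gidNumber uidNumber objectClass homeDirectory uid"
[27/Feb/2012:16:39:50 -0600] conn=103 op=1 msgId=2 - RESULT err=0 tag=101 nentries=300000 etime=289
"""

# Line prefix: timestamp, connection id, operation id, then the operation text.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) \S+ - (?P<body>.*)$')
SRCH_RE = re.compile(
    r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+) etime=(?P<etime>\d+)')

# Assumption: a lookup for one account always carries a uid= or uidNumber= term.
PER_USER_KEY_RE = re.compile(r'\((uid|uidnumber)=', re.IGNORECASE)


def is_enumeration(ldap_filter):
    """True when the filter selects accounts only by class/group membership,
    i.e. the 'give me every user' shape that getpwent() produces."""
    return PER_USER_KEY_RE.search(ldap_filter) is None


def parse_log(text):
    """Join each SRCH with its RESULT on (conn, op) and return completed searches."""
    pending, records = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m['conn'], m['op'])
        srch = SRCH_RE.search(m['body'])
        if srch:
            pending[key] = {
                'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
                'base': srch['base'],
                'scope': int(srch['scope']),
                'filter': srch['filter'],
            }
            continue
        result = RESULT_RE.search(m['body'])
        if result and key in pending:
            rec = pending.pop(key)
            rec['nentries'] = int(result['nentries'])
            rec['etime'] = int(result['etime'])
            records.append(rec)
    return records


def find_enumerations(text, min_entries=1000):
    """Group large enumeration searches by (base, filter) and summarise
    recurrence interval, worst search time and result size."""
    groups = defaultdict(list)
    for rec in parse_log(text):
        if is_enumeration(rec['filter']) and rec['nentries'] >= min_entries:
            groups[(rec['base'], rec['filter'])].append(rec)
    report = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r['ts'])
        gaps = [(b['ts'] - a['ts']).total_seconds() for a, b in zip(recs, recs[1:])]
        report[key] = {
            'count': len(recs),
            'interval_s': min(gaps) if gaps else None,   # shortest gap between runs
            'max_etime_s': max(r['etime'] for r in recs),
            'max_nentries': max(r['nentries'] for r in recs),
        }
    return report


if __name__ == '__main__':
    for (base, flt), stats in find_enumerations(SAMPLE_LOG).items():
        print(f'{base} {flt}: {stats["count"]} runs, every {stats["interval_s"]}s, '
              f'up to {stats["max_etime_s"]}s and {stats["max_nentries"]} entries')
```

On the constructed sample this reports a single group for `(objectClass=posixAccount)` under `ou=people,dc=ku,dc=edu`, recurring every 300 s and taking up to 291 s, which is exactly the "runs every 5 minutes and takes almost 5 minutes" symptom from the thread; a search whose interval is close to its own elapsed time is one the server can never get ahead of. Once the offending base/filter is known, the client side can be traced by matching the connection's bind DN or source address in the same log, and the fix is at the caller (here, the scheduled lastlog run) rather than in nslcd's filter.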