{"id":305,"date":"2009-10-14T11:40:25","date_gmt":"2009-10-14T11:40:25","guid":{"rendered":"https:\/\/www.bishnet.net\/tim\/blog\/?p=305"},"modified":"2010-11-11T13:28:16","modified_gmt":"2010-11-11T13:28:16","slug":"getting-the-indexes-right-for-openldap-when-using-nss","status":"publish","type":"post","link":"https:\/\/www.bishnet.net\/tim\/blog\/2009\/10\/14\/getting-the-indexes-right-for-openldap-when-using-nss\/","title":{"rendered":"Getting the indexes right for OpenLDAP when using NSS"},"content":{"rendered":"

I recently deployed a Linux system which used the libnss-ldap module to get its passwd and group information. This all worked fine except group lookups (in particular when logging in) which were extremely slow. We have about 600 groups in our directory, which isn’t massive, but is more than the average system.<\/p>\n

Clearly this wasn’t right. Initially I tried nscd, which helped, but only after it had cached the data. Then I realised it was probably the indexes in OpenLDAP. Googling didn’t turn up much of use (hence this post), but I did find this page<\/a> on the OpenLDAP site.<\/p>\n

This fairly quickly pointed me at the problem; I was missing indexes on memberUid and uniqueMember. Adding these fixed the problem completely.<\/p>\n

So here’s the indexes I’ve ended up with:<\/p>\n

index   objectClass     eq\r\nindex   cn,uid          eq\r\nindex   uidNumber       eq\r\nindex   gidNumber       eq\r\nindex   memberUid       eq\r\nindex   uniqueMember    eq\r\nindex   entryCSN        eq\r\nindex   entryUUID       eq<\/pre>\n
(the last two are for replication)<\/p>\n
I’m actually quite surprised how much the indexes matter. It makes a huge difference, even on a small setup. So if you’re setting up a directory take the time to read the Tuning section<\/a> of OpenLDAP Admin Guide<\/a> first.<\/p>\n","protected":false},"excerpt":{"rendered":"
I recently deployed a Linux system which used the libnss-ldap module to get its passwd and group information. This all worked fine except group lookups (in particular when logging in) which were extremely slow. We have about 600 groups in our directory, which isn’t massive, but is more than the average system. Clearly this wasn’t right. Initially I tried nscd, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[116,122,118,119,117,120,121],"class_list":["post-305","post","type-post","status-publish","format-standard","hentry","category-computing","tag-index","tag-libnss-ldap","tag-nss","tag-nss_ldap","tag-openldap","tag-optimise","tag-optimize"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/posts\/305","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/comments?post=305"}],"version-history":[{"count":8,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/posts\/305\/revisions"}],"predecessor-version":[{"id":405,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/posts\/305\/revisions\/405"}],"wp:attachment":[{"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/media?parent=305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/categories?post=305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/tags?post=305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}