[389-users] 389-DS poor performance retrieving groups

Mark Reynolds mareynol at redhat.com
Wed Aug 5 19:02:41 UTC 2015 


On 08/05/2015 02:31 PM, ghiureai wrote:
>
>
>   Mark, would be accepted to accommodate only  substring indexes
>   followed by wild char than ?
>   aka :cn=abc*,
>   cn=efg*  .... may need couple of this indexes.
>
in fact cn=ab* is fine as this is translated to the key "^ab", but if 
you use two surrounding wildcards then you must use 3 characters:  cn=*abc*

Regards,
Mark
>
>
>
>   Thank you
>
>
>   [389-users] 389-DS poor performance retrieving groups
>
> On 08/05/2015 08:24 AM, Mark Reynolds wrote:
> >/
> />/
> />/  On 08/04/2015 11:57 AM, ghiureai wrote:
> />>/  <https://www.flowdock.com/app/canfar/access-control/threads/QyygOboGumgx3qw3tIO_828AMgQ>
> />>/
> />>/  We are seeing poor performance from LDAP retrieving 2500-4500 entries
> />>/  compare with one of our regular RDBMS , here is bellow the result for
> />>/  a ldapsearch.
> />>/  We are questioning if for general cn=(.*..) search string , LDAP has
> />>/  to run  a round trip for each  subset result entry ?
> />>/
> />>/  What cfg needs tuned to  see some performance improvements beside
> />>/  cache mem size ?
> />>/
> />>/  ldapsearch -x -s one -H  -b 'ou=Groups,ou=ds,dc=cxxx,dc=net' -W -D
> />>/  'uid=xx,ou=Users,ou=ds,dc=cxxxr,dc=net' 'cn=*MT*' 'cn, nsaccountlock'
> />/  Okay so this is probably unindexed, and the requested access log
> />/  snipet will confirm this. If you see notes=U or notes=A then we can
> />/  tune the id scan limit for that search:
> />/
> />/
> />/  Assuming this is the only search that is giving you issues:
> />/
> />/  Example:
> />/
> />/
> />/  # ldapmodify <fill in the required parameters>
> />/  |dn: cn=cn,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
> />/  changetype: modify
> />/  add:|||nsIndexIDListScanLimit|
> />/  nsIndexIDListScanLimit: limit=-1 type=sub values=*mt,mt*
> />/
> />/
> />/
> />/  If there are other substring searches around the "cn" attribute you are having issues with, you can modify this to be:
> />/
> />/  |# ldapmodify <fill in the required parameters>
> />/
> />/  |dn: cn=cn,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
> />/  changetype: modify
> />/  add:|||nsIndexIDListScanLimit|
> />/  nsIndexIDListScanLimit: limit=-1 type=sub|
> /I'm on a roll today :-( sorry so this is not going to solve the issue.
> There is no way to index or improve this type of search filter's
> performance (cn=*mt*).  If this is a reoccurring search filter, and your
> client can be adjusted to use vlv indexes, then that might be option.
> See the admin guide for more info on VLV searches/indexes.
>
> Regards,
> Mark
> >/
> />
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20150805/ca6812ed/attachment.html>

More information about the 389-users mailing list