> On Oct 24, 2018, at 2:05 PM, Michael Di Domenico <mdidomeni...@gmail.com> 
> wrote:
> 
> On Wed, Oct 24, 2018 at 1:51 PM Ryan Novosielski <novos...@rutgers.edu> wrote:
>> On 10/24/2018 01:44 PM, Michael Di Domenico wrote:
>>> i don't want to diverge this thread from the OP, but how fast does
>>> ldap really need to be?  i have ~700 machines talking to two
>>> openldap servers w/ ssl enabled.  we have to run nslcd on the
>>> clients, but all is well
>> 
>> It's somewhat relevant, given someone's consideration of migration.
>> 
>> Faster than ours! We have a single at the moment (the VM is movable so
>> we don't really need it for high availability), but we are having
>> problems with certain operations (like ls -la /home). Our case appears
>> as if it might be related to our VM infrastructure or some tuning
>> parameter that is very wrong. I've done the usual things (indexing on
>> uidNumber and gidNumber, etc.) but haven't had a ton of luck so far.
> 
> dunno, there's a lot of variables at play to make a suggestion.  but i
> don't recall doing anything overly special.  nslcd was one thing we
> absolutely had to run, we tried to avoid it at first, but the lookups
> across the enterprise crushed the server.  with nslcd running the ldap
> server load is generally low.  we can spike it though with a
> large/fast rsync or some other filer heavy action, but most of our
> users cannot.
> 
> how many objects do you have in your tree?  are you storing more than
> passwd/shadow/group info?

Our LDAP is very small, compared to the sorts of things some people run.

We added indexes today on uid, uidNumber, and gidNumber and the problem went 
away. Didn’t try it earlier as it had virtually no impact on our testing system 
for whatever reason, but on a different testing system and on production, it 
dropped “ls -al /home/” from ~90s to ~5s. I’m not sure if all three were 
necessary, but I’ll look back at that later.

We’ve run SSSD from day one, so that eliminates the nslcd question. We also 
moved CentOS 5.x to SSSD, FYI (I believe there was someone else with some old 
systems around). Was pretty painless, and SSSD eliminates a lot of problems 
that exist with the older stuff (including some really boneheaded very large 
LDAP queries that were happening routinely with the older nss-ldap software if 
I’m remembering its name correctly).

--
____
|| \\UTGERS,     |---------------------------*O*---------------------------
||_// the State  |         Ryan Novosielski - novos...@rutgers.edu
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
||  \\    of NJ  | Office of Advanced Research Computing - MSB C630, Newark
     `'

_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit 
http://www.beowulf.org/mailman/listinfo/beowulf
