Kevin Conley
Occasional Contributor

LDAP-UX client with Active Directory is slow.

Hi All,

I have LDAP-UX set up to talk to Active Directory. I have caching enabled but pwgets take about .5 seconds even when cached. They take 1.5 seconds if they aren't.

Is this typical? I was expecting that cached entries would be faster.

Thanks,
Kevin
Viktor Balogh
Honored Contributor

Re: LDAP-UX client with Active Directory is slow.

There is a so-called password caching daemon, look for it in the process tree if it is running.

# ps -ef | grep pwgrd

You can see its hit ratio with the interactive pwgr_stat command.
****
Unix operates with beer.
Kevin Conley
Occasional Contributor

Re: LDAP-UX client with Active Directory is slow.

I've looked at this and it helps with caching the password that's used to talk to the AD server but not for the UID to account lookups that I'm doing. I even turned on the "with NIS+" option. The cache and hash hit rate is 0.00%.

Other thoughts?
Bob Neal-Joslin
Trusted Contributor

Re: LDAP-UX client with Active Directory is slow.

Hi Kevin,

Once cached, lookups should be very quick. Are you doing your tests using pwget [man pwget(1)] and seeing the slow results or some other method? And are you doing enumeration or just single lookups (sounds like the latter)?

One thing you could try is see if the performance can be attributed directly to LDAP-UX or the directory server. Try this ldapsearch command and see how long it takes.

/opt/ldapux/bin/ldapsearch -b "" -h "" -D "username@domain" -w "" "(&(objectclass=user)(uidnumber=))" dn

If that's fast, then there is something going on inside ldapux itself.

One other thing to do would be to post data from your ldapclientd configuration and statistics. Could you post the contents of /etc/opt/ldapux/ldapclientd.conf and /etc/nsswitch.conf? And also, could you display the output of /opt/ldapux/bin/ldapclientd -S passwd, both before and after running the "pwget -u " command?

Be sure to check that no confidential data is in any of the output you post.

BTW, I'm not sure what you mean by "with NIS+". Could you clarify?

Bob
Kevin Conley
Occasional Contributor

Re: LDAP-UX client with Active Directory is slow.

I have adjusted the base dn to just look in the OU=User_Accounts. That helped quite a bit.

The other thing that I discovered after painful scrutiny is that the ldapclientd.conf file I had (from one of the templates) did not have poscache_ttl or negcache_ttl values in each of the cache sections, i.e. passwd.

UGGGGGHHHHhhhh!

After I added those entries for the things I wanted to cache, I could use pwget -n on 1000 unique users and it would cache them in 2 minutes, 15 seconds. Then I could re-run that same set of users and it finished in 35 seconds!

That's much closer to what I would have expected.

Thanks,
Kevin
Bob Neal-Joslin
Trusted Contributor

Re: LDAP-UX client with Active Directory is slow.

Hi Kevin,

Glad you worked it out. Just so you know, the default cache time (if it's enabled but not specified in the ldapclientd.conf file) for passwd and group is 120 seconds. The defaults are listed in the ldapclientd.conf man page "man 4 ldapclient.conf". (The 4 is required because the man subsystem trims names and thus would not be able to distinguish from the ldapclientd(1m) man page.)

Bob
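
A quick way to audit for the missing poscache_ttl / negcache_ttl entries Kevin describes, and to see which sections are running on the implicit defaults Bob mentions, as an added example that is not part of the original thread. The `[section]` / `key=value` layout, the `enable=yes` key and the sample file are assumptions constructed for illustration; the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list enabled cache sections in an
# ldapclientd.conf-style file that do not set poscache_ttl / negcache_ttl.
# Assumed layout: "[section]" headers, "key=value" lines, "#" comments.
# Usage: check_cache_ttls FILE [SECTION...]   (FILE may be "-" for stdin;
#        sections default to "passwd group")
check_cache_ttls() {
    conf=$1; shift
    [ $# -gt 0 ] || set -- passwd group
    awk -v want="$*" '
    function flush() {
        # Only report sections the caller asked about and that are enabled.
        if ((sec in wanted) && enabled) {
            if (!pos) print sec ": poscache_ttl not set"
            if (!neg) print sec ": negcache_ttl not set"
        }
    }
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^[ \t]*\[.*\]/ {                          # new section header
        flush()
        sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
        enabled = 0; pos = 0; neg = 0
        next
    }
    {
        line = $0; gsub(/[ \t]/, "", line)
        split(line, kv, "=")
        if (kv[1] == "enable" && kv[2] == "yes") enabled = 1
        if (kv[1] == "poscache_ttl" && kv[2] != "") pos = 1
        if (kv[1] == "negcache_ttl" && kv[2] != "") neg = 1
    }
    END { flush() }
    ' "$conf"
}

# Constructed sample input, not a real configuration.
sample_conf() {
cat <<'EOF'
[StartOnBoot]
enable=yes
[passwd]
enable=yes
[group]
enable=yes
poscache_ttl=600
[netgroup]
enable=no
EOF
}

sample_conf | check_cache_ttls - passwd group
```

On a real system the first argument would be /etc/opt/ldapux/ldapclientd.conf, followed by the sections you intend to cache.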