[Dovecot] LDAP auth load? (looking for advice)
One of the changes my beta testers are testing is switching from NIS to LDAP for login/auth/homedir lookups; all is working perfectly, Dovecot + PAM/nss_ldap is A-OK. No issues here, we've been using LDAP lookups on other servers for years.
I'm wondering about load, specifically if when I switch the entire company over, will the new authentication load stress my LDAP server to the point of breaking.
A) Does anyone here have some numbers or experience in this switch that could lend some real-world advice? We're talking maybe... 50 people with large (numerically, not gig-age) mailboxes, and ThunderBird seems to open 4-5 connections per client based on the logs.
B) Would anyone advise that I run a slapd slave directly on the main Dovecot server to alleviate load? Is this overkill and I shouldn't worry about it?
Mainly what has me concerned is that on the Dovecot machine, I'm getting a number of entries in the messages that look like:
dovecot-auth: nss_ldap: reconnecting to LDAP server...
dovecot-auth: nss_ldap: reconnected to LDAP server after 1 attempt(s)
No failures ever, it all just works. But still this tickles my brain that maybe it'll need more robustness come production time.
Thanks for your feedback, -te
-- Troy Engel | Systems Engineer Fluid Inc. | http://www.fluid.com
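An added example (not from the original post or from Dovecot/nss_ldap) of the kind of check a maintainer might run over /var/log/messages before cutover: it parses the two nss_ldap message formats quoted above, counts reconnect cycles per process, records the worst attempt count, and flags any "reconnecting" line that never got its matching "reconnected" line. The syslog timestamp/hostname prefixes and the log lines themselves are constructed sample data; only the nss_ldap message text is from the thread.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines. The "dovecot-auth: nss_ldap: ..."
# text matches what the thread quotes; timestamps and hostname are assumed syslog
# prefixes, not taken from the original post.
SAMPLE_LOG = """\
Feb 17 08:40:01 mail dovecot-auth: nss_ldap: reconnecting to LDAP server...
Feb 17 08:40:01 mail dovecot-auth: nss_ldap: reconnected to LDAP server after 1 attempt(s)
Feb 17 08:41:17 mail dovecot-auth: nss_ldap: reconnecting to LDAP server...
Feb 17 08:41:19 mail dovecot-auth: nss_ldap: reconnected to LDAP server after 3 attempt(s)
Feb 17 08:42:05 mail dovecot-auth: nss_ldap: reconnecting to LDAP server...
Feb 17 08:42:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN
"""

# One regex per message form; the process name is captured so that reconnects from
# dovecot-auth can be told apart from other nss_ldap users on the same host.
RECONNECTING = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<proc>[\w-]+): nss_ldap: reconnecting to LDAP server"
)
RECONNECTED = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<proc>[\w-]+): nss_ldap: "
    r"reconnected to LDAP server after (?P<n>\d+) attempt"
)


def summarize_reconnects(text):
    """Summarise nss_ldap reconnect activity in a block of syslog text.

    Returns counts of started/completed reconnect cycles, how many started
    without a matching completion, the largest attempt count seen, and a
    per-process breakdown of reconnect starts.
    """
    started = 0
    completed = 0
    attempts = []
    by_process = Counter()
    for line in text.splitlines():
        m = RECONNECTING.search(line)
        if m:
            started += 1
            by_process[m.group("proc")] += 1
            continue
        m = RECONNECTED.search(line)
        if m:
            completed += 1
            attempts.append(int(m.group("n")))
    return {
        "started": started,
        "completed": completed,
        "unresolved": started - completed,
        "max_attempts": max(attempts, default=0),
        "by_process": dict(by_process),
    }


if __name__ == "__main__":
    for key, value in summarize_reconnects(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the sample the first two cycles complete (one needing 3 attempts) and the third never reports "reconnected"; that unresolved case, and any growth in the attempt count, is the signal worth watching rather than the reconnect lines themselves.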
Hello,
On Sat, Feb 17, 2007 at 08:51:00AM -0800, Troy Engel wrote: [...]
Mainly what has me concerned is that on the Dovecot machine, I'm getting a number of entries in the messages that look like:
dovecot-auth: nss_ldap: reconnecting to LDAP server...
dovecot-auth: nss_ldap: reconnected to LDAP server after 1 attempt(s)
No failures ever, it all just works. But still this tickles my brain that maybe it'll need more robustness come production time.
By the way LDAP auth:
We had a serious problem with LDAP auth in Dovecot before rc18 or so, though it turned out it should be an OpenLDAP problem instead (but we can't change the server). I've got my own stress test, which does quite a large number of POP3 sessions in parallel: before rc18, after only some seconds, some fault occurred and dovecot-auth started blocking further requests. I tested rc22 some days ago: I can't detect a single failure anymore :)
--
- Gábor
<quote who="Gábor Lénárt">
> Hello,
>
> On Sat, Feb 17, 2007 at 08:51:00AM -0800, Troy Engel wrote:
> [...]
>> Mainly what has me concerned is that on the Dovecot machine, I'm getting
>> a number of entries in the messages that look like:
>>
>> dovecot-auth: nss_ldap: reconnecting to LDAP server...
>> dovecot-auth: nss_ldap: reconnected to LDAP server after 1 attempt(s)
>>
>> No failures ever, it all just works. But still this tickles my brain
>> that maybe it'll need more robustness come production time.
>
> By the way LDAP auth:
>
> We had a serious problem with LDAP auth in Dovecot before rc18 or so,
> though it turned out it should be an OpenLDAP problem instead (but we can't
> change the server).
What version of OpenLDAP and problem?
> I've got my own stress test, which does quite a large number of POP3 sessions in parallel: before rc18, after only some seconds, some fault occurred and dovecot-auth started blocking further requests. I tested rc22 some days ago: I can't detect a single failure anymore :)
>
> --
> - Gábor
On 2/17/07, Troy Engel tengel@fluid.com wrote:
One of the changes my beta testers are testing is switching from NIS to LDAP for login/auth/homedir lookups; all is working perfectly, Dovecot + PAM/nss_ldap is A-OK. No issues here, we've been using LDAP lookups on other servers for years.
I'm wondering about load, specifically if when I switch the entire company over, will the new authentication load stress my LDAP server to the point of breaking.
I run ~1100 mailboxes using Dovecot/Postfix with LDAP for all lookups. The LDAP server(s) don't even begin to sweat. LDAP is highly optimized for many, many reads/second and is used as the directory service for sites much larger than ours.
-Ben
On Mon, 2007-02-19 at 11:31 -0600, Ben Beuchler wrote:
On 2/17/07, Troy Engel tengel@fluid.com wrote:
One of the changes my beta testers are testing is switching from NIS to LDAP for login/auth/homedir lookups; all is working perfectly, Dovecot + PAM/nss_ldap is A-OK. No issues here, we've been using LDAP lookups on other servers for years.
I'm wondering about load, specifically if when I switch the entire company over, will the new authentication load stress my LDAP server to the point of breaking.
I run ~1100 mailboxes using Dovecot/Postfix with LDAP for all lookups. The LDAP server(s) don't even begin to sweat. LDAP is highly optimized for many, many reads/second and is used as the directory service for sites much larger than ours.
I can only support this, we are running dovecot with approx. 3K mailboxes and our OpenLDAP does not even notice what is happening :-)
You can & should however optimize the LDAP server in terms of indices and such. For OpenLDAP and the qmail schema that would be for example:
--------CUT-------
index objectClass eq
index mailAlternateAddress pres,eq
index mail pres,eq
--------CUT-------
-- Udo Rader
bestsolution.at EDV Systemhaus GmbH http://www.bestsolution.at
Udo Rader wrote:
index objectClass eq
index mailAlternateAddress pres,eq
index mail pres,eq
Thanks Udo (& Ben) for the words of encouragement, I have nowhere near 1100 mailboxes. :) I do run with the below indexes, though, that seems to provide very good performance:
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
Lookups happen not only for standard machine (nss_ldap) auth from various sources, but all ThunderBird clients as an address book; hence those given/surname indexes you see above.
-te
-- Troy Engel | Systems Engineer Fluid, Inc | http://www.fluid.com
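An added example, not from the thread or from OpenLDAP, covering both Udo's and Troy's index sets above: it parses slapd.conf `index` directives (including the comma-separated attribute and index-type lists Troy uses) and reports which equality indexes the nss_ldap passwd/group lookups depend on are still missing. The required-attribute set is an assumption based on the standard nss_ldap lookups (uid for getpwnam, uidNumber for getpwuid, gidNumber for getgrgid, memberUid for group membership) rather than anything stated in the thread; the two config fragments are reconstructed from the posts.

```python
import re

# Reconstructed slapd.conf fragments from the two posts above (sample input).
UDO_INDEXES = """\
index objectClass eq
index mailAlternateAddress pres,eq
index mail pres,eq
"""

TROY_INDEXES = """\
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
"""

# Assumed: attributes that nss_ldap searches with equality filters for the
# passwd and group maps. An unindexed equality search on a busy slapd is the
# usual cause of slow logins, so these are the ones to verify before cutover.
NSS_LDAP_REQUIRED = {
    ("objectClass", "eq"),
    ("uid", "eq"),
    ("uidNumber", "eq"),
    ("gidNumber", "eq"),
    ("memberUid", "eq"),
}

# slapd.conf form: "index <attrlist> <indextypes>", both lists comma-separated.
INDEX_LINE = re.compile(r"^\s*index\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_indexes(conf_text):
    """Return the set of (attribute, indextype) pairs declared by 'index' lines.

    Attribute names and index types are lower-cased because LDAP attribute
    names are case-insensitive; '#' comments are stripped first.
    """
    declared = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        m = INDEX_LINE.match(line)
        if not m:
            continue
        attrs, types = m.group(1), m.group(2)
        for attr in attrs.split(","):
            for itype in types.split(","):
                declared.add((attr.lower(), itype.lower()))
    return declared


def missing_nss_indexes(conf_text, required=NSS_LDAP_REQUIRED):
    """List the required (attribute, indextype) pairs absent from conf_text."""
    declared = parse_indexes(conf_text)
    return sorted(
        (attr, itype)
        for attr, itype in required
        if (attr.lower(), itype.lower()) not in declared
    )


if __name__ == "__main__":
    for name, conf in (("Udo", UDO_INDEXES), ("Troy", TROY_INDEXES)):
        print(f"{name}: missing for nss_ldap -> {missing_nss_indexes(conf)}")
```

Udo's qmail-schema set is tuned for mail routing (mail/mailAlternateAddress) and comes up short for nss_ldap account lookups, while Troy's set covers all five; the extra `subinitial` types on cn/mail/surname/givenname are what make the ThunderBird address-book substring searches cheap. With slapd.conf-style configuration, new index lines only take effect on an existing database after running slapindex with slapd stopped.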
participants (5): Ben Beuchler, Gavin Henry, Gábor Lénárt, Troy Engel, Udo Rader