Performance Tuning for OpenLDAP

Performance Tuning

Unless you have an extremely large database, getting extremely fast queries out of OpenLDAP is pretty straight forward. There are two things one must account for: memory cache and indexing.

Here is the relevent section of from my slapd.conf:

.... database ldbm suffix "dc=k12, dc=or, dc=us" directory /var/lib/ldap rootdn "cn=admin, dc=k12, dc=or, dc=us" rootpw {crypt}OVe8hef4ftavo cachesize 1000000 dbcachesize 10000000 index objectclass,userpassword,createtimestamp,creatorsname none index default ....

Caching

Caches are configured on a per-database basis. The cache is set by the parameters cachesize and dbcachesize. The cachesize is size in entries of the in-line cache. dbcachesize is the size in bytes of the in-line cache.

The size of dbcachesize should be big enough to hold your largest index file (*.dbb). dbcachesize speeds up the creation of indexes when adding or modifying entries. The original University of Michigan slapd documentation (which OpenLDAP is based on) implies that dbcachesize should be turned off when you are not loading data into the server in order to save memory. Memory is cheap, so I leave mine on.

The LDBM database spends much of its time reading entries from the id2entry file. If cachesize is large enough to hold the entires in id2entry, performance will increase significantly. Again, memory is cheap so I set this cache value high.

Indexing

The most important configuration item is the index. Indexing increases the amount of time required to add/modify an entry, but vastly improves search times.

If your directory is strongly biased towards reads rather than writes, you may want to index most attributes:

index objectclass,userpassword,createtimestamp,creatorsname none index default

The first line tells OpenLDAP not to index attributes which are rarely searched (adjust to fit your needs). The second line tell OpenLDAP to index all other attributes.

If write performance is critical, you can index only the most commonly search attributes. For example:

index cn index sn,uid,mail eq,sub index default none

This example will index cn for all search types (equality, substring, approximate, and presence); the sn,uid, and mail attributes will only be indexed for equality and substrings; and all other attributes will not be indexed.

Important Note: You must configure your index before you load your data into the LDAP server! If you would like to reindex your databases after your data is loaded: 1) shutdown the ldap server, 2) backup your databases (you always do that, don't you? :-), 3) run lbmcat id2entry.dbb > backup.ldif, 4) make your index changes in slapd.conf, 5) run ldif2ldbm -i backup.ldif, and then 6) restart the ldap server.

Load Balancing

If you carefully tune the cache and indices for maximum performance, and you are still bogging down, you can spread the load over multiple servers. Take a look at the high availability documentation to set this up.

back to the main page