(RADIATOR) AuthLDAP2 and OpenLDAP2
Neale Banks
neale at lowendale.com.au
Fri May 11 01:03:49 CDT 2001
With AuthLDAP2 and OpenLDAP, the out-of-box performance was *horrible*
(like well under 10 requests/sec). This was identified as
inefficiencies in the LDAP lookups, using BaseDN="ou=foo,o=bar,c=au".
In testing the ldap lookup, it was found that using
BaseDN="uid=user,ou=foo,o=bar,c=au" resulted in both an *enormous*
performance increase and *much* less CPU usage by slapd, due to the
way the indexes are constructed.
How to implement this in Radiator? The attached patchlet adds %0 and
%1 substitution for BaseDN, the same as is for SearchFilter. Then use:
BaseDN %0=%1,ou=foo,o=bar,c=au
Scope base
Testing with radpwtst now gets ~40req/sec and cutting live shows all
working as expected.
Feedback on anything that looks sub-optimal (or even downright wrong)
would be greatly appreciated.
Thanks,
Neale.
-------------- next part --------------
--- AuthLDAP2.pm-orig Thu Apr 26 09:47:28 2001
+++ AuthLDAP2.pm Fri May 11 10:39:27 2001
@@ -288,10 +288,14 @@
my $filter = &Radius::Util::format_special($self->{SearchFilter},
$p, $rp,
$self->{UsernameAttr},
$name);
+ my $basedn = &Radius::Util::format_special($self->{BaseDN},
+ $p, $rp,
+ $self->{UsernameAttr},
+ $name);
# $filter = eval qq/"$filter"/; # Interpolate perl vars
# print "base $self->{BaseDN}, filter $filter, @attrs\n";
# We evaluate the search
# with an alarm for the timeout period
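Review bot: In the added `my $basedn = &Radius::Util::format_special($self->{BaseDN}, ...` call, `$name` comes from the request and is substituted into a DN with no escaping visible in this hunk. A user name containing DN metacharacters such as `,`, `+`, `=` or `\` would change the structure of the search base instead of filling a single RDN value, so with `BaseDN %0=%1,ou=foo,o=bar,c=au` the lookup could resolve against an entry other than the intended one. Unless format_special already escapes its arguments, escape `$name` according to the DN string rules (RFC 2253) before it is used for BaseDN; filter escaping follows different rules and is not a substitute. Minor: the commented-out debug print still references `$self->{BaseDN}` and should show `$basedn`.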
@@ -303,11 +307,11 @@
unless ($^O eq 'MSWin32' || !$self->{Timeout});
alarm($self->{Timeout})
unless ($^O eq 'MSWin32' || !$self->{Timeout});
$result = $self->{ld}->search
- (base => $self->{BaseDN},
+ (base => $basedn,
scope => $self->{Scope},
filter => $filter,
attrs => \@attrs);
};
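Review bot: With `base => $basedn` and `Scope base`, a request for a user that does not exist means the base entry itself is missing, and the server answers with noSuchObject (result code 32) instead of a successful search returning zero entries. The result handling is outside this hunk; please check that it maps this code to "no such user" and does not treat it as a server failure that triggers a reconnect or a failed request. It would also help to document that `%0`/`%1` in BaseDN is meant to be paired with `Scope base`.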