
November 30, 2011

LDAP performance is poor..

Today's rant of the day: In a popular LDAP directory management tool, not to be named, there is a message indicating that the performance of the LDAP server is poor. While this might still be true: honestly, building LDAP filters like you do and then complaining about the LDAP server is like, let's say, searching for papers in the whole city while you know they are certainly located within a single drawer, in a single closet, in a single room of your apartment, and then blaming the city council because your search took so damn long. What a mockery.

4 Comments

Compared to other common directory servers, OpenLDAP performance is abysmal. Doesn't matter what your query is -- even running a query on an OpenLDAP server with < 100 entries is far too slow. It's why Samba4 is taking their own approach. I think Red Hat's solution does too.

You are absolutely right. And on the other hand absolutely wrong.

First: I was not mentioning OpenLDAP at all (although indeed this is the backend of the application).

Second: I already acknowledged the fact that the server may be slow. In the case of OpenLDAP that may or may not be the case; however, it's totally unrelated to the app in question.

With respect to the OpenLDAP rant: I have often heard that claim, and yes, I know there can be problems with OpenLDAP performance. But I've also learned that often, when OpenLDAP performance is a problem, the usage/configuration is a problem as well. Using wrong backends, not setting up proper indexing, and doing subsearching across the whole directory with filters which basically include the whole directory are common pitfalls people tap into.

Samba4 are taking their own approach because they need some custom weird features that are hard to implement with OpenLDAP. They're also doing the same with DNS, BTW (they have some support for BIND but apparently it's not covering all of their needs).

As for Red Hat, you're probably referring to 389server (ex Fedora DS), which has its roots in the iPlanet directory server (same roots as the now killed SunDS); I presume that Red Hat are choosing that over OpenLDAP mostly because of a) some special features (like AD replication and multi-master replication) and b) to differentiate themselves from the competition. It's supposed to be faster too, but I hardly think this is its main selling point (I could easily be wrong though).

@anonymous: metrics or stfu. You would have to seriously (and deliberately) cripple your OpenLDAP setup to get bad performance out of it.
