[Samba] Samba 4 LDAP/LDB search speed
mat at samba.org
Thu Oct 2 20:02:52 MDT 2014
On 10/01/2014 12:00 AM, Roel van Meer wrote:
> Marc Muehlfeld writes:
>> When you say converting from Samba 3 to Samba 4 do you mean migrating
>> your NT4-domain to a Samba AD or continue using Samba 4 as an NT4
> We want to go to Samba AD.
>> > While testing, it seems that the S4 LDAP server is a lot slower than
>> > OpenLDAP.
>> Based on that, I guess you meant you want to switch over to Samba AD.
>> > 1. What is the expected performance of the S4 LDAP server? E.g. if
>> > someone could give me a rough estimate on the number of simple queries
>> > per second on average hardware, then I can see if my setup is
>> > as expected or not.
>> We can't say that in general. This depends on many things, like how many
>> objects you are storing in your AD (users, accounts, groups), AD
>> features you use and their configuration (e. g. tombstone lifetime), and
>> surely also about the amount of additional ACLs (e. g. if you have many
>> Please give some more information about your environment and the
>> expected size of your database. Then surely someone here with a similar
>> installation size can tell you some experiences.
> We're still just testing things. We now have maybe 10 users in the
> database, and nothing special at all, no additional anything.
> I'm just worried, given the big difference in speed between queries in
> OpenLDAP and queries in Samba 4, that the system won't perform very
> well if Postfix and Zarafa are going to do a lot of LDAP queries.
The internal LDAP server is not super tuned right now, we could cache
some responses for better performance.
>> If I output all entries of my small test environment which have a 'cn'
>> (3441 records), it's done quite fast:
>> # time ldbsearch -H /usr/local/samba/private/sam.ldb cn=* --cross-ncs >
>> /dev/null 2>&1
>> real 0m0.719s
>> user 0m0.594s
>> sys 0m0.088s
> On my system, with 3555 records:
> real 0m1.528s
> user 0m1.300s
> sys 0m0.160s
> And on another, with 3476 records:
> real 0m2.297s
> user 0m2.150s
> sys 0m0.130s
>> Doing the same via network against the second DC:
>> # time ldbsearch -H ldap://DC2:389 cn=* --cross-ncs
>> -Uadministrator%xxxxx > /dev/null 2>&1
>> real 0m1.082s
>> user 0m0.418s
>> sys 0m0.038s
> For me, via network but to localhost:
> real 0m3.454s
> user 0m1.220s
> sys 0m0.530s
> and on the other:
> real 0m8.249s
> user 0m4.020s
> sys 0m1.600s
> This is on quite ordinary hardware, with an otherwise idle system. If
> I compare it to the values you posted it seems there is a lot of room
> for improvement. That is good. Now the challenge is to find where the
> slowness occurs. :)
That's not too surprising, and at the same time it's not that bad.
When you do --cross-ncs you are bypassing a lot of indexing stuff, so
usually you don't want to do that.
So if you want to go further, we need to understand what the problem
really is. One way to do so is to recompile your Samba in developer
mode so that we have symbols. Then I would start it with callgrind and
then run your test to see what the hot point is, if you can share the
output of callgrind with me.
Also, I would tune your request a bit. Your request is using indexes, but
the first one is quite general, so we will end up loading a lot of
objects. Instead I would put the most restrictive attribute first and so
on. It shouldn't be too complicated to patch Samba to do so as well.
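
[Added example, not part of the original message and not Samba code.] The reordering suggested in the last paragraph can be done on the client side before the query is sent: the sketch below rewrites a top-level AND filter so the clauses expected to match the fewest objects come first. The attribute sets, the rank values and the sample filters are assumptions made for illustration; the thread does not show the actual Postfix or Zarafa filter.

```python
import re

# Assumed attribute classes (illustrative guesses, not measured ldb index sizes).
UNIQUE_LIKE = {"samaccountname", "userprincipalname", "mail", "objectsid"}
BROAD = {"objectclass", "objectcategory"}

def split_clauses(body):
    """Split '(a=1)(|(b=2)(c=3))' into top-level clauses (RFC 4515 escapes '(' and ')' in values)."""
    clauses, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
            if depth == 0:
                clauses.append(body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced filter")
    return clauses

def rank(clause):
    """Lower rank = expected to match fewer objects (assumed heuristic)."""
    inner = clause[1:-1]
    if inner[:1] in ("&", "|"):
        ranks = [rank(c) for c in split_clauses(inner[1:])]
        return min(ranks) if inner[0] == "&" else max(ranks)  # OR: broadest branch
    if inner[:1] == "!":
        return 4                      # negation matches almost everything
    m = re.fullmatch(r"([^=<>~()]+)(>=|<=|~=|=)(.*)", inner)
    if not m:
        raise ValueError("cannot parse clause: " + clause)
    attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
    if value == "*":
        return 4                      # presence test such as (cn=*)
    if op != "=" or "*" in value:
        return 3                      # range, approximate or substring match
    if attr in BROAD:
        return 2
    return 0 if attr in UNIQUE_LIKE else 1

def reorder_and(flt):
    """Equivalent filter, top-level AND clauses narrowest first (stable sort keeps ties in order)."""
    if not flt.startswith("(&") or not flt.endswith(")"):
        return flt                    # only a top-level AND is reordered
    return "(&" + "".join(sorted(split_clauses(flt[2:-1]), key=rank)) + ")"
```

Because AND is commutative the result set is unchanged; whether the new order is actually faster should be confirmed by timing both forms with ldbsearch as done earlier in the thread.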