[Samba] Samba 4 LDAP/LDB search speed

Matthieu Patou mat at samba.org
Thu Oct 2 20:02:52 MDT 2014

On 10/01/2014 12:00 AM, Roel van Meer wrote:
> Marc Muehlfeld writes:
>> When you say converting from Samba 3 to Samba 4 do you mean migrating
>> your NT4-domain to an Samba AD or continue using Samba 4 as an NT4 
>> domain?
> We want to go to Samba AD.
>> > While testing, it seems that the S4 LDAP server is a lot slower than
>> > OpenLDAP.
>> Based on that, I guess you ment you want to switch over to Samba AD.
> Correct.
>> > 1. What is the expected performance of the S4 LDAP server? E.g. if
>> > someone could give me a rough estimate on the number of simple queries
>> > per second on average hardware, then I can see if my setup is 
>> performing
>> > as expected or not.
>> We can't say that in general. This depents on many things, like how many
>> objects you are storing in your AD (users, accounts, groups), AD
>> features you use and their configuration (e. g. tombstone lifetime), and
>> surely also about the amount of additional ACLs (e. g. if you have many
>> delegations).
>> Please give some more information about your environment and the
>> expected size of your database. Then surely someone here with a similar
>> installation size can tell you some experiences.
> We're still just testing things. We now have maybe 10 users in the 
> database, and nothing special at all, no additional anything.
> I'm just worried, given the big difference in speed between queries in 
> OpenLDAP and queries in Samba 4, that the system won't perform very 
> well if Postfix and Zarafa are going to do a lot of LDAP queries.
The internal LDAP server is not super tuned right now, we could cache 
some responses for better performance.
>> If I output all entries of my small test environment which have an 'cn'
>> (3441 records), it's done quite fast:
>> # time ldbsearch -H /usr/local/samba/private/sam.ldb cn=* --cross-ncs >
>> /dev/null 2>&1
>> real    0m0.719s
>> user    0m0.594s
>> sys     0m0.088s
> On my system, with 3555 records:
> real    0m1.528s
> user    0m1.300s
> sys     0m0.160s
> And on another, with 3476 records:
> real    0m2.297s
> user    0m2.150s
> sys     0m0.130s
>> Doing the same via network against the second DC:
>> # time ldbsearch -H ldap://DC2:389 cn=* --cross-ncs
>> -Uadministrator%xxxxx > /dev/null 2>&1
>> real    0m1.082s
>> user    0m0.418s
>> sys     0m0.038s
> For me, via network but to localhost:
> real    0m3.454s
> user    0m1.220s
> sys     0m0.530s
> and on the other:
> real    0m8.249s
> user    0m4.020s
> sys     0m1.600s
> This is on quite ordinary hardware, with an otherwise idle system. If 
> I compare it to the values you posted it seems there is a lot of room 
> for improvement. That is good. Now the challenge is to find where the 
> slowness occurs. :)
That's not too much surprising and in the same time that's not that bad.

When you do --cross-ncs you are bypassing a lot of indexing stuff so 
usually you don't want to do that.

So if you want to go further we need to understand what is the problem 
really, one way to do so is to recompile your samba with the developer 
mode so that we have symbols. Then I would start it with callgrind and 
then run your test to see what is the hot point, if you can share with 
me the output of callgrind.

Also I would tune a bit your request, your request is using indexes but 
the first one is quite general so we will end up loading a lot of 
objects, instead I would do the most restrictive attribute first and so 
on, it shouldn't be too complicated to patch samba to do so as well.


Matthieu Patou
Samba Team

More information about the samba mailing list