[Samba] [Samba 4.5] Very slow LDAP Queries (almost unusable), performance tunning ?

[Gaetan SLONGO]

Dear users, 

We are facing to a big latency issue regarding the LDAP Server (both encrypted & plain). 

We have a Zarafa mail server which makes a lot of queries and puts a samba process to 100% usage. This latency makes the mail server unusable.. The mail server was previously on OpenLDAP and there was not performance issues. 

A simple LDAP query can take up to 25 sec to perform !! 

We have added some indexes : 

[root at califix ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST 
# record 1 
dn: @INDEXLIST 
@IDXONE: 1 
@IDXVERSION: 2 
@IDXATTR: objectClass 
@IDXATTR: msDS-Cached-Membership-Time-Stamp 
@IDXATTR: userPrincipalName 
@IDXATTR: rpcNsInterfaceID 
@IDXATTR: fileExtPriority 
@IDXATTR: dnsRoot 
@IDXATTR: mSMQLabelEx 
@IDXATTR: dNSTombstoned 
@IDXATTR: msDS-PhoneticCompanyName 
@IDXATTR: msSFU30Domains 
@IDXATTR: dhcpType 
@IDXATTR: ou 
@IDXATTR: gidNumber 
@IDXATTR: msFVE-VolumeGuid 
@IDXATTR: msTSManagingLS2 
@IDXATTR: implementedCategories 
@IDXATTR: oMTIndxGuid 
@IDXATTR: cOMClassID 
@IDXATTR: volTableIdxGUID 
@IDXATTR: l 
@IDXATTR: mSMQDigests 
@IDXATTR: msTSExpireDate4 
@IDXATTR: flatName 
@IDXATTR: msSFU30YpServers 
@IDXATTR: packageFlags 
@IDXATTR: mSMQOwnerID 
@IDXATTR: objectCategory 
@IDXATTR: msSFU30IsValidContainer 
@IDXATTR: msTSProperty02 
@IDXATTR: mS-DS-CreatorSID 
@IDXATTR: proxyAddresses 
@IDXATTR: msPKI-Cert-Template-OID 
@IDXATTR: uNCName 
@IDXATTR: mS-SQL-Name 
@IDXATTR: fSMORoleOwner 
@IDXATTR: msSFU30NisDomain 
@IDXATTR: otherMailbox 
@IDXATTR: location 
@IDXATTR: msSFU30NetgroupHostAtDomain 
@IDXATTR: uSNChanged 
@IDXATTR: sIDHistory 
@IDXATTR: birthLocation 
@IDXATTR: msDS-SecondaryKrbTgtNumber 
@IDXATTR: msTSProperty01 
@IDXATTR: msTSManagingLS4 
@IDXATTR: msSFU30OrderNumber 
@IDXATTR: msDS-HABSeniorityIndex 
@IDXATTR: primaryGroupID 
@IDXATTR: mSMQQueueType 
@IDXATTR: msDFSR-ReplicationGroupGuid 
@IDXATTR: msDS-PhoneticDepartment 
@IDXATTR: mail 
@IDXATTR: msSFU30Name 
@IDXATTR: msSFU30NetgroupUserAtDomain 
@IDXATTR: fromServer 
@IDXATTR: displayName 
@IDXATTR: msTSLicenseVersion2 
@IDXATTR: groupType 
@IDXATTR: msTSLicenseVersion3 
@IDXATTR: msTSLicenseVersion4 
@IDXATTR: userAccountControl 
@IDXATTR: physicalLocationObject 
@IDXATTR: servicePrincipalName 
@IDXATTR: msTSExpireDate 
@IDXATTR: serviceClassName 
@IDXATTR: lDAPDisplayName 
@IDXATTR: zarafaAccount 
@IDXATTR: terminalServer 
@IDXATTR: givenName 
@IDXATTR: msTSManagingLS3 
@IDXATTR: msSFU30MaxUidNumber 
@IDXATTR: msDS-Entry-Time-To-Die 
@IDXATTR: msTSLSProperty01 
@IDXATTR: msDS-PhoneticFirstName 
@IDXATTR: trustPartner 
@IDXATTR: msTSLSProperty02 
@IDXATTR: msTSExpireDate3 
@IDXATTR: objectGUID 
@IDXATTR: showInAdvancedViewOnly 
@IDXATTR: rpcNsTransferSyntax 
@IDXATTR: sAMAccountName 
@IDXATTR: mS-SQL-Version 
@IDXATTR: msDS-Site-Affinity 
@IDXATTR: sn 
@IDXATTR: name 
@IDXATTR: nETBIOSName 
@IDXATTR: sAMAccountType 
@IDXATTR: msTSManagingLS 
@IDXATTR: msDFSR-DfsPath 
@IDXATTR: altSecurityIdentities 
@IDXATTR: USNIntersite 
@IDXATTR: msSFU30MasterServerName 
@IDXATTR: msDS-PhoneticLastName 
@IDXATTR: cn 
@IDXATTR: netbootGUID 
@IDXATTR: lastLogonTimestamp 
@IDXATTR: legacyExchangeDN 
@IDXATTR: mSMQLabel 
@IDXATTR: uSNCreated 
@IDXATTR: mS-SQL-Database 
@IDXATTR: msDS-PhoneticDisplayName 
@IDXATTR: msSFU30MaxGidNumber 
@IDXATTR: rpcNsObjectID 
@IDXATTR: timeVolChange 
@IDXATTR: msTSExpireDate2 
@IDXATTR: groupAttributes 
@IDXATTR: physicalDeliveryOfficeName 
@IDXATTR: msFVE-RecoveryGuid 
@IDXATTR: msDS-AdditionalSamAccountName 
@IDXATTR: objectSid 
@IDXATTR: keywords 
@IDXATTR: mS-SQL-Alias 
@IDXATTR: invocationId 
@IDXATTR: msTSLicenseVersion 
@IDXATTR: requiredCategories 
@IDXATTR: msDS-AzObjectGuid 
distinguishedName: @INDEXLIST 

There is any way to improve LDAP responses times ? It seems there is only one process which is managing LDAP queries (no forks/threads?) 

Thank you in advance for your help !!