[Samba] High cpu load on LDAP

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Wed Dec 11 21:30:59 UTC 2024


hi Marco,

> I've noted that there's no info on samba wiki on index manipulation. And
> i've some doubt.

Doubt is usually appropriate.

>> and trigger a reindex.
> 
> With:
> 	samba-tool dbcheck --reindex
> 
> right?!

That looks right (I haven't done this myself, so I was being 
deliberately vague).

>> The thing that determines whether an attribute is indexed its schema
>> definition has an odd number (or in some versions, the string
>> "fATTINDEX") for the searchFlags attribute.
>> There is this samba-tool command:
>> samba-tool schema attribute \
>>       modify  \
>>       member \
>>      --searchflags="fATTINDEX" \
>>      --option="dsdb:schema update allowed = true"
> 
> In the past I've added index (eg, for an added 'lasr draft' schema) as:
> 
> 	ldbedit -H /var/lib/samba/private/sam.ldb -b CN=mailLocalAddress,CN=Schema,CN=Configuration,DC=ad,DC=mydomain,DC=it --option="dsdb:schema update allowed"=true
> 
> and adding:
> 
> 	searchFlags: 1
> 
> it is the same? It is safest to use 'samba-tool'?

That is doing the same thing. Samba-tool is just doing an ldb edit, and 
"fATTINDEX" is a fancy way of writing "1" for searchFlags.

I guess samba-tool lowers the risk of pushing the wrong buttons in vim 
and ruining everything.

> But the more general question is: AFAIK the Samba AD schema is as compatible
> as possible to the MS AD schema; so MS AD schema have no 'member' index by
> default? And if true, why?
> 
> Or MS AD have no 'index' concept whatsoever and manage AD performance in
> other way?

These are good questions. MS AD does have indexes (that is what 
"searchFlags: 1" is for), but they never index linked attributes like 
member.

I touched on this further back in the thread, and I think there are two 
reasons:

1. MS AD probably uses memberOf as an index for member.

An index on member would be used to answer the question "what objects 
have a member attribute with the value X?". But "member" is a linked 
attribute, which means there is an automagical backlink attribute 
("memberOf") on the object it points to. So you can answer the question 
by rephrasing it as "what objects are pointed to by the memberOf 
attributes of X?", then just looking up X. That should be about as fast 
as an index.

Samba AD does not do this rephrasing, probably because in the distant 
past (a) it was not used at scale, (b) we didn't trust our backlinks, 
and (c) we didn't think of it. We could/should do it now, but it will 
take a bit of work.

2. People use MS AD differently.

My guess is that a lot of things that seem common in large Samba AD 
deployments, like OpenLDAP integrations and so forth, are not that 
common in MS-only organisations.

cheers,
Douglas
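An added illustration of two points in the reply above (example code, not from the thread or from Samba itself): that "fATTINDEX" is simply the name of the low bit (value 1) of searchFlags, so any odd value means "indexed", and that a `(member=X)` lookup can be rephrased as reading X's `memberOf` backlink. The directory dictionary and the DNs in it are constructed sample data, not a real sam.ldb.

```python
# Constructed sample data and helper functions; not Samba's own code.

FATTINDEX = 1  # low bit of searchFlags: "index this attribute"


def search_flags_value(raw):
    """Turn a searchFlags value as written in a schema entry into an int.

    Accepts an int, a decimal string ("1"), or the name "fATTINDEX",
    optionally OR-ed together with "|" (an assumed spelling for this example).
    """
    if isinstance(raw, int):
        return raw
    value = 0
    for token in str(raw).split("|"):
        token = token.strip()
        if token.isdigit():
            value |= int(token)
        elif token == "fATTINDEX":
            value |= FATTINDEX
        else:
            raise ValueError(f"unknown searchFlags token: {token!r}")
    return value


def is_indexed(raw):
    """True when the fATTINDEX bit is set, i.e. the numeric value is odd."""
    return search_flags_value(raw) & FATTINDEX == FATTINDEX


# Constructed directory: forward "member" links and "memberOf" backlinks.
ALICE = "CN=alice,OU=users,DC=example,DC=test"
BOB = "CN=bob,OU=users,DC=example,DC=test"
ADMINS = "CN=admins,OU=groups,DC=example,DC=test"
STAFF = "CN=staff,OU=groups,DC=example,DC=test"
DIRECTORY = {
    ADMINS: {"member": [ALICE], "memberOf": []},
    STAFF: {"member": [ALICE, BOB], "memberOf": []},
    ALICE: {"member": [], "memberOf": [ADMINS, STAFF]},
    BOB: {"member": [], "memberOf": [STAFF]},
}


def groups_by_scan(directory, dn):
    """Unindexed (member=dn): every object in the database is visited."""
    return {g for g, attrs in directory.items() if dn in attrs.get("member", [])}


def groups_by_backlink(directory, dn):
    """Rephrased: one lookup of dn, then read its memberOf backlink."""
    return set(directory.get(dn, {}).get("memberOf", []))
```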