[Samba] High cpu load on LDAP
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Wed Dec 11 21:30:59 UTC 2024
hi Marco,
> I've noted that there's no info on samba wiki on index manipulation. And
> I've some doubt.
Doubt is usually appropriate.
>> and trigger a reindex.
>
> With:
> samba-tool dbcheck --reindex
>
> right?!
That looks right (I haven't done this myself, so I was being
deliberately vague).
>> The thing that determines whether an attribute is indexed is whether its
>> schema definition has an odd number (or in some versions, the string
>> "fATTINDEX") for the searchFlags attribute.
>> There is this samba-tool command:
>> samba-tool schema attribute \
>> modify \
>> member \
>> --searchflags="fATTINDEX" \
>> --option="dsdb:schema update allowed = true"
>
> In the past I've added an index (eg, for an added 'last draft' schema) as:
>
> ldbedit -H /var/lib/samba/private/sam.ldb -b CN=mailLocalAddress,CN=Schema,CN=Configuration,DC=ad,DC=mydomain,DC=it --option="dsdb:schema update allowed"=true
>
> and adding:
>
> searchFlags: 1
>
> Is it the same? Is it safest to use 'samba-tool'?
That is doing the same thing. Samba-tool is just doing an ldb edit, and
"fATTINDEX" is a fancy way of writing "1" for searchFlags.
I guess samba-tool lowers the risk of pushing the wrong buttons in vim
and ruining everything.
> But the more general question is: AFAIK the Samba AD schema is as compatible
> as possible to the MS AD schema; so MS AD schema have no 'member' index by
> default? And if true, why?
>
> Or MS AD have no 'index' concept whatsoever and manage AD performance in
> other way?
These are good questions. MS AD does have indexes (that is what
"searchFlags: 1" is for), but they never index linked attributes like
member.
I touched on this further back in the thread, and I think there are two
reasons:
1. MS AD probably uses memberOf as an index for member.
An index on member would be used to answer the question "what objects
have a member attribute with the value X?". But "member" is a linked
attribute, which means there is an automagical backlink attribute
("memberOf") on the object it points to. So you can answer the question
by rephrasing it as "what objects are pointed to by the memberOf
attributes of X?", then just looking up X. That should be about as fast
as an index.
Samba AD does not do this rephrasing, probably because in the distant
past (a) it was not used at scale, (b) we didn't trust our backlinks,
and (c) we didn't think of it. We could/should do it now, but it will
take a bit of work.
2. People use MS AD differently.
My guess is that a lot of things that seem common in large Samba AD
deployments, like OpenLDAP integrations and so forth, are not that
common in MS-only organisations.
cheers,
Douglas
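An added example, not part of this thread and not Samba's own code: it decodes the searchFlags bit that Douglas refers to (fATTINDEX = 0x1) over a small constructed schema LDIF, and then shows the member/memberOf rephrasing on a constructed in-memory directory, including a consistency check for the backlinks that the rephrasing relies on. All DNs, attribute values and the DIRECTORY contents are constructed for illustration; a real audit would read the schema partition with ldbsearch or samba-tool instead.

```python
"""Audit which schema attributes carry fATTINDEX, and show that the
"(member=X)" question can be answered from X's memberOf backlinks.
Constructed example data; not taken from any real directory."""

FATTINDEX = 0x1  # searchFlags bit 0: the attribute is indexed

# Constructed schema fragment. Only searchFlags and lDAPDisplayName matter here.
SCHEMA_LDIF = """\
dn: CN=Member,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=test
lDAPDisplayName: member
searchFlags: 0

dn: CN=Is-Member-Of-DL,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=test
lDAPDisplayName: memberOf
searchFlags: 0

dn: CN=mailLocalAddress,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=test
lDAPDisplayName: mailLocalAddress
searchFlags: 1

dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=test
lDAPDisplayName: sAMAccountName
searchFlags: 9
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries


def is_indexed(entry):
    """An attribute is indexed when searchFlags has the fATTINDEX bit set,
    i.e. when the integer is odd, exactly as described in the thread."""
    flags = int(entry.get("searchFlags", ["0"])[0])
    return bool(flags & FATTINDEX)


def indexed_attributes(schema_ldif):
    return sorted(e["lDAPDisplayName"][0]
                  for e in parse_ldif(schema_ldif) if is_indexed(e))


# Constructed directory: groups hold 'member' forward links, users hold
# the automatically maintained 'memberOf' backlinks.
ALICE = "CN=alice,CN=Users,DC=ad,DC=example,DC=test"
BOB = "CN=bob,CN=Users,DC=ad,DC=example,DC=test"
ADMINS = "CN=admins,CN=Users,DC=ad,DC=example,DC=test"
STAFF = "CN=staff,CN=Users,DC=ad,DC=example,DC=test"

DIRECTORY = {
    ALICE: {"memberOf": [ADMINS, STAFF]},
    BOB: {"memberOf": [STAFF]},
    ADMINS: {"member": [ALICE]},
    STAFF: {"member": [ALICE, BOB]},
}


def groups_by_scan(directory, dn):
    """Unindexed '(member=dn)': every object has to be visited."""
    return sorted(g for g, attrs in directory.items()
                  if dn in attrs.get("member", []))


def groups_by_backlink(directory, dn):
    """Rephrased query: read memberOf on the single object dn."""
    return sorted(directory.get(dn, {}).get("memberOf", []))


def backlink_mismatches(directory):
    """Return (group, user) pairs where member and memberOf disagree.
    The rephrasing is only safe when this is empty."""
    bad = set()
    for g, attrs in directory.items():
        for m in attrs.get("member", []):
            if g not in directory.get(m, {}).get("memberOf", []):
                bad.add((g, m))
    for u, attrs in directory.items():
        for g in attrs.get("memberOf", []):
            if u not in directory.get(g, {}).get("member", []):
                bad.add((g, u))
    return sorted(bad)


if __name__ == "__main__":
    print("indexed:", indexed_attributes(SCHEMA_LDIF))
    print("scan:    ", groups_by_scan(DIRECTORY, ALICE))
    print("backlink:", groups_by_backlink(DIRECTORY, ALICE))
    print("mismatches:", backlink_mismatches(DIRECTORY))
```

The scan and the backlink lookup return the same answer only while `backlink_mismatches` is empty, which is why trust in the backlinks matters before a server can substitute one query for the other.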