[CALUG] Slapd starts up slowly
Bryan J Smith
b.j.smith at ieee.org
Mon Feb 28 08:44:34 EST 2011
Couple of things ...
A) /etc/ldap.conf is not OpenLDAP. It's the Red Hat LDAP/NSS system[1], and
base OS client setup. /etc/openldap/ldap.conf is for OpenLDAP clients. It's
not the OpenLDAP server configuration. However, it is still used for the base
OS' authentication and object lookup, and Red Hat also still provides the
OpenLDAP clients as well (so both /etc/ldap.conf and /etc/openldap/ldap.conf
should be configured).
B) If your /etc/ldap.conf changed, then what was updated? How was it updated?
Is it still 644 permissions? If SELinux is enforcing, are the contexts
correct? Use "ls -Zail" to see them, or just "restorecon /etc/ldap.conf" to
restore them.
C) Even if your DB is small, the schema can take a bit to load. OpenLDAP often
has to chug through various schema files. If permissions or SELinux contexts
have changed on those files, then there might be issues, timeouts and other
things that are causing the delays.
D) What is in /var/log/openldap.log? Messages often won't show OpenLDAP
details, other than the service being stopped/started, or critical/emergency
messages (maybe warnings) during such. The openldap.log file will likely show
lower facility messages as well. Compare to when it worked.
NOTES:
[1] Netscape Security Services. Red Hat purchased the iPlanet software
(directory server, certificate server, various client components, etc...) many
years ago. iPlanet is the original, commercial LDAP product much like Navigator
was the original web browser. Netscape hired away the original Michigan LDAP
developers just like they did the original Illinois Mosaic developers. The
product then blossomed into the iPlanet line much like the browser did the
Communicator line. Red Hat released it as open source (GPL and MPL where
required) in, now, Port 389 server ( http://directory.fedoraproject.org/ ) and a
sister project that is AD-like (in NTuser object schema, required use of
Kerberos, etc...) in FreeIPA ( http://www.freeipa.org ).
-- Bryan
P.S. What about "EL6" (e.g., rebuilds like CentOS 6, when it is released)? It
is based on a late Fedora release, unlike "EL5" (which is based on old Fedora
Core 6). It should have the required Ruby on Rails version, especially if it
works on Fedora 12 (which "EL6" is largely based on, with some Fedora 13
additives).
----- Original Message ----
From: Joe Tseng <joe_tseng at hotmail.com>
To: Bryan J Smith <b.j.smith at ieee.org>; calug at unknownlamer.org
Amahi for F14 will be released sometime this week; I am definitely planning
on doing that upgrade. They said they did not consider releasing for CentOS
5.x due to their platform dependencies for Ruby on Rails.
As for the size of my database/schema it shouldn't be very large as it
currently is me, the wife and son and three workstation nodes. What I don't
understand is it JUST started behaving like this, and I haven't really added
anything new to LDAP once it was up and running.
I also noticed I had to redo my /etc/ldap.conf; it was replaced by some
default file. Although I restored to what it was previously it made no
difference in speed.
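
The permission and SELinux context checks from points B and C above, written as a small POSIX shell audit. This is an added example, not part of the original e-mail: the function names are hypothetical, the 644 mode is the one the post asks about, and any schema files to check are passed as extra arguments.

```shell
#!/bin/sh
# Added example: audit mode bits and SELinux labels of LDAP config files.
# EXPECTED_MODE comes from the post ("Is it still 644 permissions?").
EXPECTED_MODE=644

# Print one line per problem found for "$1"; return 0 if clean, 1 otherwise.
check_ldap_file() {
    f=$1
    rc=0
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    if [ "$mode" != "$EXPECTED_MODE" ]; then
        echo "MODE $f is $mode, expected $EXPECTED_MODE"
        rc=1
    fi
    # Only consult SELinux when the tools exist and it is enabled.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        # -n: dry run, -v: print what would be relabelled; any output means drift.
        drift=$(restorecon -n -v "$f" 2>/dev/null)
        if [ -n "$drift" ]; then
            echo "CONTEXT $f differs from policy default"
            rc=1
        fi
    fi
    return $rc
}

# Check every path given; the return status is the number of files with problems.
audit_ldap_files() {
    bad=0
    for p in "$@"; do
        check_ldap_file "$p" || bad=$((bad + 1))
    done
    return $bad
}

# Run only when executed with arguments, e.g.:
#   sh audit.sh /etc/ldap.conf /etc/openldap/ldap.conf
if [ "$#" -gt 0 ]; then
    audit_ldap_files "$@"
fi
```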