Ldap & slapd

Back in 2004 I was playing a lot with OpenLDAP. Getting it to run reliably turned out more challenging than I had originally planned for:

  1. BerkeleyDB performance was terrible if the proper tunings were not provided. Nowhere in the docs was mentioned that this was necessary. The way to do it was to drop a DB_CONFIG file in the top level directory of the database. Not a feature of openldap, rather a feature of BerkeleyDB.
  2. Not only performance would be terrible, but even the latest BerkeleyDB versions at the time had a bug (feature?) by which with the indexes used by openldap the database would deadlock if certain parts of the index did not fit in memory. I don't remember the details of the problem, it's been too long, but I do remember it was painful, and ended up submitting changes to the openldap package in debian to make sure this was mentioned in the documentation, and that a reasonable default would be provided.
  3. At the time, OpenLDAP supported two kind of backends: BDB, and HDB, both based on BerkeleyDB. The first, older, did not support operations like 'movedn', which had been standardized in the LDAP protocol for a while, and a few other features that HDB had. HDB though, was marked as experimental. During our use, we found several bugs.

I ended up writing a tool, ldap-torture, to stress test LDAP. You can find it here: https://github.com/ccontavalli/ldap-torture

It allowed us to find a few more bugs, and get them fixed. I hadn't used that tool until yesterday, when I decided to put it on github and try to get it running again. Let's see if I succeed :)

A quick tip if you are getting started with openldap on debian: READ THE DOCUMENTATION! Start from /usr/share/doc/slapd/, the README.Debian.gz is the first file you want to read, followed by README.DB_CONFIG.gz.


Other posts

Technology/Security