timeout in LDAP access

Denis Excoffier cygwin@Denis-Excoffier.org
Mon Jun 23 20:38:00 GMT 2014


On 2014-06-23 11:09, Corinna Vinschen wrote:
> On Jun 19 19:53, Denis Excoffier wrote:
> 
> Do you really *want* to enumerate 500K users when accessing the DCs
> remote over a slow DSL line?  Isn't this a situation in which you'd
> rather like to avoid enumerating accounts or restrict it to an
> essential subset?  That's what db_enum would be good for.
IMHO the line is not especially slow. Instead, the
server (and occasionally the client) is clobbered sometimes. For example it
seems more difficult (i.e. timeout occurs more frequently) for a server
to output the last SIDs in a domain than to output a full PageSize of
results.

Personally I don't *want* to use /etc/nsswitch.conf at all. What bothers me
is that the user does not get any indication of a timeout (and several successive
and unrelated timeouts may be met in a single invocation of getent). Therefore,
even if all servers are up, the user has no means to know that the list is exhaustive.
If the timeout occurs for the last chunk this is not so important, but if
the timeout occurs in the middle it may be. That is the difference between
a large timeout and a timeout that is, say, too accurate.


> I'm rather inclined to revert the timeout for single account access to a
> smaller value again (5 or 10 secs) and introduce a second, longer
> timeout value for enumeration (60 secs, for instance).
This is fine. I suppose a timeout will rarely occur when a single result is
expected (and the server is up). I tried 'getent passwd sid' a couple of
times and the result has always been instantaneous.
> 
> I've applied a patch to ldap.cc to this effect.  Would you mind to give
> it a try?
60s is okay. Today I got several timeouts while enumerating passwd with
a timeout of 60s. Last Friday, all my tests with timeout >= 45s produced
no timeout. Perhaps the servers are less used when the weekend is not too
far...
> 
>> The PageSize
>> (100) could also be changed?
> 
> Yes, the pagesize can be changed, too.  I'm just not sure about the
> consequences.  In my pretty small AD environment 100 seemed to be a
> good compromise in terms of performance and size (as I mentioned, just
> 4 KB per page).  Less than 100 slowed down getent noticably, more than
> 100 didn't provide a visible speedup.
> 
> Can you test in your big environment in how far raising this value
> changes the performance and the chance for timeout?  Since the load is
> on the server, it should be pretty fast in collecting the next X SIDs.
> I'm just a bit concerned about the (unnecessary?) network traffic this
> might generate.
I tried pagesize=50, 200 and 400, with, as you said, no notable difference.
With 400, I can suppose it is a little faster (10% less than usual) and
a little slower with 50. Always 1 or 2 timeouts (I also tried with
timeout=120s). No big difference really.
> 
>> Here two remarks about timeouts:
>> 1) for most of the 100-sid chunks, the high timeout is not used, therefore
>> the global penalty in delay is not so high. And perhaps a 120s timeout is high
>> enough so that when it is met, we could abandon not only the current domain,
>> but also the whole search?
> 
> Would that be really a bright idea?  Assuming your ADs (and their DCs)
> are in different remote locations, one of those connections being down
> would disable enumerating the other domains.
It would be a means to have getent 'depend' on a unique timeout.
> 
>> 2) if value of timeout is not high enough (i have no figures…), timeout may
>> occur when the PC is in fact occupied with other tasks (eg antivirus scanning
>> or something else), unrelated to network delays or server latencies.
> 
> No timeout is prepared for a CPU being 100% in use :|
My experience is that if antivirus considers that some job has to be
done urgently, everything else freezes. I have to cope with that.


Well. My (current) opinion is:
* def_tv=5, enum_tv=60 or 120
* pagesize=100 is fine
* perhaps getent could be augmented to enumerate domains (getent domain) and
also to enumerate SIDs in a given domain? That way, the timeout, when it occurs, is
for a single domain. And this would perhaps be more useful than the full
'getent passwd' for a large database.

Thank you Corinna for your time with this.

Denis Excoffier.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
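The thread above turns on three points: a short timeout (def_tv) for single-account lookups versus a longer one (enum_tv) for each page of an enumeration, a timeout in one domain not abandoning the other domains, and the user having no way to tell a truncated list from an exhaustive one. The following Python script is an added illustration of that design and is not Cygwin's ldap.cc or any code from the list. It talks to no real LDAP server: FakeDirectory is a constructed stand-in for a set of domain controllers whose per-request latency is configured, not slept, so it runs offline. The timeout and page-size values (5, 60, 100) are the ones named in the message; the domain names, user lists and latencies are invented sample data.

```python
"""Paged directory enumeration with two timeouts: a short one (def_tv)
for single-account lookups and a longer one (enum_tv) for each page of
an enumeration. Each domain reports whether its list is complete, so a
timeout in the middle of a domain is visible to the caller instead of
silently producing a shorter list. Added example; not Cygwin code."""
from dataclasses import dataclass, field

DEF_TV = 5       # seconds, single-account lookup (value from the thread)
ENUM_TV = 60     # seconds, per page of an enumeration (value from the thread)
PAGE_SIZE = 100  # entries per page (value from the thread)


class LdapTimeout(Exception):
    """Raised when a simulated request would exceed its timeout."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for a set of DCs. `latencies` maps
    (domain, page_number) or (domain, "single") to the seconds that
    request would take; unlisted requests answer instantly."""
    users: dict                      # domain -> list of (rid, username)
    latencies: dict = field(default_factory=dict)

    def search_page(self, domain, page, page_size, timeout):
        if self.latencies.get((domain, page), 0) > timeout:
            raise LdapTimeout(f"{domain}: page {page} exceeded {timeout}s")
        start = page * page_size
        return self.users[domain][start:start + page_size]

    def lookup(self, domain, rid, timeout):
        if self.latencies.get((domain, "single"), 0) > timeout:
            raise LdapTimeout(f"{domain}: single lookup exceeded {timeout}s")
        return next((name for r, name in self.users[domain] if r == rid), None)


@dataclass
class DomainResult:
    entries: list
    complete: bool        # False: a page timed out and the list is truncated
    error: str = ""


def enumerate_domain(directory, domain, page_size=PAGE_SIZE, timeout=ENUM_TV):
    """Walk one domain page by page. A timeout keeps the pages already
    fetched but marks the result incomplete, so the caller can tell a
    truncated list from an exhaustive one."""
    entries, page = [], 0
    while True:
        try:
            rows = directory.search_page(domain, page, page_size, timeout)
        except LdapTimeout as exc:
            return DomainResult(entries, False, str(exc))
        entries.extend(rows)
        if len(rows) < page_size:      # short page: the server has no more
            return DomainResult(entries, True)
        page += 1


def enumerate_all(directory, domains, page_size=PAGE_SIZE, timeout=ENUM_TV):
    """Enumerate every domain independently: a timeout in one domain
    does not abandon the others, and each domain reports its own status."""
    return {d: enumerate_domain(directory, d, page_size, timeout) for d in domains}


def incomplete_domains(results):
    """Names of domains whose enumeration was cut short by a timeout."""
    return sorted(d for d, r in results.items() if not r.complete)


def lookup_user(directory, domain, rid, timeout=DEF_TV):
    """Single-account lookup with the short timeout; None on miss or timeout."""
    try:
        return directory.lookup(domain, rid, timeout)
    except LdapTimeout:
        return None


def build_example_directory():
    """Constructed sample data: three domains. CORP's second page and
    REMOTE's first page are slow; REMOTE single lookups are slightly slow."""
    users = {
        "CORP": [(1000 + i, f"corp-user{i}") for i in range(250)],
        "LAB": [(1000 + i, f"lab-user{i}") for i in range(50)],
        "REMOTE": [(1000 + i, f"remote-user{i}") for i in range(150)],
    }
    latencies = {("CORP", 1): 70, ("REMOTE", 0): 200, ("REMOTE", "single"): 3}
    return FakeDirectory(users, latencies)


if __name__ == "__main__":
    d = build_example_directory()
    results = enumerate_all(d, ["CORP", "LAB", "REMOTE"])
    for name, r in results.items():
        status = "complete" if r.complete else f"INCOMPLETE ({r.error})"
        print(f"{name}: {len(r.entries)} entries, {status}")
    print("incomplete:", incomplete_domains(results))
    print("single lookup:", lookup_user(d, "REMOTE", 1005))
```

With the sample data and enum_tv=60, CORP returns its first 100 entries flagged incomplete, LAB completes with 50, and REMOTE returns nothing but is flagged rather than silently empty; raising the enumeration timeout to 120 lets CORP complete. Note that a larger page size also changes which requests are made at all: with page_size=400 CORP's slow second page is never requested, which is one reason page-size experiments like those in the thread can show no clear pattern.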