mail us  |  mail this page

products  |  company  |  support  |  training  |  contact us

ZYTRAX OPEN LOGO

Chapter 6 OpenLDAP slapd.conf database bdb and hdb

This section deals with bdb (and hdb) database specific directives. Generic database directives are here. The Berkeley DataBase (BDB or HDB) (now owned by Oracle)is the preferred and recommended back-end for OpenLDAP but requires very careful configuration if the application demands high performance. The parameters defined here form only part of the performance definition - others may be contained in the DB_CONFIG file (see also Performance).

Warning: The BDB transaction log file (log.xxxxxxxxxxxx in the LDAP directory) can become very big, very quickly and requires regular maintenance - see BDB Chapter 12 Section 17 for maintenance procedures.

A number of the parameters in this section of the slapd.conf file are passed through to BDB. These parameters may be removed from the slapd.conf file by using a DB_CONFIG file with the corresponding directive. It appears that increasingly the OpenLDAP advice is to use DB_CONFIG in preference to the slapd.conf equivalents. Where this is possible it is noted in each directive.

Contents

cachesize
checkpoint
dbnosync
directory
dirtyread
index
lockdetect
mode
searchstack
DB_CONFIG sample file
Sample database bdb fragments

cachesize

Format:

cachesize integer

The cachesize directive defines the number of entries that the LDAP backend will maintain in memory. Do not confuse this directive with the BDB set_cachesize directive - they control different behaviours.

For maximum performance this figure should be as high as practical or as close as practical to the number of records maintained in the directory. The default is 1000. Examples:

cachesize 10000
# LDAP maintains 10,000 entries in memory 

See also Performance chapter.

Up Arrow

checkpoint

Format:

checkpoint kbyte min

The checkpoint directive defines the time between checkpoint operations in BDB (the database can only be recovered from the last checkpoint).

The frequency of checkpointing determines the time during which data may be unrecoverable by BDB in the event of a system failure. If NOT using the dbnosync this time could be set to a reasonably long period, say, 10 mins or more, if the dbnosync directive is being used 5 - 15 mins or less if practical. kbytes is the number of kilobytes written to the directory and min is the time in minutes. Whichever occurs first determines the period between checkpoints.

OpenLDAP default is NO CHECKPOINTING - you should always supply a checkpoint directive. See the BDB Chapter 12 Section 15 documentation for more information. This directive may be replaced by using DB_CONFIG file with the txn_checkpoint directive. Examples:

checkpoint 128 15
# check point whenever 128k data bytes written or 
# 15 minutes has elapsed whichever occurs first

Up Arrow

dbnosync

Format:

dbnosync

The dbnosync directive specifies that the database does NOT need to be updated immediately with any in-memory records. This option will increase performance on writes but has the disadvantage that if there is a system failure before the disk and memory are re-synchronised then data may be lost. The memory and disk are re-synchronised using the checkpoint directive. The default (no parameter present) is that disk updates are done immediately. Examples:

dbnosync
# updates are allowed to remain pending 

This option is the same as the BDB set_flag option DB_TXN_NOSYNC - see Performance chapter.

Up Arrow

directory

Format:

directory /path/to/directory

The directory directive defines the location of the BDB database files. By convention these files are placed /var/db/openldap-data (BSD) or /var/lib/ldap (FC/Linux) but they can be placed anywhere convenient. The directory MUST exist before OpenLDAP is started for the first time.

If you do not define this entry then OpenLDAP will default to a directory name of /var/db/openldap-data (BSD) or /var/lib/ldap (FC). If you specify a relative directory name (without a leading '/') BDB will prepend its DB_HOME environmental variable - which could be anywhere in the known universe.

While defaults are available the OpenLDAP documentation suggests (but does not enforce) that a directory directive is MANDATORY. If for no other reason than to save time trying to figure out where files are located you should always include this directive.

If you are going to maintain or have plans to create a multi-DIT (needs multiple database sections) directory it is sensible to create a sensible subdirectory naming scheme for these database files. Examples:

directory /var/ldap/example-com
# the directory example-com must exist 
# directory permissions for read and write for ldap user

directory example-com
# the value of DB_HOME (for BDB) will be prepended
# to create /user/local/share/openldap/example-com (BSD)

Up Arrow

dirtyread

Format:

dirtyread

The dirtyread directive allows OpenLDAP to return in-memory data that may not yet have been written to disc. If the subsequent write operation fails this data will be discarded. The user may have received a result that incorrectly reflects the final state of the directory.

Specifying this option may speed up directory performance at the risk of some inconsistency. The default (parameter not present) is not to return in-memory data that has not yet been written to disc. Examples:

dirtyread
# user MAY receive a result that is inconsistent
# with the final state of the directory

Up Arrow

olcDbIndex (index)

The index directive of slapd.conf is only effective on initial load of the directory (using ldapadd). If indexes are subsequently changed the directory needs to be re-indexed using slapindex (caution: must stop slapd first).

In OLC (cn=config) the attribute used is olcDbIndex which can only appear in an olcDatabase={Z}xxx,cn=config entry. Additionally re-indexing is done in real time so any change to an attribute immediately triggers and indexing change (slapindex is not required). However, it is not clear using OLC (cn=config) when re-indexing is completed - there is no visible sign to indicate completion.

Format:

# OLC (cn=config) form
olcDbIndex: attrlist | default indices

# slapd.conf form
index attrlist | default indices

# indices = [pres [,approx] [,eq] [,sub] [,special]]

The olcDbIndex/index attribute/directive defines what indexes will be maintained by OpenLDAP. Any number of index parameters may be included. If an attribute does not appear in an index directive it can still be used in a search filter - but if it occurs frequently it will hurt performance - once in a lifetime is not too bad!

attrlist may be either a single attribute or a comma separated list.

The optional parameter default stores the supplied indices and uses them on any subsequent index parameter that does does not have an indices entry. The default value must be defined before any olcDbIndex/index which does not have a indices value. A subsequent default will be used for index parameters following the new default.

pres should be used if use searches of the form 'objectclass=person' or 'attribute=mail' will be used.

approx MUST be used if use searches of the form 'sn~=person' (a 'sounds-like' search) will be used.

eq should be used if searches of the form 'sn=smith' will be used i.e no wildcards are included (uses the EQUALITY rule only).

sub should be used if use searches of the form 'sn=sm*' i.e wildcards are included (uses the SUBSTR rule). This rule may be enhanced by a using subinitial (optimised for 'sn=*s'), subany (optimised for 'sn=*n*') or subfinal (optimised for 'sn=th*'). One or more sub parameters may be included.

special may be either nolang or nosubtypes which are related to subtypes.

Careful attention to what indexes are maintained based on the application requirements will significantly affect directory read performance - conversely there is no point in indexing an attribute if no searches ever access it. If all the searches use EQUALITY rules only then there is no point in indexing for sub. Indexes (indeces) consume memory (more indexes = more memory) and write or modify operations will take longer due to index updates.

Examples:

# simple use of the default value
# OLC (cn=config) form
olcDbIndex: default pres,eq
olcDbIndex: cn,sn,uid

# slapd.conf form
index default pres,eq
index cn,sn,uid

# defines presence and equality indexes for 
# attributes cn, sn and uid
# exactly the same as the three index directives below
index cn pres,eq
index sn pres,eq
index uid pres,eq

index cn eq,sub,subinitial
# creates indexes for attribute cn (commonname)
# EQUALITY, SUBSTR searches and further optimises
# for sc=a* type searches

index sn eq,approx,sub
# creates indexes for sn (surname) on
# EQUALITY and SUBSTR searches
# NOTE: The approx index is a waste of time because
#       there is no ORDERING rule for sn approx is present
#       only to illustrate the parameter exists

index mail pres,eq,sub
# creates indexes for attribute mail on
# presence, EQUALITY and SUBSTR

index objectclass eq
# optimises searches of form objectclass=person

See also Performance chapter for a further review of performance.

lockdetect

Deprecated in favour of the DB_CONFIG file set_lk_detect parameter.

Up Arrow

mode

Format:

mode mask

The mode directive defines file permissions used when the BDB database files are initially created. The default is 0600 (ldap user only - read and write permission - no others). Examples:

mode 0660
# ldap user - read and write
# ldap group - read and write
# others - no access 

Up Arrow

searchstack

Format:

searchstack depth

The searchstack directive defines the depth of the stack used for search filter evaluation. Search filters are evaluated on a stack to accommodate nested AND / OR clauses. An individual stack is assigned to each server thread. The depth of the stack determines how complex a filter can be evaluated without requiring additional memory allocation.

Filters that are nested deeper than the search stack depth will cause a separate stack to be allocated for that particular search operation. If the number of nested conditions exceeds the value defined (or the default) significant performance penalties will be incurred.

Each search stack uses 512K bytes per nesting level. The default stack depth is 16, thus 8MB per thread is used. Examples:

searchstack 5
# allows up to 5 nested search statements

Up Arrow

DB_CONFIG Sample File

Wherer to use a DB_CONFIG file is simple - if you care about performance use it. If you don't care - forget it. BUT if you elect not to use a DB_CONFIG you MUST use a checkpoint directive. Increasingly the OpenLDAP advice seems to be to use DB_CONFIG rather that pass parameters through via slapd.conf.

The DB_CONFIG file is located as defined in the directory directive. The directives used in this file are fully, if not clearly, explained in the BDB Manual. You can replace the checkpoint, lockdetect, dbnosync directives with the equivalent directives in the DB_CONFIG file as well as add additional tuning directives as required.

Example DB_CONFIG file:

# replaces lockdetect directive
set_lk_detect DB_LOCK_EXPIRE
# OR set lk_detect DB_LOCK_DEFAULT

# uncomment if dbnosync required
# set_flags DB_TXN_NOSYNC
# multiple set_flags directives allowed

# sets max log size = 5M (BDB default=10M)
set_lg_max 5242880

set_cachesize 0 5242880 1
# sets a database cache of 5M and 
# allows fragmentation
# does NOT replace slapd.conf cachesize 
# this is a database parameter

txn_checkpoint 128 15 0
# replaces checkpoint in slap.conf
# writes checkpoint if 128K written or every 15 mins
# 0 = no writes - no update 

Note:

  1. If you have a multiple DITs (multiple database sections in slapd.conf) a DB_CONFIG file is required for each directory containing a database.
  2. To check some performance stats of the database use:
    cd /to/bdb/directory
    db_stats -m
    
    # OR on BSD
    
    db4_stat -m
    
  3. It is not clear from the documentation what happens if you have conflicting parameters in slapd.conf and DB_CONFIG. In general - DON'T! i.e if you have a checkpoint directive in slapd.conf and a txn_checkpoint directive in DB_CONFIG - remove one or the other.

Up Arrow

Sample database bdb fragments

The following database specific fragments are shown to illustrate configuration of a DBD database. The performance is not optimised.

Example 1 - no DB_CONFIG file:

database bdb
...
# database specific fragment only
# order not important
cachesize 10000
checkpoint 128 15
directory /var/ldap/first-dit
dbnosync
dirtyread
index mail pres,eq
index objectclass pres
index default eq,sub
index sn eq,sub,subinitial
index telephonenumber
index cn
searchstack 5

The same configuration with a DB_CONFIG file:

slapd.conf fragment:

database bdb
...
# database specific fragment only
# order not important
cachesize 10000
directory /var/ldap/first-dit
dirtyread
index mail pres,eq
index objectclass pres
index default eq,sub
index sn eq,sub,subinitial
index telephonenumber
index cn
searchstack 5

DB_CONFIG file:

The DB_CONFIG file is located as defined in the directory directive. The directives for this file are fully, if not clearly, explained in the BDB Manual. You can replace the checkpoint, lockdetect, dbnosync directives with the equivalent directives in the DB_CONFIG file as well as add additional tuning directives.

set lk_detect DB_LOCK_DEFAULT
set_flags DB_TXN_NOSYNC
set_lg_max 5242880
set_cachesize 0 5242880 1
txn_checkpoint 128 15 0

Up Arrow

Copyright © 1994 - 2014 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by super.net.sg
web-master at zytrax
Page modified: September 16 2013.

Contents

tech info
guides home
intro
contents
1 objectives
big picture
2 concepts
3 ldap objects
quickstart
4 install ldap
5 samples
6 configuration
7 replica & refer
reference
8 ldif
9 protocol
10 ldap api
operations
11 howtos
12 trouble
13 performance
14 ldap tools
security
15 security
appendices
notes & info
ldap resources
rfc's & x.500
glossary
ldap objects
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox

web zytrax.com

Share Page

share page via facebook tweet this page submit page to stumbleupon submit page to reddit.com

Page Features

Page comment feature Send to a friend feature print this page Decrease font size Increase font size

RSS Feed Icon RSS Feed

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux

Applications

LibreOffice
OpenOffice
Mozilla
SourceForge
GNU-Free SW Foundation

Organisations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

SPF Resources

Draft RFC
SPF Web Site
SPF Testing
SPF Testing (member only)

Display full width page Full width page

Print this page Print this page

SPF Record Conformant Domain Logo