My recent favorite was a rather "popular" software vendor told me I needed to increase my maxIdleConnectionTime for the Directory higher than 900s (15 mins)because their connection was timing out while processing the first page of 1000 users, and having the connection dropped before they went back for the next. I basically told them if they can't process 1000 users in less than 15 minutes, then they surely could not handle my entire user population which they were trying to loop through. I think we calculated we would have to increase that time to to over 32 hours so their crapplication could complete. :)
I'll let you guess what did not happen in that situation. :)
Jef
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries
Date: Thu, 20 Apr 2006 09:07:09 -0400
Oh I love those! The app dev folks (or vendor) tell you that your AD is broken because it is so slow... Yep I have been there.Indexing is fine, just index things you regularly query on, no reason to suck up resources and perf for indexes that aren't used. For instance, indexing all attributes doesn't make sense but if you have a crit app or a bunch of apps using a query with no indexed attributes or having a specific attribute that could seriously help perf it is good to add.Wook, I think, is being a trifle facetious and plugging his creative work. :)Schema updates are goodness when done correctly and smartly. There is no reason to be scared of doing them, just be scared of doing them wrong. <g>
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 10:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queriesIt’s only been that one. Okay, maybe one other that was indexed, but that was because a very large network/voip vendor that required a schema extension subsequently used one of these attributes in all of their queries. In a large implementation (which they clearly had never seen) the query would take a year to complete. Of course, in their lab with 5 objects, it completed in milliseconds.
:m:dsm:cci:mvp | marcusoh.blogspot.com
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, April 19, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries
Adding indices will start you down the slippery slope that ultimately leads to custom schema extensions. Do you like new OIDs? J
Wook
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 19, 2006 4:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries
Exactly, you can tell you AD to do it efficiently versus trying to train everyone who writes a query that goes against AD. I mean you want to try and train everyone because there are other bad things they can do that you can't easily handle but this is a nice quick easy thing to do to help.
I HIGHLY HIGHLY HIGHLY recommend folks use adfind or ldp to test their queries and have the STATS output generated and displayed when they are doing dev work to figure out how good their queries are, in adfind, look at the -STATS* set of switches. Seriously, they are very cool. You will learn a lot about how the queries are working whether you intend to or not.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 12:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queriesIt’d the same relative gain running a query using objectcategory versus objectclass. Most of the time, I would run into queries that people were using, utilizing objectclass instead of objectcategory. Indexing objectclass made this moot.
:m:dsm:cci:mvp | marcusoh.blogspot.com
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Tuesday, April 18, 2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries
It seems like an obvious idea to implement. Sad we never thought about it. :)
Has anyone done any tests to reveal what performance gains this yields on queries?
Thanks,
Jef
Subject: RE: [ActiveDir] stupid ldap queries
Date: Tue, 18 Apr 2006 17:03:35 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.orgI did the same after I saw some of the activedir folks post about doing it… J
:m:dsm:cci:mvp | marcusoh.blogspot.com
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries
I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago.
Wook
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries
No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There’s an attribute (I think “isIndexed”) which says the attribute should be indexed in the database.
Thanks,
Brian Desmond
c - 312.731.3132
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] stupid ldap queries
bummer! I meant adfind -schema -f "&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE)" ldapdisplayname -list
On 4/18/06, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:
sorry that was meant to be adfind -schema -f "&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)" ldapdisplayname -list
On 4/18/06, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:
Thanks for the reply. In that case why does
adfind -schema -f "&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)" ldapdisplayname -list
returning objectclass amongs the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b.
Thanks
M@
On 4/18/06, Brian Desmond < [EMAIL PROTECTED]> wrote:
> Not sure I understand the question fully, but, no objectClass is not
> indexed. objectCategory is. So if you want to get all users you do:
>
> (&(objectCategory=person)(objectClass=user))
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
> > Sent: Tuesday, April 18, 2006 1:00 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] stupid ldap queries
> >
> > All
> >
> > Could someone please explain how Non-indexed queries (e.g.
> > "objectClass=user") fall in this category? I saw this mentioned in
> some
> > slides by Gil and couldnt quite understand what he meant. Isn't
> > objectclass indexed as part of the partial attribute set?
> >
> > Thanks
> >
> > M@
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-
> > archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
