Re: [SOGo] disable auto-complete for certain external ldap address books

2015-03-04 Thread heupink

Hi all,

I have made a lot of progress in this issue, and I thought I'd share on 
the list. Perhaps someone else can benefit from this as well.


To (massively) speed-up (cache) queries to external ldap (in our case: 
AD) servers, we are now using openldap with the pcache overlay.


This is on wheezy. First we installed slapd (openldap 2.4), and 
configured it to use the 'old-style' slapd.conf. Our config file can be 
seen below.


Then we configured an extra SOGoUserSources, canAuthenticate = NO, and 
hostname = localhost.


To verify: in the SOGo web access addressbook, the first time we search 
for 'username', it takes 5-7 seconds. A second time, the response is 
immediate. Huge improvement.


If anyone here has some tips or comments on my slapd.conf, please reply!

Some remaining things:

* I would like to 'pre-load' the openldap/pcache with the complete AD 
contents, so all searches would be local searches. Does anyone know if 
that is possible?


* I'm not sure how to configure expiration of items in the cache

* I'm not sure if the indexes at the end are actually needed. The SOGo 
query (as far as I know) looks like the proxyTemplate below. Perhaps the 
indexes can be discarded.


I'm sure there are many knowledgeable openldap people here, so please 
comment. :-)


Here is the slapd.conf that works for us:


include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

sizelimit unlimited

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -1

modulepath  /usr/lib/ldap

moduleload  back_bdb
moduleload  back_ldap
moduleload  pcache

database ldap
suffix dc=example,dc=com
rootdn dc=example,dc=com
uri "ldap://ldap1.example.com:3268/dc=example%2cdc=com ldap://ldap2.example.com:3268/dc=example%2cdc=com"
chase-referrals no

overlay pcache
pcache bdb 999 1 1000 100
pcacheAttrset  0 * +
proxyTemplate (|(sn=)(displayName=)(telephoneNumber=)(mail=)(cn=)) 0 3600
cachesize 99
directory /var/lib/ldap

index   sn eq
index   displayName eq
index   telephoneNumber eq
index   mail eq
index   cn eq


Regards,
MJ
--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] disable auto-complete for certain external ldap address books

2015-03-03 Thread heupink

Hi list, Rainer,

Thanks for your openldap-pcache suggestion, I am working on that now, 
but I have run into an issue on the way. The way I currently understand 
things, is:


For the queries to be cacheable with openldap/pcache, two things are 
required:


1) a proxyTemplate to match my incoming queries
2) a pcacheAttrset matching the requested attributes

I have defined a proxyTemplate like:
proxyTemplate (|(sn=)(displayName=)(telephoneNumber=)(mail=)(cn=)) 0 3600

(I think this matches the query SOGo sends to the AD)

But the problem is with the pcacheAttrset: SOGo requests the attributes 
cn userprincipalname mail sn manager sAMAccountName, and my openldap 
2.4 doesn't know all these fields, in particular:


sAMAccountName  userprincipalname

They are not in any of the openldap 2.4 schemas (including the 
samba3.schema).


Now...the very first question: Is my understanding above correct?

And if yes: is there a way to make SOGo NOT request sAMAccountName and 
userprincipalname?


Or... is there a way to make my openldap aware of these two attributes, so it 
can cache them, and then have a cacheable query?


Regards,
MJ

On 2/27/2015 13:23, Rainer Ruprechtsberger wrote:

> Hi,
> I don't have an active directory at hand to test this.. but it should be
> possible to create an openldap cache for your ad using the pcache
> overlay and ad as ldap database backend.
> Openldap should have no issue with 20k entries.
>
> /rupi


--
users@sogo.nu
https://inverse.ca/sogo/lists
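
The cacheability rule discussed in this message (the filter must reduce to a configured proxyTemplate, and the requested attributes must fall inside the referenced pcacheAttrset), as an added Python sketch that is not part of the original post or of OpenLDAP. It is a simplified model: `to_template`, `attrs_covered` and `is_cacheable` are hypothetical helpers, the narrow attribute set is constructed, and `*` is treated as covering any named attribute.

```python
import re

# One simple filter item "(attr OP value)"; OP is =, ~=, >= or <=.
ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9;.-]*)(~=|>=|<=|=)([^()]*)\)")

def to_template(ldap_filter):
    """Drop assertion values but keep structure: (sn=heupink*) -> (sn=)."""
    def strip(match):
        attr, op, value = match.groups()
        if op == "=" and value == "*":      # presence test keeps its '*'
            return "(%s=*)" % attr
        return "(%s%s)" % (attr, op)
    return ITEM.sub(strip, ldap_filter)

def attrs_covered(requested, attrset):
    """True if every requested attribute is inside the attribute set."""
    have = {a.lower() for a in attrset}
    if not requested:                       # empty list means "all user attrs"
        return "*" in have
    if "*" in have:                         # simplification: '*' covers any name
        return True
    return all(a.lower() in have for a in requested)

def is_cacheable(ldap_filter, requested, templates, attrsets):
    """templates: (template, attrset_index, ttl) tuples, as in slapd.conf."""
    want = to_template(ldap_filter).lower()
    return any(t.lower() == want and attrs_covered(requested, attrsets[i])
               for t, i, _ttl in templates)

# Values taken from the thread.
SOGO_FILTER = ("(|(sn=heupink*)(displayName=heupink*)(telephoneNumber=heupink*)"
               "(mail=heupink*)(cn=heupink*))")
SOGO_ATTRS = "cn userprincipalname mail sn manager sAMAccountName".split()
TEMPLATES = [("(|(sn=)(displayName=)(telephoneNumber=)(mail=)(cn=))", 0, 3600)]

WIDE = {0: ["*", "+"]}                      # pcacheAttrset 0 * +
NARROW = {0: ["cn", "mail", "sn"]}          # constructed: lacks sAMAccountName

if __name__ == "__main__":
    print(to_template(SOGO_FILTER))
    print("wide attrset:  ", is_cacheable(SOGO_FILTER, SOGO_ATTRS, TEMPLATES, WIDE))
    print("narrow attrset:", is_cacheable(SOGO_FILTER, SOGO_ATTRS, TEMPLATES, NARROW))
    print("other filter:  ", is_cacheable("(mail=mj@example.com)", SOGO_ATTRS,
                                          TEMPLATES, WIDE))
```
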


Re: [SOGo] disable auto-complete for certain external ldap address books

2015-02-27 Thread Rainer Ruprechtsberger
Hi,
I don't have an active directory at hand to test this.. but it should be
possible to create an openldap cache for your ad using the pcache
overlay and ad as ldap database backend.
Openldap should have no issue with 20k entries.

/rupi

-- 
Rainer Ruprechtsberger
Volkshilfe Oberösterreich
IT
4020 Linz, Glimpfingerstrasse 48
Tel.: +43 732 3405 123
Mobile: +43 676 8734 1123

ZVR number: 064371505

Volkshilfe. We are here for the people.


Re: [SOGo] disable auto-complete for certain external ldap address books

2015-02-27 Thread Chris Coleman

Here's some pretty good pages on how to speed up your AD server.
http://www.frickelsoft.net/blog/?p=246
https://msdn.microsoft.com/en-us/library/ms808539.aspx
http://blogs.technet.com/b/ad/archive/2008/04/01/how-to-create-a-mosiac-of-user-thumbnails-in-aduc-dsa-msc.aspx


On 2/27/2015 3:39 AM, mourik jan heupink wrote:

> Hi Christian,
>
>> If it is an address book in SOGo, then it is used for auto completion.
>>
>> It is easy to speed up an LDAP. Just give it more memory.
>> We have our openLDAP servers set up, so that they run their complete
>> database in memory (~18000 accounts).
>
> Ok, clear. However, the ldap is an external AD server, with *many*
> records. (I guess 20.000 or so)
>
> Looking up a single email address (over port 3268) works *instantly*,
> but the ldap query that is generated by SOGo webaccess takes 5 to 8
> seconds to complete.
>
> Searching the archives here, I guess the actual query will look
> something like
>
> ldapsearch -x -LLL -P 3 -h a.b.c.d:3268 -D "CN=login,DC=Company,DC=COM" \
>   -W -b "DC=company,DC=com" -s sub \
>   "(|(sn=heupink*)(displayName=heupink*)(telephoneNumber=heupink*)(mail=heupink*)(cn=heupink*))" \
>   cn userprincipalname mail sn manager sAMAccountName
>
> And testing this on cli, confirms that this takes 5 to 8 seconds to
> complete.
>
> This takes too long to be practical.
>
> Then perhaps... is there a way to *adjust* the outgoing query for this
> particular ldap usersource to make it quicker?
>
> Or... do you guys here have some tips (adding some indexes perhaps?)
> that I could request to the admins on the external AD side, to make
> our SOGo query complete faster?
>
> Thanks!




Re: [SOGo] disable auto-complete for certain external ldap address books

2015-02-27 Thread mourik jan heupink

Hi Christian,


> If it is an address book in SOGo, then it is used for auto completion.
>
> It is easy to speed up an LDAP. Just give it more memory.
> We have our openLDAP servers set up, so that they run their complete
> database in memory (~18000 accounts).

Ok, clear. However, the ldap is an external AD server, with *many* 
records. (I guess 20.000 or so)


Looking up a single email address (over port 3268) works *instantly*, 
but the ldap query that is generated by SOGo webaccess takes 5 to 8 
seconds to complete.


Searching the archives here, I guess the actual query will look 
something like


ldapsearch -x -LLL -P 3 -h a.b.c.d:3268 -D "CN=login,DC=Company,DC=COM" \
  -W -b "DC=company,DC=com" -s sub \
  "(|(sn=heupink*)(displayName=heupink*)(telephoneNumber=heupink*)(mail=heupink*)(cn=heupink*))" \
  cn userprincipalname mail sn manager sAMAccountName


And testing this on cli, confirms that this takes 5 to 8 seconds to 
complete.


This takes too long to be practical.

Then perhaps... is there a way to *adjust* the outgoing query for this 
particular ldap usersource to make it quicker?


Or... do you guys here have some tips (adding some indexes perhaps?) 
that I could request to the admins on the external AD side, to make our 
SOGo query complete faster?


Thanks!


Re: [SOGo] disable auto-complete for certain external ldap address books

2015-02-26 Thread Christian Mack
Hello

On 2015-02-26 at 10:38, mourik jan heupink wrote:

> We have defined a few external ldap directories as addresslists in the
> SOGo web access. They are all used for autocompletion right now.
>
> One particular ldap directory responds very slow, and is *very* big.
>
> Is it possible to exclude that one from the auto-complete, and only
> allow it to be searched from the 'addressbook' tab?

No.
If it is an address book in SOGo, then it is used for auto completion.

It is easy to speed up an LDAP. Just give it more memory.
We have our openLDAP servers set up, so that they run their complete
database in memory (~18000 accounts).


Kind regards,
Christian Mack

-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung Basisdienste
78457 Konstanz
+49 7531 88-4416


