One of the changes my beta testers are testing is switching from NIS to LDAP for login/auth/homedir lookups; all is working perfectly, Dovecot + PAM/nss_ldap is A-OK. No issues here, we've been using LDAP lookups on other servers for years.

I'm wondering about load, specifically if when I switch the entire company over, will the new authentication load stress my LDAP server to the point of breaking.

A) Does anyone here have some numbers or experience in this switch that could lend some real-world advice? We're talking maybe... 50 people with large (numerically, not gig-age) mailboxes, and Thunderbird seems to open 4-5 connections per client based on the logs.

B) Would anyone advise that I run a slapd slave directly on the main Dovecot server to alleviate load? Is this overkill and I shouldn't worry about it?

Mainly what has me concerned is that on the Dovecot machine, I'm getting a number of entries in the messages that look like:

dovecot-auth: nss_ldap: reconnecting to LDAP server...
dovecot-auth: nss_ldap: reconnected to LDAP server after 1 attempt(s)

No failures ever, it all just works. But still this tickles my brain that maybe it'll need more robustness come production time.

Thanks for your feedback,
-te

--
Troy Engel | Systems Engineer
Fluid Inc. | http://www.fluid.com

Hello,

On Sat, Feb 17, 2007 at 08:51:00AM -0800, Troy Engel wrote:
[...]
> Mainly what has me concerned is that on the Dovecot machine, I'm getting
> a number of entries in the messages that look like:
>
> dovecot-auth: nss_ldap: reconnecting to LDAP server...
> dovecot-auth: nss_ldap: reconnected to LDAP server after 1 attempt(s)
>
> No failures ever, it all just works. But still this tickles my brain
> that maybe it'll need more robustness come production time.

By the way, LDAP auth: We had a serious problem with LDAP auth in Dovecot before rc18 or such, though it turned out it should be an OpenLDAP problem instead (but we can't change the server). I've got my own stretch test, which does quite a large amount of POP3 sessions in parallel: before rc18, after only some seconds some fault occurred and dovecot auth started blocking further requests. I've tested rc22 some days ago: I can't detect a single failure anymore :)

--
- Gábor

On 2/17/07, Troy Engel <tengel at fluid.com> wrote:
> One of the changes my beta testers are testing is switching from NIS to
> LDAP for login/auth/homedir lookups; all is working perfectly, Dovecot +
> PAM/nss_ldap is A-OK. No issues here, we've been using LDAP lookups on
> other servers for years.
>
> I'm wondering about load, specifically if when I switch the entire
> company over, will the new authentication load stress my LDAP server to
> the point of breaking.

I run ~1100 mailboxes using Dovecot/Postfix with LDAP for all lookups. The LDAP server(s) don't even begin to sweat. LDAP is highly optimized for many, many reads/second and is used as the directory service for sites much larger than ours.

-Ben
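
One way to keep an eye on the nss_ldap reconnect messages quoted in the thread is to tally them per hour and flag any reconnect that needed more than one attempt. This is an added example, not part of any message in the thread: the sample log lines are constructed, and the classic syslog line layout, the `summarize` function and its `max_attempts` parameter are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines: host name and timestamps are made up; the two
# nss_ldap message texts are the ones quoted in the thread.
SAMPLE_LOG = """\
Feb 17 08:01:12 mail dovecot-auth: nss_ldap: reconnecting to LDAP server...
Feb 17 08:01:12 mail dovecot-auth: nss_ldap: reconnected to LDAP server after 1 attempt(s)
Feb 17 08:40:03 mail dovecot-auth: nss_ldap: reconnecting to LDAP server...
Feb 17 08:40:05 mail dovecot-auth: nss_ldap: reconnected to LDAP server after 3 attempt(s)
Feb 17 09:15:44 mail dovecot-auth: nss_ldap: reconnecting to LDAP server...
Feb 17 09:20:00 mail dovecot: imap-login: Login: user=<alice>
"""

# Assumed layout: classic "Mon DD HH:MM:SS host tag: message" syslog lines.
LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"dovecot-auth(?:\[\d+\])?: nss_ldap: (.*)$"
)
DONE_RE = re.compile(r"reconnected to LDAP server after (\d+) attempt\(s\)")


def summarize(log_text, max_attempts=1):
    """Tally nss_ldap reconnects per hour and flag the ones that needed retries."""
    per_hour = Counter()
    slow = []        # (hour bucket, attempts) where attempts > max_attempts
    unfinished = 0   # "reconnecting" lines not yet followed by "reconnected"
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an nss_ldap line from dovecot-auth
        mon, day, hour, msg = m.groups()
        bucket = f"{mon} {day} {hour}:00"
        if msg.startswith("reconnecting to LDAP server"):
            per_hour[bucket] += 1
            unfinished += 1
            continue
        done = DONE_RE.search(msg)
        if done:
            # Pairing is by order only, which is approximate when several
            # dovecot-auth processes log at once.
            unfinished = max(unfinished - 1, 0)
            if int(done.group(1)) > max_attempts:
                slow.append((bucket, int(done.group(1))))
    return {"per_hour": dict(per_hour), "slow": slow, "unfinished": unfinished}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A rising per-hour count, entries in `slow`, or a non-zero `unfinished` at the end of a log are the signals worth comparing before and after moving more users onto LDAP.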