documentation:2.1:performances [2019/09/16 16:05]
arosier
documentation:2.1:performances [2020/05/10 11:43] (current)
maxbes [LDAP performances]
Line 1: Line 1:
 ====== Performances ====== ====== Performances ======
  
-LemonLDAP::​NG is designed ​to be very performant. Indeed, it uses Apache2 threads capabilities. So to increase performances,​ prefer using [[http://httpd.apache.org/docs/2.2/misc/perf-tuning.html#​compiletime|mpm-worker]].+LemonLDAP::​NG is designed ​for high performance,​ both in throughput and response time. Indeed, it can use Apache2 threads capabilities ​**but** since Apache version 2.4, mpm_worker seems to break mod_perl. So to increase performances,​ prefer using Nginx. 
 + 
 +===== Built-in ===== 
 +==== Cache system ==== 
 + 
 +LLNG uses different cache systems to avoid querying to many the databases: 
 + 
 +^                 ​^ ​          ​Lifetime in memory ​            ​^^ ​     Lifetime in Local-Cache (file) ​        ​^^ ​ DB  ^ 
 +^                 ​^ ​         Parameter ​        ​^ ​  ​Default ​   ^        Parameter ​           ^    Default ​    ​^ ​     ^ 
 +^  Configuration ​ |     ''​checkTime'' ​         |  1 second ​   |                     ​| ​ Until "​reload"​ order  |  ✔   | 
 +^     ​Session ​    ​| ​ ''​handlerInternalCache'' ​ |  15 seconds ​ |  ''​default_expires_in''​(*) ​ |   10 minutes ​  ​| ​ ✔   | 
 + 
 +//(*): Manager >> General parameters >> Sessions >> Sessions storage >> Cache module options// 
 + 
 +<​note>​ 
 +Configuration and sessions are first looked up in-memory, then in the cache file, and then in their backing storeThis means that after a configuration reload ​//(using Manager)//, you have to wait for ''​checkTime''​ before you can see your changes, or wait for configuration cache expiration in ''​checkTime''​ is disabled. 
 +</​note>​
  
 ===== Global performance ===== ===== Global performance =====
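Review bot: the new cache note has three wording defects that should be fixed before this lands: "to avoid querying to many the databases" should read "to avoid querying the databases too often"; "backing storeThis means" is missing its sentence break ("backing store. This means"); and "or wait for configuration cache expiration in ''checkTime'' is disabled" should be "if ''checkTime'' is disabled". The note should also spell out the consequence of the lookup order it describes, since this is the page that tells admins to tune these values: a rule change saved in the Manager is not enforced by a handler until its in-memory configuration copy expires (''checkTime'', 1 second by default), and a session deleted in the backing store is still served from the handler's in-memory copy for up to ''handlerInternalCache'' (15 seconds) and from the local file cache for up to ''default_expires_in'' (10 minutes), so raising those values for throughput lengthens the window in which a revoked session or an old rule is still honoured. Finally, "mpm_worker seems to break mod_perl" is too vague to justify switching the recommended front end from Apache to Nginx; state the observed failure or link the report, and keep the old mpm-worker link for readers still on Apache 2.2, where the advice remains valid.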
Line 9: Line 25:
 To bypass this, you can: To bypass this, you can:
   * Use IP in configuration to avoid DNS resolution   * Use IP in configuration to avoid DNS resolution
-  * Install a DNS cache  like nscd, netmask ​or bind+  * Install a DNS cache  like nscd, dnsmasq ​or unbound
  
 ==== Cron optimization (or systemd timers) ==== ==== Cron optimization (or systemd timers) ====
Line 16: Line 32:
   * purgeCentralCache:​ only 1 time every 10 minutes for the whole system (or more)   * purgeCentralCache:​ only 1 time every 10 minutes for the whole system (or more)
   * purgeLocalCache:​ ~ 1 time per hour on each server   * purgeLocalCache:​ ~ 1 time per hour on each server
 +
 ===== Handler performance ===== ===== Handler performance =====
  
Line 23: Line 40:
  
 Handlers check rights and calculate headers for each HTTP hit. So to improve performances,​ avoid too complex rules by using macros, groups or local macros. Handlers check rights and calculate headers for each HTTP hit. So to improve performances,​ avoid too complex rules by using macros, groups or local macros.
 +
 ==== Macros and groups ==== ==== Macros and groups ====
  
Line 28: Line 46:
   * macros are used to extend (or rewrite) [[exportedvars|exported variables]]. A macro is stored as attributes: it can contain boolean results or any string   * macros are used to extend (or rewrite) [[exportedvars|exported variables]]. A macro is stored as attributes: it can contain boolean results or any string
   * macros can also be used to import environment variables //(these variables are in CGI format)//. Example: ''​$ENV{HTTP_COOKIE}''​   * macros can also be used to import environment variables //(these variables are in CGI format)//. Example: ''​$ENV{HTTP_COOKIE}''​
-  ​* groups are stored as space-separated strings in the special attribute "​groups":​ it contains the names of groups whose rules were returned true for the current user +  * You can check for group membership of particular user with the ''​inGroup'' ​functionsee examples below. 
-  ​* You can also get groups in ''​$hGroups''​ which is Hash Reference of this form: +  * If you need more advanced processing of the group list (filteringrewriting) you may use ''​$groups'', ​a flat list of all the user's groups, separated by ''​'' ​(default values separator). Or the ''​$hGroups'' ​variable which is a perl hash whose keys are the group names.
-<code perl> +
-$hGroups = { +
-          ​'group3' ​=> { +
-                        '​description'​ => [ +
-                                           'Service 3', +
-                                           '​Service 3 TEST'​ +
-                                         ], +
-                        ​'cn' ​=> [ +
-                                  ​'group3' +
-                                ], +
-                        ​'name' ​=> 'group3' +
-                      }, +
-          ​'admin' ​=> { +
-                       'name' ​=> 'admin'​ +
-                     } +
-        } +
-</​code>​+
  
 Example for macros: Example for macros:
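Review bot: the separator literal in the new ''$groups'' bullet is empty ("separated by '''' (default values separator)"), so the reader cannot tell what separates the group names; write the character out or name the parameter that defines it (the multi-values separator configured in the Manager, "; " by default). Two smaller points: "group membership of particular user" should be "of a particular user", and "''inGroup'' function, see examples below" wants a semicolon or full stop. Dropping the ''$hGroups'' dump also removed the only description of what the hash values hold (''name'', ''cn'', ''description''); if handlers still expose that structure, keep a short form of it, because "a perl hash whose keys are the group names" no longer tells the reader how to reach a group's attributes from a rule.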
Line 61: Line 62:
 </​code>​ </​code>​
  
-Example for groups:+Defining a group
 <code perl> <code perl>
 # group # group
 admin -> $uid eq '​foo'​ or $uid eq '​bar'​ admin -> $uid eq '​foo'​ or $uid eq '​bar'​
 +</​code>​
  
-# Use a group in rule +Using a group in an access ​rule 
-^/admin -> $groups =~ /\badmin\b/+<​code>​ 
 +# Using the inGroup macro: 
 +^/admin -> inGroup("​timelords"​)
  
 # Or with hGroups # Or with hGroups
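Review bot: the new rule example does not match the group it follows. The ''# group'' block defines ''admin'' (''$uid eq 'foo' or $uid eq 'bar''') but the rule tests ''inGroup("timelords")'', a group defined nowhere on the page, so a reader who copies both lines gets a rule that never grants access; use ''inGroup("admin")'' or define ''timelords'' above it. Also: the fence for the rule block lost its language tag (''<code>'' where the neighbouring blocks use ''<code perl>''), the lead lines "Defining a group" and "Using a group in an access rule" lack the trailing colon that "Example for macros:" has, and the comment "# Using the inGroup macro:" calls ''inGroup'' a macro while the previous hunk calls it a function; pick one term.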
Line 108: Line 112:
 ==== Apache::​Session performances ==== ==== Apache::​Session performances ====
  
-Lemonldap::​NG handlers use a local cache to store sessions (for 10 minutes). So Apache::​Session module is not a problem for handlers. ​It can be a brake for the portal:+Lemonldap::​NG handlers use a local cache to store sessions (for 10 minutes). So Apache::​Session module is not a problem for handlers. ​But it can be a bottleneck ​for the portal:
   - When you use the multiple sessions restriction parameters, sessions are parsed for each authentication unless you use an [[https://​metacpan.org/​module/​Apache::​Session::​Browseable|Apache::​Session::​Browseable]] module.   - When you use the multiple sessions restriction parameters, sessions are parsed for each authentication unless you use an [[https://​metacpan.org/​module/​Apache::​Session::​Browseable|Apache::​Session::​Browseable]] module.
   - Since MySQL does not have always transaction feature, Apache::​Session::​MySQL has been designed to use MySQL locks. Since MySQL performances are very bad using this, if you want to store sessions in a MySQL database, prefer one of the following   - Since MySQL does not have always transaction feature, Apache::​Session::​MySQL has been designed to use MySQL locks. Since MySQL performances are very bad using this, if you want to store sessions in a MySQL database, prefer one of the following
Line 191: Line 195:
 <note important>​Don'​t forget to create an index on the field used to find users (uid by default)</​note>​ <note important>​Don'​t forget to create an index on the field used to find users (uid by default)</​note>​
  
-<note tip>To avoid having ​group dn stored ​in sessions datas, you can use a macro to rewrite memberOf: +<note tip>To avoid storing the full group DNs in session data, you can use a macro to rewrite ​''​memberOf''​:
-  * Exported variables +
-<​code>​ +
-ldapgroups -> memberOf +
-</​code>​ +
-For now, ldapgroups contains "​cn=admin,​dmdName=groups,​dc=example,​dc=com cn=su,​dmdName=groups,​dc=example,​dc=com"​+
  
-  * A little ​macro: +  * In *Exported variables*, export the ''​memberOf''​ LDAP attribute as a ''​ldapGroups''​ session variable 
-<code perl> +    * key: ''​ldapGroups''​ 
-ldapgroups -> join(" ",($ldapgroups ​=~ /​cn=(.*?​),/​g))+    * value: ''​memberOf''​ 
 + 
 +  * Next, add a ''​ldapGroups'' ​macro that will overwrite the exported attribute 
 +    * key: ''​ldapGroups''​ 
 +    * value:  
 +<code="perl"
 +join("",($ldapGroups ​=~ /​cn=(.*?​),/​g))
 </​code>​ </​code>​
-Now ldapgroups contains "admin su"+ 
 +''​ldapGroups''​ should now contain something like ''​adminsu''​ just like it would if you had used the regular, slower group resolution mechanism. 
 + 
 +You can use [[extendedfunctions#​listmatch|listMatch($ldapGroups,​ "​some_group")]] in your access rules.
 </​note>​ </​note>​
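Review bot: the macro in this hunk is broken as written. ''join("",($ldapGroups =~ /cn=(.*?),/g))'' joins with the empty string, so the result is the literal ''adminsu'' the text shows, and ''listMatch($ldapGroups, "some_group")'' cannot split that back into ''admin'' and ''su''. The old version joined with a space; the new one should join with the multi-values separator that ''listMatch'' splits on ("; " by default), and the expected-value line should show the same. The opening tag ''<code="perl"'' is not DokuWiki syntax (''<code perl>''). Two caveats belong in the tip because the rewritten value is what access rules are then evaluated against: the regex keeps only the ''cn'' of each DN, so two groups with the same ''cn'' under different OUs become indistinguishable and a rule on that name grants both, which the admin must rule out by ensuring group ''cn'' values are unique across the directory before relying on this shortcut; and ''cn=(.*?),'' stops at the first comma and matches anywhere in the string, so a ''cn'' containing an escaped comma (''cn=Doe\, John'') is truncated and a DN whose later RDNs contain ''cn='' yields extra, spurious group names. Splitting the exported value on the separator first and applying an anchored pattern (''^cn=(.*?),'') to each DN avoids the second problem.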
  
Line 244: Line 252:
 </​code>​ </​code>​
  
 +==== Enable compactConf parameter ====
 +
 +By enabling compactConf option, all unused configuration parameters are removed. Could be usefull to shrink lemonldap-ng configuration file and save space.
 +
 +Go in Manager, ''​General Parameters''​ » ''​Configuration reload''​ » ''​Compact configuration file
 +''​ and set to ''​On''​.
 ==== Use static HTML files ==== ==== Use static HTML files ====
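Review bot: the Manager path is split across two lines inside the inline-code markup ("''Compact configuration file" on one line and the closing "''" on the next), which breaks the rendering; keep it on one line. Wording: "usefull" should be "useful", "Could be usefull to shrink" should be "This can be useful to shrink", and "Go in Manager" should be "In the Manager, go to". A blank line is missing between the last sentence and the "==== Use static HTML files ====" heading. Since the option removes "all unused configuration parameters", say what unused means here (parameters of disabled modules, parameters left at their default, or both) so an admin knows whether settings of a feature they intend to re-enable later will survive a save.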