Differences

This shows you the differences between two versions of the page.

documentation:2.1:performances [2019/12/23 21:54]
cmaudoux [Disable unused modules]
documentation:2.1:performances [2020/03/02 17:45] (current)
maxbes [LDAP performances]
Line 1: Line 1:
 ====== Performances ====== ====== Performances ======
  
-LemonLDAP::​NG is designed for high performance,​ both in throughput and response time. Indeed, it can use Apache2 threads capabilities but since Apache version 2.4, mpm_worker seems to break mod_perl. So to increase performances,​ prefer using Nginx.+LemonLDAP::​NG is designed for high performance,​ both in throughput and response time. Indeed, it can use Apache2 threads capabilities ​**but** since Apache version 2.4, mpm_worker seems to break mod_perl. So to increase performances,​ prefer using Nginx.
  
 ===== Built-in ===== ===== Built-in =====
- 
 ==== Cache system ==== ==== Cache system ====
  
Line 26: Line 25:
 To bypass this, you can: To bypass this, you can:
   * Use IP in configuration to avoid DNS resolution   * Use IP in configuration to avoid DNS resolution
-  * Install a DNS cache  like nscd, netmask ​or bind+  * Install a DNS cache  like nscd, dnsmasq ​or unbound
  
 ==== Cron optimization (or systemd timers) ==== ==== Cron optimization (or systemd timers) ====
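Review bot: The added bullet keeps the double space in "cache  like nscd" from the line it replaces. Since this line is being rewritten anyway, collapse it to a single space in the same edit.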
Line 33: Line 32:
   * purgeCentralCache:​ only 1 time every 10 minutes for the whole system (or more)   * purgeCentralCache:​ only 1 time every 10 minutes for the whole system (or more)
   * purgeLocalCache:​ ~ 1 time per hour on each server   * purgeLocalCache:​ ~ 1 time per hour on each server
 +
 ===== Handler performance ===== ===== Handler performance =====
  
Line 40: Line 40:
  
 Handlers check rights and calculate headers for each HTTP hit. So to improve performances,​ avoid too complex rules by using macros, groups or local macros. Handlers check rights and calculate headers for each HTTP hit. So to improve performances,​ avoid too complex rules by using macros, groups or local macros.
 +
 ==== Macros and groups ==== ==== Macros and groups ====
  
Line 45: Line 46:
   * macros are used to extend (or rewrite) [[exportedvars|exported variables]]. A macro is stored as attributes: it can contain boolean results or any string   * macros are used to extend (or rewrite) [[exportedvars|exported variables]]. A macro is stored as attributes: it can contain boolean results or any string
   * macros can also be used to import environment variables //(these variables are in CGI format)//. Example: ''​$ENV{HTTP_COOKIE}''​   * macros can also be used to import environment variables //(these variables are in CGI format)//. Example: ''​$ENV{HTTP_COOKIE}''​
-  * groups are stored as space-separated ​strings ​in the special attribute ​"groups": it contains the names of groups whose rules were returned true for the current user+  * groups are stored as a string with values ​separated ​by '';​ ''​ (default values separator) ​in the special attribute ​''​groups''​: it contains the names of groups whose rules were returned true for the current user. For example: 
 +<code perl> 
 +$groups = group3; admin 
 +</​code>​
   * You can also get groups in ''​$hGroups''​ which is a Hash Reference of this form:   * You can also get groups in ''​$hGroups''​ which is a Hash Reference of this form:
 <code perl> <code perl>
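Review bot: The added example "$groups = group3; admin" sits in a block tagged perl but is not a valid Perl statement as written, and readers tend to copy these blocks into rules. Present it as the attribute's string value, quoted. The removed wording documented space-separated values, so it is also worth one sentence here saying that rules matching on this attribute need to account for the '; ' separator rather than a space.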
Line 125: Line 129:
 ==== Apache::​Session performances ==== ==== Apache::​Session performances ====
  
-Lemonldap::​NG handlers use a local cache to store sessions (for 10 minutes). So Apache::​Session module is not a problem for handlers. ​It can be a brake for the portal:+Lemonldap::​NG handlers use a local cache to store sessions (for 10 minutes). So Apache::​Session module is not a problem for handlers. ​But it can be a bottleneck ​for the portal:
   - When you use the multiple sessions restriction parameters, sessions are parsed for each authentication unless you use an [[https://​metacpan.org/​module/​Apache::​Session::​Browseable|Apache::​Session::​Browseable]] module.   - When you use the multiple sessions restriction parameters, sessions are parsed for each authentication unless you use an [[https://​metacpan.org/​module/​Apache::​Session::​Browseable|Apache::​Session::​Browseable]] module.
   - Since MySQL does not have always transaction feature, Apache::​Session::​MySQL has been designed to use MySQL locks. Since MySQL performances are very bad using this, if you want to store sessions in a MySQL database, prefer one of the following   - Since MySQL does not have always transaction feature, Apache::​Session::​MySQL has been designed to use MySQL locks. Since MySQL performances are very bad using this, if you want to store sessions in a MySQL database, prefer one of the following
Line 208: Line 212:
 <note important>​Don'​t forget to create an index on the field used to find users (uid by default)</​note>​ <note important>​Don'​t forget to create an index on the field used to find users (uid by default)</​note>​
  
-<note tip>To avoid having ​group dn stored ​in sessions datas, you can use a macro to rewrite memberOf: +<note tip>To avoid storing the full group DNs in session data, you can use a macro to rewrite ​''​memberOf''​:
-  * Exported variables +
-<​code>​ +
-ldapgroups -> memberOf +
-</​code>​ +
-For now, ldapgroups contains "​cn=admin,​dmdName=groups,​dc=example,​dc=com cn=su,​dmdName=groups,​dc=example,​dc=com"​+
  
-  * A little ​macro: +  * In *Exported variables*, export the ''​memberof''​ LDAP attribute as a ''​ldapGroups''​ session variable 
-<code perl> +    * key: ''​memberof''​ 
-ldapgroups -> join(" ",($ldapgroups ​=~ /​cn=(.*?​),/​g))+    * value: ''​ldapGroups''​ 
 + 
 +  * Next, add a ''​ldapGroups'' ​macro that will overwrite the exported attribute 
 +    * key: ''​ldapGroups''​ 
 +    * value:  
 +<code="perl"
 +join("",($ldapGroups ​=~ /​cn=(.*?​),/​g))
 </​code>​ </​code>​
-Now ldapgroups contains "admin su"+ 
 +''​ldapGroups''​ should now contain something like ''​adminsu''​ just like it would if you had used the regular, slower group resolution mechanism. 
 </​note>​ </​note>​
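Review bot: In the new macro value, join("",($ldapGroups =~ /cn=(.*?),/g)) joins the captured names with an empty string as rendered here, so the stated result ''adminsu'' runs the two group names together and a rule matching on it can no longer tell "admin" and "su" apart from a single group of that name. The removed version joined with a space and gave "admin su". If the goal is to match the regular group mechanism, use the '; ' separator described for the ''groups'' attribute and show it in the example result. Three smaller points in the same hunk: <code="perl" does not follow the <code perl> form used elsewhere on the page and lacks its closing bracket, the exported-variable key is written ''memberof'' while the intro sentence says ''memberOf'', and *Exported variables* uses single asterisks where the page writes emphasis as **but**.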