Univention Bugzilla – Bug 54140
U@S ACLs slow down - univention-bind-ldap fails to start
Last modified: 2022-09-09 10:56:00 CEST
In a large school environment starting up BIND9-LDAP takes 6+ minutes. univention-bind-ldap.service does this:

> LB=$(ucr get ldap/base) DNS=$(ucr get domainname)
> time ldapsearch -x -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret -b "zoneName=$DNS,cn=dns,$LB" -s sub "(zoneName=$DNS)" 1.1 | grep -c ^dn
> 54087
> real 41,353s

The slowness seems to be caused by LDAP ACLs as both

> time ldapsearch -x -D "cn=admin,$LB" -y /etc/ldap.secret …
> 55124
> real 0,705s

and

> time ldapsearch -QY EXTERNAL -H ldapi:/// …
> 55124
> real 0,539s

are fast; the first ignores all ACLs and the second is allow-listed very early.

+++ This bug was initially created as a clone of Bug #54108 +++
Proposed changes: https://git.knut.univention.de/univention/ucsschool/-/merge_requests/128

Also see comments in https://git.knut.univention.de/univention/ucs/-/issues/809 for the possible performance gains.
MR https://git.knut.univention.de/univention/ucs/-/merge_requests/464 was merged and package univention-ldap was built:

univention-ldap (16.0.7-23)
baf56f9d6638 | Bug #54140: Faster access to DNS-Zone objects for machine account

Scenario specific access directive for acl-master and acl-slave in package univention-ldap, which provides faster read times for DNS-Zone objects. See https://git.knut.univention.de/univention/ucs/-/merge_requests/464 for details.
Verified:
* Code review
* Package update
* Functional test (just slapd)
* Advisory
The initial setup of a DC doesn't work anymore because slapd never starts up. The ucr variable ldap/hostdn is not set until the joinscript 10univention-ldap-server.inst runs. This is never reached, well, because the slapd never starts up, packages can't be configured etc.

The ACL then looks like this:

# Bug #54140: There are systems with a large amount (>50000) of DNS-Zone objects,
# the following access directive provides a faster access for services which have to
# read all of them via the machine account (like Bind9 on nodes without samba).
access to dn.children="cn=dns,dc=autotest090,dc=local" filter="(objectClass=dNSZone)"
    by dn="" read
    by * +0 break

And slaptest complains:

63183c82 /etc/ldap/slapd.conf: line 208: missing "=" in (or value after) "dn" in by clause

I can see that we solved this before by making the ACL conditional on the existence of that ucr variable, something like this in the template:

if configRegistry['ldap/hostdn']
Fixed with MR: https://git.knut.univention.de/univention/ucs/-/merge_requests/504
Commit: cd2d11815b2 | Bug #54140: Do not use access control entry if ldap/hostdn is not set
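As an added illustration (not code from this bug or from the univention-ldap package), the template logic of the fix modelled in plain Python: the Bug #54140 access directive is emitted only when ldap/hostdn is set, and a small check flags the `by dn=""` clause that made slaptest reject slapd.conf during initial DC setup. The function names and the host DN used are assumptions for illustration.

```python
# Added example: models the conditional that keeps the Bug #54140 access
# directive out of slapd.conf while ldap/hostdn is still unset. Function
# names are assumptions; the comment text and directive shape are from the bug.

ACL_COMMENT = (
    "# Bug #54140: There are systems with a large amount (>50000) of DNS-Zone objects,\n"
    "# the following access directive provides a faster access for services which have to\n"
    "# read all of them via the machine account (like Bind9 on nodes without samba)."
)


def render_dns_zone_acl(config_registry: dict) -> str:
    """Return the access directive for the machine account, or '' if it cannot be built.

    Returning '' when ldap/hostdn is unset is the fix: before it, the state during
    initial DC setup (before 10univention-ldap-server.inst runs) rendered
    `by dn="" read`, which slaptest rejects, so slapd never started.
    """
    hostdn = config_registry.get("ldap/hostdn", "")
    ldap_base = config_registry.get("ldap/base", "")
    if not hostdn or not ldap_base:
        return ""
    return (
        f"{ACL_COMMENT}\n"
        f'access to dn.children="cn=dns,{ldap_base}" filter="(objectClass=dNSZone)"\n'
        f'    by dn="{hostdn}" read\n'
        "    by * +0 break\n"
    )


def has_empty_by_dn(slapd_conf_fragment: str) -> bool:
    """Illustrative pre-check (not slaptest itself): flag any `by dn=""` clause."""
    return any(
        line.strip().startswith('by dn=""')
        for line in slapd_conf_fragment.splitlines()
    )
```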
Verified:
* Code is now robust against ldap/hostdn not set
* Package update
* Functional test (also with unset ldap/hostdn)
* Advisory
<https://errata.software-univention.de/#/?erratum=5.0x404>