What's coming in OpenLDAP 2.5
If pressed, I will admit to thinking that, if NIS was good enough for Charles Babbage, it's good enough for me. I am therefore not a huge fan of LDAP; I feel I can detect in it the heavy hand of the ITU, which seems to wish to apply X.500 to everything. Nevertheless, for secure, distributed, multi-platform identity management it's quite hard to beat. If you decide to run an LDAP server on Unix, one of the major free implementations is slapd, the core engine of the OpenLDAP project. Howard Chu is the chief architect of the project, and spoke at FLOSS 2018 about the upcoming 2.5 release. Any rumors that he might have passed the time while the room filled up by giving a short but nicely rendered fiddle recital are completely true.
OpenLDAP, which will be twenty years old this August, is produced by a core team of three members, and a "random number" of additional contributors. Development has perhaps slowed down a little recently, but they still manage a feature release every 12-18 months, with maintenance releases as needed. OpenLDAP version 2.4, which was first released in 2007, is still the production release; it is theoretically feature-frozen, having had only three releases in the past two years, but the commit rate is still fairly high and fixes, particularly in documentation, continue. Chu noted that despite it being feature-frozen, 2.4.47 will have some minor new features, but this is definitely the last time this will happen and 2.4 is now "absolutely, for-sure, frozen". Probably.
The big milestone coming up is the production release of version 2.5. New features in 2.5, which were the meat of Chu's talk, fall into two camps: those that have been merged for the 2.5 release for some time and have matured, and those which are still scattered through various development branches and have yet to be pulled back into the main tree for release. Mature features coming in 2.5 include multiple thread pool queues, streamlined write waiters, offline slapmodify and slapdelete, and support for LDAP transactions in all the primary database backends.
Currently-merged features for 2.5
In all versions through 2.4, there is a single thread pool that allocates worker threads to every operation. Because this allocation is done through a single queue with a single lock, it gets bogged down pretty heavily under large workloads, and it doesn't scale well to multiple cores. So in 2.5 a configurable number of queues is permitted. In testing, this has produced considerable benefits: a 25% boost in searches per second with the back-mdb backend [PDF] on a four-core test system.
When Oracle invited the OpenLDAP developers
to Oracle's Dublin office in July 2017, multiple queues were further tested
on an M8
system, with 2048 virtual CPUs and 1.5TB of RAM, running a pre-release Solaris
11.3. Initially, with a test database of a million Distinguished Names
(DNs, unique entities within LDAP), and a hundred clients each with ten
connections, they managed 180,000 searches per second. After tuning,
which included increasing the number of thread queues, they hit 930,000
searches per second, at which point they established the Solaris kernel
was the new bottleneck. For multi-core servers, said Chu, multiple
thread pool queues is a huge feature; his advice is to have one queue
per CPU, and if necessary to further increase the number of queues so
that you don't exceed 16 threads per queue.
Also prior to 2.5, there was a single, central thread that was responsible for calling select() on all socket descriptors, for both reading and writing on the network. That thread becomes a bottleneck in high-throughput situations, with a lot of synchronization overhead. So, in 2.5, each worker thread is responsible for sending messages to its own clients, leaving the central thread to deal with receiving messages from all clients. This eliminates much of that overhead, and improves throughput in environments which mix busy clients with slow ones.
The best place to keep the configuration for a database-driven tool is inside the database, and OpenLDAP does this under the Common Name cn=config. This can, however, give rise to a chicken-and-egg situation: the database won't start because it needs a configuration change, and you can't change the configuration because the database is down. The new tools slapmodify and slapdelete allow these changes to be made by direct operations on a down database, and complement the extant slapcat and slapadd.
RFC 5805 for transaction support in LDAP has been around for some time now. Transaction support in OpenLDAP is complete for the three primary database backends: BDB, HDB, and MDB. There is also an LDAP backend, which essentially turns OpenLDAP into an LDAP proxy server; the project looked at adding transaction support to that backend as well, but Chu said it exposes a shortcoming in the RFC, and that the specification really needs to support two-phase commit if transactions distributed across multiple servers are to be possible.
Still in the pipeline
As Chu said earlier, there are also new features coming in 2.5 that have not had quite so much testing as those listed above. OpenLDAP's synchronization and replication engine, syncrepl, does two or more full transactional writes for each incoming modification, and this puts it at a bit of a disadvantage when keeping up with a busy, bursty replication provider. In 2.5, syncrepl does "lazy commit", where those writes are queued for later injection to the underlying database, which helps it keep up with such a provider. STARTTLS and SASL interactive bind have been supported by libldap for some time, but they've been synchronous functions; as of 2.5, they are supported asynchronously, which Chu expects to make your life a little easier "if you're using libldap in some other external event loop". Elliptic-curve cryptography is now supported by OpenLDAP. There are two new database backends, one called Wired Tiger (the name being a play on the BDB backend engine's long-term maintainer, Sleepycat Software), the other called asyncmeta, which is an asynchronous version of the back-meta backend. The lload LDAP load-balancer code is being merged into the slapd code base. Many new modules are provided, including ones to support TOTP OATH and Authzid, and overlays such as adremap and usn to support Microsoft schemas.
Yet another addition for 2.5 is the autoca overlay, which is an automatic generator for both certificates and certification authorities (CAs). When slapd is started with autoca configured, it will look to see if it there is a CA and a server certificate configured; if not, they will be automatically generated with appropriate contents. Then, for any user who comes along and does an LDAP search for their own DN, that is for their own user certificate, the certificate will be generated and supplied to them on the fly. Chu is "pretty happy about that one".
Getting further down into the nuts and bolts, indexing in slapd is currently based on a 32-bit hash; in larger databases Chu is starting to see excessive hash collisions. 2.5 uses 64-bit hashes, which will make false index collisions much less likely. OpenLDAP has previously had an LDIF parsing library, called libldif, which Chu found many distributions didn't package (perhaps, he speculated, because they didn't know it existed). This functionality has now been moved into libldap. Timestamps have been supported, but only with single-second granularity; as of 2.5, timestamps have microsecond resolution, and time spent in queue and time for execution are both logged. For TLS, under 2.4 the filesystem location of the keys and certificates were stored in cn=config; as of 2.5, the keys and certificates themselves can be stored inside the database.
Not everything that was being worked on is ready to ship in 2.5, but it's useful to know what might be coming shortly after. Logging continues to be a bottleneck for OpenLDAP; Chu describes the glibc syslog() code as "some of the worst I've ever read". The OpenLDAP test server manages about 200,000 queries per second with no logging, but only 21,000 queries/second with stats logging enabled. Chu tried writing a streamlined syslog(), but this only raised throughput to 26,000 queries/second; it was clear that some form of binary logging was needed. Initially, Chu considered writing the stats logs as BER-encoded LDAP packets, but realized he'd have to write another tool to parse those binary packets and make them human-readable. So his current thinking is to write them out in the pcap format and let people use Wireshark to read the log, which is definitely an interesting approach to logging.
Chu intends that the project will grasp the nettle of two-phase commits, which he accepts will mean extending RFC 5805. There is, he feels, no alternative if it is going to support transactions across back-ldap, back-meta, and the like. As for timescales, Chu suggested in response to an audience question that we should expect a pre-alpha quality 2.5.0 in a couple of months' time. 2.4 is, as he said, over ten years old; 2.5 is badly-needed, and it'll be good when it gets here.
[Thanks to the Linux Foundation, LWN's travel sponsor, for supporting my
travel to the event.]
| Index entries for this article | |
|---|---|
| GuestArticles | Yates, Tom |
| Conference | FLOSS UK/2018 |
Posted May 23, 2018 21:23 UTC (Wed)
by cyperpunks (subscriber, #39406)
[Link]
Thanks guys!
Posted May 23, 2018 21:30 UTC (Wed)
by kostix (guest, #119803)
[Link] (2 responses)
(I'm not affiliated with ReOpenLDAP.)
Posted May 24, 2018 13:29 UTC (Thu)
by Gladrim (guest, #45751)
[Link] (1 responses)
However, to attack the code quality of OpenLDAP is more than a little unfair. OpenLDAP prioritizes stability and quality of code over pushing new features. It's designed to run at massive scale in telcos and other large enterprises, and to be stable and lightning fast. It's the fastest directory server by miles, thanks in part to the LMDB database backend that was developed specifically for it. LMDB is a deeply impressive bit of code.
Posted May 24, 2018 20:30 UTC (Thu)
by ly2018 (guest, #124025)
[Link]
> However, to attack the code quality of OpenLDAP is more than a little unfair.
> LMDB is a deeply impressive bit of code.
Posted May 23, 2018 22:38 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (10 responses)
Its own configuration is defined as a set of LDAP diff files that are applied on the server startup to a special schema. And you have to use special tools to manipulate them. Want to generate them from an Ansible file? You'd better learn LDIF syntax.
Want to post a question or make a code review? You'd better learn LDIF.
This is probably the most brain-dead way of configuring software I've seen so far, right after Windows Registry.
Posted May 24, 2018 9:04 UTC (Thu)
by diamond_light (subscriber, #72450)
[Link] (4 responses)
Posted May 24, 2018 9:21 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
Posted May 24, 2018 10:52 UTC (Thu)
by grawity (subscriber, #80596)
[Link] (1 responses)
Posted Jun 7, 2018 19:18 UTC (Thu)
by ssmith32 (subscriber, #72404)
[Link]
Posted May 24, 2018 13:22 UTC (Thu)
by Gladrim (guest, #45751)
[Link]
Posted May 24, 2018 11:55 UTC (Thu)
by ptman (subscriber, #57271)
[Link] (1 responses)
Posted May 25, 2018 15:50 UTC (Fri)
by hyc (guest, #124633)
[Link]
Posted May 25, 2018 12:21 UTC (Fri)
by cdufour (guest, #116907)
[Link] (1 responses)
Posted May 25, 2018 15:52 UTC (Fri)
by hyc (guest, #124633)
[Link]
Posted May 25, 2018 13:57 UTC (Fri)
by anselm (subscriber, #2796)
[Link]
It's not as brain-dead as it seems at first, once you realise you can use LDAP to synchronise the configuration between servers (among other things).
Back when I was teaching OpenLDAP classes I would use Apache Directory Studio to tweak the configuration interactively. I always thought there'd be room for a postconf-style tool that would let you change individual configuration parameters from the shell command line, but I never got around to writing it.
Posted May 24, 2018 8:52 UTC (Thu)
by glaubitz (subscriber, #96452)
[Link]
Oh, that would be so nice to have such a machine for Debian's sparc64 port, especially after our SPARC-T5 died :(.
We could probably rebuild the whole Debian archive in one week on two of these machines <3.
Posted May 24, 2018 14:49 UTC (Thu)
by pj (subscriber, #4506)
[Link] (3 responses)
Posted May 24, 2018 15:03 UTC (Thu)
by JFlorian (guest, #49650)
[Link]
Posted May 25, 2018 15:58 UTC (Fri)
by hyc (guest, #124633)
[Link] (1 responses)
I wrote about it before. https://www.linkedin.com/pulse/20140924071300-170035-why-...
Posted May 25, 2018 16:25 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted May 24, 2018 15:17 UTC (Thu)
by pauly (subscriber, #8132)
[Link] (2 responses)
Hey there, wasn't the L to mean "Iightweight"? (Open)LDAP was introduced to me back in 1999 with a notion of
Martin (just a nework guy using OpenLDAP, no expert at all)
Posted May 24, 2018 20:42 UTC (Thu)
by xtifr (guest, #143)
[Link]
Posted May 25, 2018 16:07 UTC (Fri)
by hyc (guest, #124633)
[Link]
Anyway, the University of Michigan directory team went with the common wisdom and invented LDAP, which was intended to be a simplified version of X.500 DAP, that ran over TCP/IP. The original LDAP server was just a gateway/proxy, it spoke DAP out the backend to a real X.500 server while answering client LDAP queries over TCP. Eventually they had the idea of creating a standalone server, and getting rid of the X.500 dependencies, and OpenLDAP started from this later UMich code. The UMich directory team all got hired by Netscape, so the last UMich LDAP release happened in 1996. There were various unofficial patches and bugfixes floating around on email lists, which were collected and consolidated into what became OpenLDAP 1.0 in 1998. Much of this code got overhauled in stages from OpenLDAP 2.0 (~2000) onward, and today's code doesn't have much original UMich code inside any more.
Posted Jun 6, 2018 23:02 UTC (Wed)
by mhardin_symas (guest, #124885)
[Link]
Howard is often too shy to say, but the reason many of the features in OpenLDAP 2.5 have been maturing quickly is that his company, Symas, has back-ported them from the OpenLDAP 2.5 release into its OpenLDAP 2.4 packages. Lazy commit, multiple thread pool queues, streamlined write waiters, 64-bit index hashes, and more, are all part of Symas's OpenLDAP 2.4 rpms, debs, and txzs, and see heavy use in some of the world's most demanding environments. More information is here: https://symas.com/symasopenldap.
Anyone wishing to take these features for a spin without the pain of compiling can download the free (as in beer) Silver version of Symas OpenLDAP at https://downloads.symas.com. No registration is necessary.
What's coming in OpenLDAP 2.5
nice replication features, fast, and simple to do configuration changes at runtime without downtime, sane logging and easy to debug.
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
Wrong, but this is a long story...
This make me laugh.
Just see the code, or loops the `make test`.
Hm, or one more rebus of code?
But nevertheless, pay attention to https://github.com/leo-yuriev/libmdbx
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
LDIF isn't the wire format, it's the data markup format – most people who run Nginx will eventually need to know a bit of HTML, don't they?
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
"That X.500 stuff is much too academic and will never take off in real life. So some guys of in the States
started a new project to have _some_ functionality working on real servers, with real database content.
All freedom, little warranty."
What's coming in OpenLDAP 2.5
What's coming in OpenLDAP 2.5
Early Access to OpenLDAP 2.5 Features