Basic stability and Language compatibility testing on LDAP
Written by Phillip Huang
Index
– Target
– Testing Environment
– Testing Process
– Testing Result
– Following up
– Summary
1. Target
Test the stability of the LDAP service when creating a large number of users. Specify the usage of the “getent passwd” and “ldapsearch -x” commands. Test whether the LDAP service supports the Chinese character set.
2. Testing Environment
Machines/Software:
192.168.123.21: LDAP service (port 390) running on ‘iplanet’; the operating system is Windows 2000 Advanced Server (Service Pack 4).
192.168.123.22: PC with CentOS 4.3 (full installation).
192.168.123.62: SNAZ OS 4
Network Environment: LAN (10Mbps)
3. Testing Process
3.1 Preprocessing
On machine ‘192.168.123.22’, log on as ‘root’. Install ‘smbldap-tools’ (refer to the smbldap-tools How-to manual). Then create a shell script ‘ldaptest’ with the following content:
#! /bin/bash
# script name: ldaptest
echo "Start: `date`"
for ((i=1;i<=10000;i++))
do
/usr/local/sbin/smbldap-useradd -m "testuser$i"
done
echo "End: `date`"
Then set the execute permission on the script: # chmod 777 ldaptest
On machine ‘192.168.123.62’, log in as ‘root’ and modify ‘/etc/openldap/ldap.conf’ as follows:
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
BASE dc=plasmon, dc=com
#HOST 192.168.123.8
#HOST 192.168.123.21
uri ldap://192.168.123.21:390
3.2 Create user with Chinese character set
There are two ways to create users: the ‘smbldap-useradd’ command and the iplanet console. For smbldap-tools, log on to ‘192.168.123.22’ as root and type ‘# smbldap-useradd Chineseusername’, entering Chinese characters in place of Chineseusername. Press ‘Enter’ to issue the command and watch the return message. No message means the operation succeeded; any other output means failure. (You can also check the status by issuing “echo $?”.)
On the LDAP server at ‘192.168.123.21’, open the iplanet console and go to the ‘users and groups’ table. Add new users, filling in the user profile with Chinese characters wherever possible, with special focus on the ‘uid’ and ‘user name’ items.
3.3 Create large number of users
On machine ‘192.168.123.22’, log in as ‘root’ and run the ‘./ldaptest’ script first. On machine ‘192.168.123.62’, log in as ‘root’ and issue ‘getent passwd’ and ‘ldapsearch -x’ on the command line to view the users added to the LDAP database. To double-check, on machine ‘192.168.123.21’, which holds the LDAP service and database, open the ‘iplanet’ console and list all users returned by the query.
3.4 Finishing up
When the ‘ldaptest’ script has finished, record the ‘Start’ and ‘End’ times. Keep watching the ‘getent passwd’ result and compare it with what iplanet shows.
4. Testing Result
At the beginning, the ‘ldaptest’ script worked well, and the added users could be seen in the ‘getent passwd’ result. On ‘192.168.123.62’, I also issued ‘getent passwd | wc -l’; the number of lines increased as expected.
After about 30 minutes, the machine ‘192.168.123.22’ running the "ldaptest" script got the warning message:
Cannot confirm uidnumber is free at /usr/local/sbin//smbldaptools.pm line 1062
No more users could be inserted now. On machine ‘192.168.123.62’, ‘getent passwd’ showed only the first 2030 entries. The rest of the added users were not listed and seemed to be ‘lost’. But I could still get those users' information by issuing ‘getent passwd testuser’. For example, it proved that ‘testuser4600’ existed:
# getent passwd testuser4600
This command returned the ‘testuser4600’ entry from the LDAP database.
When ‘ldapsearch -x’ was run on ‘192.168.123.62’, the result did not contain all the user entries, and it showed the warning message:
# search result
search: 2
result: 4 size limit exceeded
On "192.168.123.21", the iplanet console showed more users (about 4500), but not all. For example, a user such as ‘testuser4800’ could be searched for and its profile returned, but it was not displayed in the iplanet user list.
To determine how many users had been created, I guessed by issuing the following commands on ‘192.168.123.62’:
# getent passwd testuser10000
If no result was returned, I continued with:
# getent passwd testuser5000
If ‘testuser5000’ exists, try the middle number between 5000 and 10000, and so on.
If ‘testuser5000’ does not exist, try a number less than 5000, and repeat the loop until the number with a corresponding ‘testuser’ entry is identified.
Finally, I found the count was 4820. It means "ldaptest" had already created 4820 users.
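The manual search described above can be scripted. The following is an added example, not part of the original report: it bisects on direct ‘getent passwd testuserN’ lookups and compares the result with what enumeration returns. The function names and the script name are hypothetical, and it assumes users were created in order with no gaps, as the ‘ldaptest’ loop does.

```bash
#!/bin/bash
# Added example: locate the last created testuserN by bisection, then compare
# with what enumeration shows. Assumes users were created in order 1..N with
# no gaps, as the ldaptest loop does.

# Direct lookup of one name; override this function to try the logic offline.
user_exists() {
    getent passwd "testuser$1" >/dev/null 2>&1
}

# Number of testuser entries returned by full enumeration.
enumerated_count() {
    getent passwd | grep -c '^testuser' || true
}

# highest_user MAX: print the largest i in 1..MAX for which testuser$i
# resolves, or 0 if none does. Needs about log2(MAX) lookups.
highest_user() (
    lo=0                 # invariant: testuser$lo exists (0 = sentinel)
    hi=$(( $1 + 1 ))     # invariant: testuser$hi does not exist
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if user_exists "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
)

# audit MAX: print both counts; return non-zero if enumeration hides entries.
audit() (
    created=$(highest_user "$1")
    listed=$(enumerated_count)
    echo "created=$created listed=$listed hidden=$(( created - listed ))"
    [ "$listed" -ge "$created" ]
)

# Run only when an upper bound is given, e.g.: ./finduser 10000
# (finduser is a hypothetical script name)
if [ "$#" -ge 1 ]; then
    audit "$1"
fi
```

A non-zero exit from audit means a listing taken from ‘getent passwd’ alone is missing accounts that still resolve by name.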
I stopped "ldaptest" and just executed:
# smbldap-useradd newtestuser
It failed with the same warning message that the ‘ldaptest’ script got earlier. Then I specified the ‘uid’ and tried again:
# smbldap-useradd -u 20000 -a newtestuser
This operation still failed to add ‘newtestuser’; smbldap tools indicated it could not confirm the uidnumber is free.
Later, I used a reversed loop script with "smbldap-userdel testuser$i" to delete all users whose names begin with ‘testuser’. In the first 15 minutes, ‘getent passwd’ showed the remaining ‘testuser$i’ users, and the number of returned lines always held at 2030. After 15 minutes, the "getent passwd | wc -l" result began to decrease, and finally all "testuser$i" users were deleted.
Now I could add users again without smbldap tools warning messages. Then I repeated the whole test. The second result was the same as the first one: only 4820 users could be inserted into the iplanet LDAP database. It’s a limitation.
In the other test, both smbldap tools and iplanet accepted Chinese characters when setting the user profiles, except for uid and email. Setting a Chinese uid produced the following error message:
The value is not 7-bit clean. Constraint violation
Later, I deleted the ‘uid’ limitation from the iplanet ‘7-bit clean’ rules. Chinese could then be entered as the uid, and the user was also found when querying by the Chinese string in iplanet. Smbldap tools did not support a Chinese uid issued in command-line mode, and the user inserted with a Chinese uid could not be returned during a query.
5. Following up
In order to display all users in ‘getent passwd’, on machine ‘192.168.123.21’ I modified ‘c:iplanetserversslapd-plz/config/des.ldif’, changing the nssizelimit value to ‘-1’ (the default nssizelimit is ‘2000’; ‘-1’ means no limit). After restarting the iplanet service, more users were listed, but not all. This change did not affect the result returned by ‘getent passwd’; it still held at 2030 without changing.
With the third tool, LAT, connecting to the ‘192.168.123.21’ LDAP service, only 1000 accounts were displayed as the maximum (Loren is fixing this issue, and today sent me a new patch). Searching for added users such as "testuser4820" and "testuser4800", which were not listed in LAT, both could be found and their profiles returned.
While I was continuing the research, the LDAP server ‘192.168.123.21’ crashed and all the data was lost. We had to format the hard disk and install a new OS. Testing is also halted.
Since iplanet has these issues and I have to wait for its reinstallation, I plan to test another LDAP server (OpenLDAP) in the coming days, focusing on the maximum user count.
6. Summary
The iplanet LDAP server seems to have a limitation on user count. This issue is waiting to be confirmed in the follow-up testing. ‘getent passwd’ and ‘ldapsearch -x’ could not display all users; only a part of the users was returned. In iplanet, Chinese could not be used as ‘uid’ until the ‘7-bit clean’ rules were modified. Smbldap tools do not accept Chinese characters as ‘uid’ at all.