Too many LDAP queries

Sherzod

Good afternoon,
We see that TrueNAS 13.0.U3.1 is making too many LDAP queries. It makes at least 5 million queries in one week.
The strangest thing is that it even searches for local users and local groups in LDAP too.
Here are some fragments of the logs:
Code:
    May 15, 2023 @ 17:02:46.953 +00:00    646265b6.38cd1dda 0x7f83ce74ab38 conn=112166 op=2 SRCH attr=objectClass cn ipServicePort ipServiceProtocol modifyTimestamp     -
    May 15, 2023 @ 17:02:46.953 +00:00    646265b6.38d08aa7 0x7f83ce74ab38 conn=112166 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000026 etime=0.000367 nentries=0 text=     -
    May 15, 2023 @ 17:02:46.953 +00:00    646265b6.38cc4112 0x7f83ce74ab38 conn=112166 op=2 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(cn=https)(objectClass=ipService))"
    Mar 18, 2023 @ 13:59:46.662 +00:00    6415c3d2.27731c00 0x7fabe5d99b38 conn=1000 op=173595 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=1004))"     -
    Mar 18, 2023 @ 13:59:46.662 +00:00    6415c3d2.27769235 0x7fabe5d99b38 conn=1000 op=173595 SEARCH RESULT tag=101 err=0 qtime=0.000022 etime=0.000268 nentries=0 text=     -
    Mar 18, 2023 @ 13:59:46.661 +00:00    6415c3d2.2769bf98 0x7fabe3f93b38 conn=1000 op=173594 SEARCH RESULT tag=101 err=0 qtime=0.000024 etime=0.000239 nentries=0 text=     -
    Mar 18, 2023 @ 13:59:46.661 +00:00    6415c3d2.27675a56 0x7fabe3f93b38 conn=1000 op=173594 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber     -
    Mar 18, 2023 @ 13:59:46.661 +00:00    6415c3d2.2766c66f 0x7fabe3f93b38 conn=1000 op=173594 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"     -
    Mar 18, 2023 @ 13:59:46.660 +00:00    6415c3d2.275971c9 0x7fabe0387b38 conn=1000 op=173593 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber     -
    Mar 18, 2023 @ 13:59:46.660 +00:00    6415c3d2.27585dec 0x7fabe0387b38 conn=1000 op=173593 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"     -
    Mar 18, 2023 @ 13:59:46.660 +00:00    6415c3d2.275d1ea5 0x7fabe0387b38 conn=1000 op=173593 SEARCH RESULT tag=101 err=0 qtime=0.000034 etime=0.000374 nentries=0 text=     -
    Mar 18, 2023 @ 13:59:46.658 +00:00    6415c3d2.2739204f 0x7fabe218db38 conn=1000 op=173592 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"     -
    Mar 18, 2023 @ 13:59:46.658 +00:00    6415c3d2.273ac522 0x7fabe218db38 conn=1000 op=173592 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber     -
    Mar 18, 2023 @ 13:59:46.658 +00:00    6415c3d2.273ff485 0x7fabe218db38 conn=1000 op=173592 SEARCH RESULT tag=101 err=0 qtime=0.000044 etime=0.000636 nentries=0 text=     -
    Mar 18, 2023 @ 13:59:46.264 +00:00    6415c3d2.0fbf181e 0x7fabe7bffb38 conn=1000 op=173591 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=1004))"     -
    Mar 18, 2023 @ 13:59:46.264 +00:00    6415c3d2.0fc0093d 0x7fabe7bffb38 conn=1000 op=173591 SRCH attr=member cn memberUid gidNumber
    Apr 22, 2023 @ 13:57:00.935 +00:00    6443e7ac.37b650e0 0x7fabef9dab38 conn=1000 op=1341901 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=r))"     -
    Apr 22, 2023 @ 13:57:00.935 +00:00    6443e7ac.37b76466 0x7fabef9dab38 conn=1000 op=1341901 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber     -
    Apr 22, 2023 @ 13:57:00.935 +00:00    6443e7ac.37bd76f1 0x7fabef9dab38 conn=1000 op=1341901 SEARCH RESULT tag=101 err=0 qtime=0.000041 etime=0.000558 nentries=0 text=     -
    Apr 22, 2023 @ 13:56:12.160 +00:00    6443e77c.0985a839 0x7fabe218db38 conn=1000 op=1341900 SEARCH RESULT tag=101 err=0 qtime=0.000034 etime=0.000341 nentries=0 text=     -
    Apr 22, 2023 @ 13:56:12.159 +00:00    6443e77c.09822a83 0x7fabe218db38 conn=1000 op=1341900 SRCH attr=member cn memberUid gidNumber

If you pay attention to this log, TrueNAS is looking for a user with uid 1004, and this user is local and created through the TrueNAS web interface.
We have LDAP integration configured:
1684226646353-png.66658

1. How can I reduce the number of queries?
2. Can we configure that local users are looked up first in the local DB and are not queried from LDAP?
I would be glad to have any tips.
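
One way to see which lookups dominate the query volume is to join each SRCH line to its SEARCH RESULT by conn/op and count, per filter, how many searches returned no entries. This is an added example, not part of the original post or of TrueNAS; the `summarize` function name is hypothetical, and the sample lines are the post's own fragments with the timestamp columns trimmed.

```python
import re
from collections import Counter

# Fragments from the post above, timestamp columns trimmed (newest first, as exported).
SAMPLE = '''\
conn=1000 op=173595 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=1004))"
conn=1000 op=173595 SEARCH RESULT tag=101 err=0 qtime=0.000022 etime=0.000268 nentries=0 text=
conn=1000 op=173594 SEARCH RESULT tag=101 err=0 qtime=0.000024 etime=0.000239 nentries=0 text=
conn=1000 op=173594 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber
conn=1000 op=173594 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"
conn=1000 op=173593 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"
conn=1000 op=173593 SEARCH RESULT tag=101 err=0 qtime=0.000034 etime=0.000374 nentries=0 text=
conn=1000 op=173592 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=1004))"
conn=1000 op=173592 SEARCH RESULT tag=101 err=0 qtime=0.000044 etime=0.000636 nentries=0 text=
conn=1000 op=173591 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=1004))"
conn=112166 op=2 SRCH base="dc=xxx,dc=com" scope=2 deref=0 filter="(&(cn=https)(objectClass=ipService))"
conn=112166 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000026 etime=0.000367 nentries=0 text=
'''

# "SRCH attr=..." lines share the conn/op of a search but carry no filter; skip them.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" .*?filter="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*?nentries=(\d+)')

def summarize(lines):
    """Return {filter: (searches, searches_with_zero_entries)}.

    Lines may arrive in any order, so requests and results are collected
    first and joined on (conn, op) afterwards. A search whose result line
    is missing from the input is counted but not as an empty result.
    Note: conn numbers restart with slapd, so feed one server run at a time.
    """
    filters, entries = {}, {}
    for line in lines:
        if m := SRCH.search(line):
            filters[(m[1], m[2])] = m[3]
        elif m := RESULT.search(line):
            entries[(m[1], m[2])] = int(m[3])
    total, empty = Counter(), Counter()
    for key, flt in filters.items():
        total[flt] += 1
        if entries.get(key) == 0:
            empty[flt] += 1
    return {f: (total[f], empty[f]) for f in total}

if __name__ == "__main__":
    for flt, (n, miss) in sorted(summarize(SAMPLE.splitlines()).items(), key=lambda kv: -kv[1][0]):
        print(f"{n:4d} searches, {miss:4d} with nentries=0  {flt}")
```

Run over a full week of slapd logs, the same tally shows whether repeated negative lookups for local names such as `1004` account for most of the volume.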
 

sretalla

You might try using the option to "Disable LDAP User/Group Cache".

Keeping the cache updated might be the source of the additional queries.

Note the consequences of that outlined in the help text: Disable caching LDAP users and groups in large LDAP environments. When caching is disabled, LDAP users and groups do not appear in dropdown menus, but are still accepted when manually entered.
 

Sherzod

Thanks for the answer!
But it doesn't help :(
Is there anything else you can recommend?
Right now my TrueNAS config looks like this:
1685032142594.png
 