Question:

You are experiencing massive load issues on the LDAP service of your UCS Master. Even simple LDAP queries (e.g., univention-ldapsearch uid=mmuster) can take up to five minutes to complete.
What can you do if high load peaks continue to occur over extended periods, causing LDAP to respond slowly?

Answer:

Possible Cause

A common cause for sustained LDAP load peaks is a large number of system updates across the domain. These updates can generate a high volume of LDAP write and modify operations, placing significant strain on the LDAP database.

Steps You Can Take

1. Distribute LDAP Requests More Effectively

• Redirect as many LDAP connections as possible from your DC Master to backup servers using the UCR variables ldap/backup and ldap/server/addition.
• Ensure that external clients are configured to query backup servers rather than the Master whenever possible.

2. Optimize Hardware Resources

• Increasing the number of CPUs and switching to faster storage (e.g., NVMe) can significantly improve LDAP performance.
• If you increase the CPU count, make sure to adjust the LDAP thread configuration accordingly (e.g., from 16 to 64 threads when scaling from 16 to 32 CPUs). /etc/ldap/slapd.conf & systemctl restart slapd.service

3. Schedule Maintenance for Database Defragmentation

• Even after implementing the above optimizations, LDAP load peaks may persist due to database fragmentation.
• Plan a dedicated maintenance window to perform LMDB database defragmentation. Follow the guidance provided in this Univention Knowledge Base article:
  Problem: LMDB fragmentation slows down LDAP modifications

4. Apply LDAP Indexing Optimizations from the Univention Performance Guide

• UCS ships with a Performance Guide that includes valuable insights for optimizing LDAP performance in larger environments.
  Univention Corporate Server - Performance guide — Univention Corporate Server - Performance Guide

• One key recommendation is to fine-tune LDAP indexing: Index frequently searched attributes to reduce full-database scans—but avoid over-indexing, as unused indexes add overhead on write and sometimes read operations.
  Univention Corporate Server - Performance guide — Univention Corporate Server - Performance Guide

• You can manage indexing via UCR variables (e.g., disable automatic index rebuilding with ldap/index/autorebuild) and manually define which attributes to index. After updating indices, reindex the database using slapindex, then restart the LDAP service.

Conclusion

If you continue to experience high load peaks despite distributing the load and optimizing hardware, schedule regular maintenance to defragment the LDAP database. This can significantly improve write performance and reduce the overall load on your UCS Master.