LDAP making Nextcloud performance slow?

Nextcloud version:12.0.0
Operating system and version: Ubuntu 16.04
Apache or nginx version: Apache 2.4.18
PHP version: 7.0.18
Mysql version: MariaDB 10.1.25

Is this the first time you’ve seen this error?:
Not really an error, but yes it is (my first time trying to fix a Nextcloud server with LDAP)

Can you reliably replicate it? (If so, please outline steps):
Yes, I can replicate it (Created a test machine with Nextcloud (clean one) and still gets the same problem)

The issue you are facing:
So… When I’m configuring LDAP it takes around 10 minutes for it to check if everything is okay, and around 10 min for it to save.

When I afterwards get it to work (Everything OK) and try to check for all the users, it takes another 10 min for it to load. And you can forget about logging in to an account from LDAP, where it will take around 20 min to log in, which isn’t really acceptable in a running environment where over 100 people will use it (got 6 accounts that are LDAP at the moment).

Local accounts don’t face this issue at all; you can log in to them instantly without a trace of the same issue as LDAP accounts.

Side note:
Before I enhanced the Nextcloud server with Opcache it took around 10-20 min to just open the browser window for my Nextcloud Client if the LDAP option was enabled.

The output of your Nextcloud log in Admin > Logging:
How do you want the log? Mine was too big.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

config.php

<?php
$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' => array (
    0 => '',
    1 => ''
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'htaccess.RewriteBase' => '/',
  'dbtype' => 'mysql',
  'version' => '12.0.0.29',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '',
  'dbpassword' => ',
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'ldapUserCleanupInterval' => 60,
  'overwrite.cli.url' => ' '\OC\Memcache\APCu',
);

The output of your Apache/nginx/system log in /var/log/____:
It’s the same all over the place so only took 5 of them

[Wed Jul 26 15:46:46.126432 2017] [authz_core:error] [pid 4837] [client <my_ip_address>] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/.ocdata
[Wed Jul 26 15:49:42.991824 2017] [authz_core:error] [pid 4834] [client <my_ip_address>] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/.ocdata
[Wed Jul 26 15:52:12.904864 2017] [authz_core:error] [pid 5683] [client <my_ip_address>] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/.ocdata
[Wed Jul 26 15:52:23.614492 2017] [authz_core:error] [pid 4919] [client <my_ip_address>] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/.ocdata
[Wed Jul 26 15:53:07.538831 2017] [authz_core:error] [pid 5862] [client <my_ip_address>] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/.ocdata

I don’t know what your problem is. Maybe a network issue. How is the connection working with the local ldapsearch command? Aside from that, LDAP works flawlessly and fast on my setup, which is pretty much the same as yours.

cheers
t.

Thanks for answering,

The thing is that it seems like the LDAP config slows down my whole machine (in the browser) when it’s enabled.

We have tried with ldapsearch from the machine (not the browser) and it works perfectly with no delay or anything, but as soon as it’s in the browser, it takes ages.

My config from start to finish:

Download NextCloud

LINK:
How To Install and Configure Nextcloud on Ubuntu 16.04 | DigitalOcean

DOWNLOAD LINK:
https://download.nextcloud(.)com/server/releases/

cd /tmp
curl -LO https://download.nextcloud(.)com/server/releases/nextcloud-<version>.tar.bz2
rm nextcloud-<version>.tar.bz2.sha256

Install NextCloud

sudo tar -C /var/www -xvjf /tmp/nextcloud-<version>.tar.bz2

sudo vim /tmp/nextcloud.sh

#!/bin/bash
ocpath='/var/www/html/nextcloud'
htuser='www-data'
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p $ocpath/data
mkdir -p $ocpath/assets
mkdir -p $ocpath/updater

printf "chmod Files and Directories\n"
find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750
chmod 755 ${ocpath}

printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ocpath}/
chown -R ${htuser}:${htgroup} ${ocpath}/apps/
chown -R ${htuser}:${htgroup} ${ocpath}/assets/
chown -R ${htuser}:${htgroup} ${ocpath}/config/
chown -R ${htuser}:${htgroup} ${ocpath}/data/
chown -R ${htuser}:${htgroup} ${ocpath}/themes/
chown -R ${htuser}:${htgroup} ${ocpath}/updater/

chmod +x ${ocpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ocpath}/.htaccess ]
 then
  chmod 0644 ${ocpath}/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/.htaccess
fi
if [ -f ${ocpath}/data/.htaccess ]
 then
  chmod 0644 ${ocpath}/data/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/data/.htaccess
fi

EXECUTE THE SCRIPT:
sudo bash /tmp/nextcloud.sh

sudo vim /etc/apache2/sites-available/nextcloud.conf

CONFIGURE THAT FILE:
Alias /nextcloud "/var/www/html/nextcloud/"

<Directory /var/www/html/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/html/nextcloud
    SetEnv HTTP_HOME /var/www/html/nextcloud

</Directory>

sudo a2ensite nextcloud
sudo a2enmod rewrite

sudo apt-get update
sudo apt-get install -y php-bz2 php-curl php-gd php-imagick php-intl php-mbstring php-xml php-zip
sudo systemctl reload apache2

Creating a MySQL Database for NextCloud

LOGIN TO THE SQL
mysql -u root -p

CREATE A DATABASE
CREATE DATABASE nextcloud;

CREATE A USER AND GIVE PERMISSIONS FOR nextcloud:
GRANT ALL ON nextcloud.* to 'nextcloud'@'localhost' IDENTIFIED BY 'set_database_password';

FLUSH THE PRIVILEGES THEN EXIT
FLUSH PRIVILEGES;
EXIT;

OPcache

FOLDER:
/etc/php/7.0/apache2/php.ini

UNCOMMENT AND CHANGE:
FROM:

;opcache.enable=0
;opcache.enable_cli=0
;opcache.memory_consumption=64
;opcache.interned_strings_buffer=4
;opcache.max_accelerated_files=2000
;opcache.revalidate_freq=2
;opcache.save_comments=1

TO:

opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1

Memory Caching

INSTALLATION:

apt-get install php-apcu

FOLDER:

/var/www/html/nextcloud/config/config.php

EDIT:-

added this at the end in the config:
'memcache.local' => '\OC\Memcache\APCu',

Change binlog

FILE:

/etc/mysql/my.cnf

UNCOMMENTED AND ADDED:
FROM:

binlog_format=row

TO:

binlog_format=MIXED

LDAP

SERVER:

Host: <DNS_TO_SERVER:389
Port: 389
DN: CN=USER,OU=ServiceAccounts,OU=,OU=Companies,DC=,DC=
PW: PW_TO_USER
Base DN: DC=,DC=

USER:
LDAP Query:

(&(objectClass=user)(memberOf=CN=Nextcloud-user,OU=Groups,OU=company,OU=Companies,DC=,DC=<DC))

LOGIN ATTRIBUTES:-
LDAP Query:

(&(|(objectclass=user))(samaccountname=%uid))

GROUPS:
LDAP Query:

(&(|(objectclass=group))(|(cn=Nextcloud-user)))

Systemd

FILE 1:

/etc/systemd/system/nextcloudcron.service

CODE:

[Unit]
Description=Nextcloud cron.php job

[Service]
User=www-data
ExecStart=/usr/bin/php -f /var/www/html/nextcloud/cron.php

[Install]
WantedBy=basic.target

FILE 2:

/etc/systemd/system/nextcloudcron.timer

CODE:

[Unit]
Description=Run Nextcloud cron.php every 15 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=15min
Unit=nextcloudcron.service

[Install]
WantedBy=timers.target

After doing these steps, and even if the LDAP is a bit faster, it still takes around 10 min for me to log in to an LDAP user.

Unsure, but afaik LDAP is synced to Nextcloud so there is a local cache. I don’t know how it works in detail though. Many bigger companies use LDAP just fine so I’m unsure if LDAP is the culprit.

I’d take a look at your configuration for searching users, maybe it’s bonkers :)

The thing is also that even if I only install Nextcloud and enable LDAP, the whole machine is slow. And I did follow this guide:

and this LDAP guide:
https://docs.nextcloud.com/server/9/admin_manual/configuration_user/user_auth_ldap.html

It shouldn’t make my LDAP slow right? Or am I missing something here?

Again, how does ldapsearch commandline work?

Oh, sorry I missed that. This is what I ran:

ldapsearch -h <DNS_TO_SERVER> -x -b "DC=xxx,DC=yyy" -D "CN=user,OU=ServiceAccounts,OU=company,OU=Companies,DC=xxx,DC=yyy" -W "sAMAccountName=user"

This is the output (And it’s instant):

# extended LDIF
#
# LDAPv3
# base <DC=xxx,DC=yyy> with scope subtree
# filter: sAMAccountName=user
# requesting: ALL
#

# user, ServiceAccounts, company, Companies, xxx.yyy
dn: CN=user,OU=ServiceAccounts,OU=company,OU=Companies,DC=xxx,DC=yyy
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user
givenName: user
distinguishedName: CN=user,OU=ServiceAccounts,OU=company,OU=Companies,DC=xxx,DC=yyy
instanceType: 4
whenCreated: 20161021120720.0Z
whenChanged: 20170721115307.0Z
displayName: user
uSNCreated: 13460120
uSNChanged: 40969462
name: user
objectGUID:: 3+Hjh83OlUmb65ojYE5M2A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131215266402066902
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAFxVtss++8UDesCvT6wUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user
sAMAccountType: 805306368
userPrincipalName: user@xxx.yyy
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=yyy
dSCorePropagationData: 20161021120721.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131451115874786245

# search reference
ref: ldap://ForestDnsZones.xxx.yyy/DC=ForestDnsZones,DC=xxx,DC=yyy

# search reference
ref: ldap://DomainDnsZones.xxx.yyy/DC=DomainDnsZones,DC=xxx,DC=yyy

# search reference
ref: ldap://xxx.yyy/CN=Configuration,DC=xxx,DC=yyy

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Does anyone have an idea what I’m doing wrong, or is it a bug in Nextcloud?

We found what was wrong now. Our FWs had double DNS posters to the LDAP server, which made the request slow. LDAP is working like a charm now. Closing this thread now.
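
A check for the kind of cause reported above (DNS for the LDAP server making requests slow), as an added example that is not part of the original thread: it lists every address the LDAP hostname resolves to and times the lookup and a TCP connect to port 389 on each one. The 0.5 s "slow" threshold, the 3 s timeout, and the demo hostname and addresses are assumptions.

```python
import socket
import sys
import time

def resolve(host, port):
    """Return (unique addresses in resolver order, lookup time in seconds)."""
    start = time.monotonic()
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    elapsed = time.monotonic() - start
    return list(dict.fromkeys(info[4][0] for info in infos)), elapsed

def connect_time(addr, port, timeout):
    """Seconds needed for a TCP handshake, or None on refusal/timeout."""
    start = time.monotonic()
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None

def diagnose(host, port=389, timeout=3.0, slow=0.5,
             resolver=resolve, connector=connect_time):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    addrs, lookup = resolver(host, port)
    if lookup > slow:
        findings.append(f"DNS lookup for {host} took {lookup:.2f}s")
    if len(addrs) > 1:
        findings.append(f"{host} has {len(addrs)} addresses: {', '.join(addrs)}")
    for addr in addrs:
        took = connector(addr, port, timeout)
        if took is None:
            findings.append(f"{addr}:{port} unreachable within {timeout:.0f}s")
        elif took > slow:
            findings.append(f"{addr}:{port} connect took {took:.2f}s")
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real run: pass the Host value from the LDAP settings
        report = diagnose(sys.argv[1])
    else:                   # offline demo on constructed data (RFC 5737 addresses)
        fake_dns = lambda h, p: (["192.0.2.10", "192.0.2.11"], 0.01)
        fake_tcp = lambda a, p, t: None if a == "192.0.2.11" else 0.002
        report = diagnose("ldap.example.test", resolver=fake_dns, connector=fake_tcp)
    print("\n".join(report) or "no DNS or connect anomalies found")
```

Run it as the web server user on the Nextcloud host, so it uses the same resolver configuration as PHP.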

Hi Rojz. Could you please elaborate? I’m having the same issue (slow performance when enabling LDAP) and your solution may help me.

I’m also having this issue.

A description of how you resolved it would be appreciated.