authrate — measure bind throughput and response time
Synopsis
authrate {options} [filter template string] [attributes ...]
Description
This utility can be used to measure bind throughput and response time of a directory service using user-defined bind or search-then-bind operations.
Template strings may be used in the bind DN option as well as the authid and authzid SASL bind options. A search operation may be used to retrieve the bind DN by specifying the base DN and a filter. The retrieved entry DN will be appended as the last argument in the argument list when evaluating template strings.
Example (bind only):
authrate -p 1389 -D 'uid=user.{},ou=people,dc=example,dc=com' \
-w password -f -c 10 -g 'rand(0,2000)'
Example (search then bind):
authrate -p 1389 -D '{2}' -w password -f -c 10 \
-b 'ou=people,dc=example,dc=com' -s one -g 'rand(0,2000)' '(uid=user.{1})'
Before trying the example, import 2000 randomly generated users.
When you do not use the -f
option to keep connections open and rebind on the connections, the tool can exhaust its available ports, causing the tool to crash. You can work around this problem on test systems by changing TCP settings on the system.
For example, on Linux systems, set the following parameters in the /etc/sysctl.conf
file:
net.ipv4.tcp_fin_timeout = 30 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_tw_reuse = 1
The parameter net.ipv4.tcp_fin_timeout
sets the length of time in seconds to wait for a final FIN packet before forcing a close of the socket. The default is 60 (seconds).
The parameter net.ipv4.tcp_tw_recycle
enables fast recycling of TIME_WAIT sockets. The default is 0 (false). Enabling this can cause Network Address Translation (NAT) issues.
The parameter net.ipv4.tcp_tw_reuse
enables reuse of TIME_WAIT sockets for new connections. The default is 0 (false).
These settings are recommended only for testing, and not for production systems.
After making the changes to /etc/sysctl.conf
, reload the configuration with the sysctl command:
# sysctl -p
Options
The authrate command takes the following options:
Command options:
-a | --dereferencePolicy {dereferencePolicy}
Alias dereference policy ('never', 'always', 'search', or 'find').
Default: never
-b | --baseDn {baseDN}
Base DN template string.
-B | --warmUpDuration {warmUpDuration}
Warm up duration in seconds.
Default: 0
-c | --numConnections {numConnections}
Number of connections.
Default: 1
-d | --maxDuration {maxDuration}
Maximum duration in seconds, 0 for unlimited.
Default: 0
-e | --percentile {percentile}
Calculate max response time for a percentile of operations.
-f | --keepConnectionsOpen
Keep connections open.
Default: false
-g | --argument {generator function or static string}
Argument used to evaluate the template strings in program parameters (ie. Base DN, Search Filter). The set of all arguments provided form the argument list in order. Besides static string arguments, they can be generated per iteration with the following functions:
"inc({filename})" Consecutive, incremental line from file
"inc({min},{max})" Consecutive, incremental number
"rand({filename})" Random line from file
"rand({min},{max})" Random number
"randstr({length},_charSet_)" Random string of specified length and optionally from characters in the charSet string. A range of character can be specified with [start-end] charSet notation. If no charSet is specified, the default charSet of [A-Z][a-z][0-9] will be used.
-i | --statInterval {statInterval}
Display results each specified number of seconds.
Default: 5
-I | --invalidPassword {invalidPassword}
Calculate max response time for a percentile of operations.
Default: 0
-m | --maxIterations {maxIterations}
Max iterations, 0 for unlimited.
Default: 0
-M | --targetThroughput {targetThroughput}
Target average throughput to achieve.
Default: 0
-s | --searchScope {searchScope}
Search scope ('base', 'one', 'sub', or 'subordinates'). Note: 'subordinates' is an LDAP extension that might not work with all LDAP servers.
Default: sub
-S | --scriptFriendly
Use script-friendly mode.
Default: false
LDAP connection options:
--connectTimeout {timeout}
Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default: 30000
-D | --bindDn {bindDN}
DN to use to bind to the server.
Default:
-E | --reportAuthzId
Use the authorization identity control.
Default: false
-h | --hostname {host}
Fully-qualified server host name or IP address.
Default: localhost.localdomain
-N | --certNickname {nickname}
Nickname of the certificate that should be sent to the server for SSL client authentication.
-o | --saslOption {name=value}
SASL bind options.
-p | --port {port}
Directory server port number.
-q | --useStartTls
Use StartTLS to secure communication with the server.
Default: false
-T | --trustStorePassword {trustStorePassword}
Truststore cleartext password.
--useJavaKeyStore {keyStorePath}
JKS keystore containing the certificate which should be used for SSL client authentication.
--useJavaTrustStore {trustStorePath}
Use a JKS truststore file for validating server certificate.
--useJceKeyStore {keyStorePath}
JCEKS keystore containing the certificate which should be used for SSL client authentication.
--useJceTrustStore {trustStorePath}
Use a JCEKS truststore file for validating server certificate.
--useJvmTrustStore
Use the a JVM truststore for validating server certificate.
Default: false
--usePasswordPolicyControl
Use the password policy request control.
Default: false
--usePkcs11KeyStore
PKCS#11 keystore containing the certificate which should be used for SSL client authentication.
Default: false
--usePkcs12KeyStore {keyStorePath}
PKCS#12 keystore containing the certificate which should be used for SSL client authentication.
--usePkcs12TrustStore {trustStorePath}
Use a PKCS#12 truststore file for validating server certificate.
-w | --bindPassword {bindPassword}
Password to use to bind to the server. Omit this option while providing the bind DN to ensure that the command prompts for the password, rather than entering the password as a command argument.
-W | --keyStorePassword {keyStorePassword}
Keystore cleartext password.
-X | --trustAll
Trust all server SSL certificates.
Default: false
-Z | --useSsl
Use SSL for secure communication with the server.
Default: false
Utility input/output options:
-n | --no-prompt
Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
Default: false
--noPropertiesFile
No properties file will be used to get default command line argument values.
Default: false
--propertiesFilePath {propertiesFilePath}
Path to the file containing default property values used for command line arguments.
-v | --verbose
Use verbose mode.
Default: false
General options:
-V | --version
Display Directory Server version information.
Default: false
-H | --help
Display this usage information.
Default: false
Exit Codes
- 0
The command completed successfully.
- 89
An error occurred while parsing the command-line arguments.
Examples
The following example demonstrates measuring simple bind performance:
$authrate \ --hostname localhost \ --port 1389 \ --argument "rand(0,2000)" --bindDn "uid=user.{},ou=people,dc=example,dc=com" \ --bindPassword password \ --numConnections 10 \ --keepConnectionsOpen
------------------------------------------------------------------------------- | Throughput | Response Time | | | (ops/second) | (milliseconds) | | | recent average | recent average 99.9% 99.99% 99.999% | err/sec | ------------------------------------------------------------------------------- | 26046.6 26046.6 | 0.377 0.377 10.62 20.71 36.44 | 0.0 | | 45757.6 35902.1 | 0.214 0.273 7.21 15.93 26.08 | 0.0 | | 47457.8 39754.0 | 0.206 0.247 5.70 13.57 25.30 | 0.0 | | 47715.2 41744.3 | 0.205 0.235 4.98 12.32 24.77 | 0.0 | | 48203.0 43036.0 | 0.203 0.228 4.59 11.80 20.84 | 0.0 | | 49363.0 44090.5 | 0.198 0.222 4.33 11.27 20.71 | 0.0 |
^C
This example uses the following options:
--hostname localhost
,--port 1389
Access the server running on the local system on port 1389.
--argument "rand(0,2000)" --bindDn "uid=user.{},ou=people,dc=example,dc=com"
Authenticate as a user with bind DN
uid=user.number,ou=people,dc=example,dc=com
, where number is a random number between 0 and 2000, inclusive.--bindPassword password
Authenticate with the bind password that is literally
password
.--numConnections 10
Open 10 connections to the server.
--keepConnectionsOpen
Keep the connections open to reuse them during the operation.
Notice the following characteristics of the output:
The first two columns show the throughput in operations completed per second.
The recent column shows the average rate for operations reflected in this row of output.
The average column shows the average rate since the beginning of the run.
The response time columns indicate characteristics of response latency in milliseconds.
The recent column shows the average latency for operations reflected in this row of output.
The average column shows the average latency since the beginning of the run.
The "99.9%" column shows the latency after which 99.9% of operations have completed. Only 1 operation in 1000 took longer than this.
The "99.99%" column shows the latency after which 99.99% of operations have completed. Only 1 operation in 10,000 took longer than this.
The "99.999%" column shows the latency after which 99.999% of operations have completed. Only 1 operation in 100,000 took longer than this.
The "err/sec" column show the rate of error results per second for this row of output.
Unless you have intentionally set up the command to generate errors, this column should indicate
0.0
. Check that this column matches your expectations before looking at any other columns.