From d6260b31ed6880f6ab7b0aa71214bbb7a9d7b7e7 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 11:30:48 +0300
Subject: [PATCH 01/15] Add Performance workflow benchmarking OpenDJ vs
 OpenLDAP

Adds .github/workflows/performance.yml plus supporting assets under
.github/performance/ to run an automated LDAP benchmark comparing the
latest OpenDJ and OpenLDAP Docker images.

- Triggers: manual (workflow_dispatch) and after the Release workflow
  (workflow_run). Image tags and load profile (threads/duration/rampup/
  jmeter_version) are configurable inputs, defaulting to latest images and
  the original 256-thread/600s profile.
- Benchmarks OpenLDAP (osixia/openldap) first, then OpenDJ
  (openidentityplatform/opendj), sequentially so only one server is under
  load at a time.
- JMeter plan (benchmark.jmx): the admin bind is cached once per thread
  (Once Only Controller, labelled ADMIN_CONNECT and excluded from metrics);
  ADD/SEARCH/COMPARE/MODIFY/DELETE/ADD WITHOUT DELETE run on that admin
  connection; the measured BIND is a single bind/unbind (test=sbind, own
  connection) as the per-thread user with the password MODIFY sets, so real
  password-hash verification is exercised.
- Captures versions via shipped tools (OpenLDAP slapd -VV, OpenDJ rootDSE
  fullVendorVersion) and writes versions, a per-operation comparison table
  and two comparative Mermaid xychart-beta charts to GITHUB_STEP_SUMMARY;
  full JMeter HTML dashboards are uploaded as the jmeter-reports artifact.
---
 .github/performance/benchmark.jmx | 332 ++++++++++++++++++++++++++++++
 .github/performance/people.ldif   |  17 ++
 .github/performance/summary.sh    | 144 +++++++++++++
 .github/workflows/performance.yml | 208 +++++++++++++++++++
 4 files changed, 701 insertions(+)
 create mode 100644 .github/performance/benchmark.jmx
 create mode 100644 .github/performance/people.ldif
 create mode 100644 .github/performance/summary.sh
 create mode 100644 .github/workflows/performance.yml

diff --git a/.github/performance/benchmark.jmx b/.github/performance/benchmark.jmx
new file mode 100644
index 0000000000..a20b94a64b
--- /dev/null
+++ b/.github/performance/benchmark.jmx
@@ -0,0 +1,332 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  The contents of this file are subject to the terms of the Common Development and
+  Distribution License (the License). You may not use this file except in compliance with the
+  License.
+
+  You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+  specific language governing permission and limitations under the License.
+
+  When distributing Covered Software, include this CDDL Header Notice in each file and include
+  the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+  Header, with the fields enclosed by brackets [] replaced by your own identifying
+  information: "Portions copyright [year] [name of copyright owner]".
+
+  Copyright 2026 3A Systems, LLC.
+-->
+<jmeterTestPlan version="1.2" properties="5.0" jmeter="5.6.3">
+  <hashTree>
+    <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="OpenDJ vs OpenLDAP - LDAP benchmark" enabled="true">
+      <stringProp name="TestPlan.comments">Parametrized LDAP benchmark. Admin bind is cached once per thread (Once Only Controller, labelled ADMIN_CONNECT, excluded from metrics). Data ops (ADD/SEARCH/COMPARE/MODIFY/DELETE/ADD WITHOUT DELETE) reuse the cached admin connection. The measured user authentication is a single bind/unbind (test=sbind, own connection) after MODIFY has set the userPassword.</stringProp>
+      <boolProp name="TestPlan.functional_mode">false</boolProp>
+      <boolProp name="TestPlan.tearDown_on_shutdown">true</boolProp>
+      <boolProp name="TestPlan.serialize_threadgroups">false</boolProp>
+      <elementProp name="TestPlan.user_defined_variables" elementType="Arguments" guiclass="ArgumentsPanel" testclass="Arguments" testname="User Defined Variables" enabled="true">
+        <collectionProp name="Arguments.arguments"/>
+      </elementProp>
+      <stringProp name="TestPlan.user_define_classpath"></stringProp>
+    </TestPlan>
+    <hashTree>
+      <ThreadGroup guiclass="ThreadGroupGui" testclass="ThreadGroup" testname="LDAP Thread Group" enabled="true">
+        <stringProp name="ThreadGroup.on_sample_error">continue</stringProp>
+        <elementProp name="ThreadGroup.main_controller" elementType="LoopController" guiclass="LoopControlPanel" testclass="LoopController" testname="Loop Controller" enabled="true">
+          <boolProp name="LoopController.continue_forever">false</boolProp>
+          <stringProp name="LoopController.loops">-1</stringProp>
+        </elementProp>
+        <stringProp name="ThreadGroup.num_threads">${__P(threads,256)}</stringProp>
+        <stringProp name="ThreadGroup.ramp_time">${__P(rampup,0)}</stringProp>
+        <boolProp name="ThreadGroup.scheduler">true</boolProp>
+        <stringProp name="ThreadGroup.duration">${__P(duration,600)}</stringProp>
+        <stringProp name="ThreadGroup.delay"></stringProp>
+      </ThreadGroup>
+      <hashTree>
+        <!-- Admin connection: bound once per thread, cached in ldapContexts[thread], reused by all
+             data operations. Labelled ADMIN_CONNECT and excluded from metrics. -->
+        <OnceOnlyController guiclass="OnceOnlyControllerGui" testclass="OnceOnlyController" testname="Once Only - admin connect" enabled="true"/>
+        <hashTree>
+          <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="ADMIN_CONNECT" enabled="true">
+            <stringProp name="servername">${__P(host,localhost)}</stringProp>
+            <stringProp name="port">${__P(port,1389)}</stringProp>
+            <stringProp name="rootdn">ou=People,${__P(basedn,dc=example,dc=com)}</stringProp>
+            <stringProp name="scope">2</stringProp>
+            <stringProp name="countlimit"></stringProp>
+            <stringProp name="timelimit"></stringProp>
+            <stringProp name="attributes"></stringProp>
+            <stringProp name="return_object">false</stringProp>
+            <stringProp name="deref_aliases">false</stringProp>
+            <stringProp name="connection_timeout">60000</stringProp>
+            <stringProp name="parseflag">false</stringProp>
+            <stringProp name="secure">false</stringProp>
+            <stringProp name="user_dn">${__P(adminbinddn,cn=Directory Manager)}</stringProp>
+            <stringProp name="user_pw">${__P(adminbindpw,password)}</stringProp>
+            <stringProp name="comparedn"></stringProp>
+            <stringProp name="comparefilt"></stringProp>
+            <stringProp name="modddn"></stringProp>
+            <stringProp name="newdn"></stringProp>
+            <stringProp name="test">bind</stringProp>
+          </LDAPExtSampler>
+          <hashTree/>
+        </hashTree>
+
+        <!-- ADD (admin connection): create the per-thread user entry. -->
+        <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="ADD" enabled="true">
+          <stringProp name="servername"></stringProp>
+          <stringProp name="port"></stringProp>
+          <stringProp name="rootdn"></stringProp>
+          <stringProp name="scope">2</stringProp>
+          <stringProp name="countlimit"></stringProp>
+          <stringProp name="timelimit"></stringProp>
+          <stringProp name="attributes"></stringProp>
+          <stringProp name="return_object">false</stringProp>
+          <stringProp name="deref_aliases">false</stringProp>
+          <stringProp name="connection_timeout"></stringProp>
+          <stringProp name="parseflag">false</stringProp>
+          <stringProp name="secure">false</stringProp>
+          <stringProp name="user_dn"></stringProp>
+          <stringProp name="user_pw"></stringProp>
+          <stringProp name="comparedn"></stringProp>
+          <stringProp name="comparefilt"></stringProp>
+          <stringProp name="modddn"></stringProp>
+          <stringProp name="newdn"></stringProp>
+          <stringProp name="test">add</stringProp>
+          <stringProp name="base_entry_dn">cn=user_${__threadNum}</stringProp>
+          <elementProp name="arguments" elementType="Arguments" guiclass="ArgumentsPanel" testclass="Arguments" testname="User Defined Variables" enabled="true">
+            <collectionProp name="Arguments.arguments">
+              <elementProp name="sn" elementType="Argument">
+                <stringProp name="Argument.name">sn</stringProp>
+                <stringProp name="Argument.value">user_${__threadNum}</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="mail" elementType="Argument">
+                <stringProp name="Argument.name">mail</stringProp>
+                <stringProp name="Argument.value">user_${__threadNum}@test.com</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="objectClass" elementType="Argument">
+                <stringProp name="Argument.name">objectClass</stringProp>
+                <stringProp name="Argument.value">top</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="objectClass" elementType="Argument">
+                <stringProp name="Argument.name">objectClass</stringProp>
+                <stringProp name="Argument.value">inetOrgPerson</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="objectClass" elementType="Argument">
+                <stringProp name="Argument.name">objectClass</stringProp>
+                <stringProp name="Argument.value">organizationalPerson</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="objectClass" elementType="Argument">
+                <stringProp name="Argument.name">objectClass</stringProp>
+                <stringProp name="Argument.value">person</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+            </collectionProp>
+          </elementProp>
+        </LDAPExtSampler>
+        <hashTree/>
+
+        <!-- SEARCH (admin connection). -->
+        <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="SEARCH" enabled="true">
+          <stringProp name="servername"></stringProp>
+          <stringProp name="port"></stringProp>
+          <stringProp name="rootdn"></stringProp>
+          <stringProp name="scope">2</stringProp>
+          <stringProp name="countlimit">0</stringProp>
+          <stringProp name="timelimit">0</stringProp>
+          <stringProp name="attributes">cn:dn:objectClass</stringProp>
+          <stringProp name="return_object">false</stringProp>
+          <stringProp name="deref_aliases">false</stringProp>
+          <stringProp name="connection_timeout"></stringProp>
+          <stringProp name="parseflag">false</stringProp>
+          <stringProp name="secure">false</stringProp>
+          <stringProp name="user_dn"></stringProp>
+          <stringProp name="user_pw"></stringProp>
+          <stringProp name="comparedn"></stringProp>
+          <stringProp name="comparefilt"></stringProp>
+          <stringProp name="modddn"></stringProp>
+          <stringProp name="newdn"></stringProp>
+          <stringProp name="test">search</stringProp>
+          <stringProp name="search"></stringProp>
+          <stringProp name="searchfilter">(sn=user_${__threadNum})</stringProp>
+        </LDAPExtSampler>
+        <hashTree/>
+
+        <!-- COMPARE (admin connection). -->
+        <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="COMPARE" enabled="true">
+          <stringProp name="servername"></stringProp>
+          <stringProp name="port"></stringProp>
+          <stringProp name="rootdn"></stringProp>
+          <stringProp name="scope">2</stringProp>
+          <stringProp name="countlimit"></stringProp>
+          <stringProp name="timelimit"></stringProp>
+          <stringProp name="attributes"></stringProp>
+          <stringProp name="return_object">false</stringProp>
+          <stringProp name="deref_aliases">false</stringProp>
+          <stringProp name="connection_timeout"></stringProp>
+          <stringProp name="parseflag">false</stringProp>
+          <stringProp name="secure">false</stringProp>
+          <stringProp name="user_dn"></stringProp>
+          <stringProp name="user_pw"></stringProp>
+          <stringProp name="comparedn">cn=user_${__threadNum}</stringProp>
+          <stringProp name="comparefilt">mail=user_${__threadNum}@test.com</stringProp>
+          <stringProp name="modddn"></stringProp>
+          <stringProp name="newdn"></stringProp>
+          <stringProp name="test">compare</stringProp>
+        </LDAPExtSampler>
+        <hashTree/>
+
+        <!-- MODIFY (admin connection): rename sn and set userPassword so the user can authenticate. -->
+        <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="MODIFY" enabled="true">
+          <stringProp name="servername"></stringProp>
+          <stringProp name="port"></stringProp>
+          <stringProp name="rootdn"></stringProp>
+          <stringProp name="scope">2</stringProp>
+          <stringProp name="countlimit"></stringProp>
+          <stringProp name="timelimit"></stringProp>
+          <stringProp name="attributes"></stringProp>
+          <stringProp name="return_object">false</stringProp>
+          <stringProp name="deref_aliases">false</stringProp>
+          <stringProp name="connection_timeout"></stringProp>
+          <stringProp name="parseflag">false</stringProp>
+          <stringProp name="secure">false</stringProp>
+          <stringProp name="user_dn"></stringProp>
+          <stringProp name="user_pw"></stringProp>
+          <stringProp name="comparedn"></stringProp>
+          <stringProp name="comparefilt"></stringProp>
+          <stringProp name="modddn"></stringProp>
+          <stringProp name="newdn"></stringProp>
+          <stringProp name="test">modify</stringProp>
+          <stringProp name="base_entry_dn">cn=user_${__threadNum}</stringProp>
+          <elementProp name="ldaparguments" elementType="LDAPArguments" guiclass="LDAPArgumentsPanel" testclass="LDAPArguments" testname="LDAP Extended Request Defaults" enabled="true">
+            <collectionProp name="Arguments.arguments">
+              <elementProp name="sn" elementType="LDAPArgument">
+                <stringProp name="Argument.name">sn</stringProp>
+                <stringProp name="Argument.value">rename_${__threadNum}</stringProp>
+                <stringProp name="Argument.opcode">replace</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="userPassword" elementType="LDAPArgument">
+                <stringProp name="Argument.name">userPassword</stringProp>
+                <stringProp name="Argument.value">${__P(benchpw,benchPass1)}</stringProp>
+                <stringProp name="Argument.opcode">replace</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+            </collectionProp>
+          </elementProp>
+        </LDAPExtSampler>
+        <hashTree/>
+
+        <!-- BIND (measured user authentication): single bind/unbind on its own connection,
+             does NOT disturb the cached admin connection. -->
+        <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="BIND" enabled="true">
+          <stringProp name="servername">${__P(host,localhost)}</stringProp>
+          <stringProp name="port">${__P(port,1389)}</stringProp>
+          <stringProp name="rootdn">ou=People,${__P(basedn,dc=example,dc=com)}</stringProp>
+          <stringProp name="scope">2</stringProp>
+          <stringProp name="countlimit"></stringProp>
+          <stringProp name="timelimit"></stringProp>
+          <stringProp name="attributes"></stringProp>
+          <stringProp name="return_object">false</stringProp>
+          <stringProp name="deref_aliases">false</stringProp>
+          <stringProp name="connection_timeout">60000</stringProp>
+          <stringProp name="parseflag">false</stringProp>
+          <stringProp name="secure">false</stringProp>
+          <stringProp name="user_dn">cn=user_${__threadNum},ou=People,${__P(basedn,dc=example,dc=com)}</stringProp>
+          <stringProp name="user_pw">${__P(benchpw,benchPass1)}</stringProp>
+          <stringProp name="comparedn"></stringProp>
+          <stringProp name="comparefilt"></stringProp>
+          <stringProp name="modddn"></stringProp>
+          <stringProp name="newdn"></stringProp>
+          <stringProp name="test">sbind</stringProp>
+        </LDAPExtSampler>
+        <hashTree/>
+
+        <!-- DELETE (admin connection): remove the per-thread user entry. -->
+        <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="DELETE" enabled="true">
+          <stringProp name="servername"></stringProp>
+          <stringProp name="port"></stringProp>
+          <stringProp name="rootdn"></stringProp>
+          <stringProp name="scope">2</stringProp>
+          <stringProp name="countlimit"></stringProp>
+          <stringProp name="timelimit"></stringProp>
+          <stringProp name="attributes"></stringProp>
+          <stringProp name="return_object">false</stringProp>
+          <stringProp name="deref_aliases">false</stringProp>
+          <stringProp name="connection_timeout"></stringProp>
+          <stringProp name="parseflag">false</stringProp>
+          <stringProp name="secure">false</stringProp>
+          <stringProp name="user_dn"></stringProp>
+          <stringProp name="user_pw"></stringProp>
+          <stringProp name="comparedn"></stringProp>
+          <stringProp name="comparefilt"></stringProp>
+          <stringProp name="modddn"></stringProp>
+          <stringProp name="newdn"></stringProp>
+          <stringProp name="test">delete</stringProp>
+          <stringProp name="delete">cn=user_${__threadNum}</stringProp>
+        </LDAPExtSampler>
+        <hashTree/>
+
+        <!-- ADD WITHOUT DELETE (admin connection): accumulation; unique RDN via __UUID. -->
+        <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="ADD WITHOUT DELETE" enabled="true">
+          <stringProp name="servername"></stringProp>
+          <stringProp name="port"></stringProp>
+          <stringProp name="rootdn"></stringProp>
+          <stringProp name="scope">2</stringProp>
+          <stringProp name="countlimit"></stringProp>
+          <stringProp name="timelimit"></stringProp>
+          <stringProp name="attributes"></stringProp>
+          <stringProp name="return_object">false</stringProp>
+          <stringProp name="deref_aliases">false</stringProp>
+          <stringProp name="connection_timeout"></stringProp>
+          <stringProp name="parseflag">false</stringProp>
+          <stringProp name="secure">false</stringProp>
+          <stringProp name="user_dn"></stringProp>
+          <stringProp name="user_pw"></stringProp>
+          <stringProp name="comparedn"></stringProp>
+          <stringProp name="comparefilt"></stringProp>
+          <stringProp name="modddn"></stringProp>
+          <stringProp name="newdn"></stringProp>
+          <stringProp name="test">add</stringProp>
+          <stringProp name="base_entry_dn">cn=user_${__threadNum}_${__UUID}</stringProp>
+          <elementProp name="arguments" elementType="Arguments" guiclass="ArgumentsPanel" testclass="Arguments" testname="User Defined Variables" enabled="true">
+            <collectionProp name="Arguments.arguments">
+              <elementProp name="sn" elementType="Argument">
+                <stringProp name="Argument.name">sn</stringProp>
+                <stringProp name="Argument.value">user_${__threadNum}</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="mail" elementType="Argument">
+                <stringProp name="Argument.name">mail</stringProp>
+                <stringProp name="Argument.value">user_${__threadNum}@test.com</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="objectClass" elementType="Argument">
+                <stringProp name="Argument.name">objectClass</stringProp>
+                <stringProp name="Argument.value">top</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="objectClass" elementType="Argument">
+                <stringProp name="Argument.name">objectClass</stringProp>
+                <stringProp name="Argument.value">inetOrgPerson</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="objectClass" elementType="Argument">
+                <stringProp name="Argument.name">objectClass</stringProp>
+                <stringProp name="Argument.value">organizationalPerson</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+              <elementProp name="objectClass" elementType="Argument">
+                <stringProp name="Argument.name">objectClass</stringProp>
+                <stringProp name="Argument.value">person</stringProp>
+                <stringProp name="Argument.metadata">=</stringProp>
+              </elementProp>
+            </collectionProp>
+          </elementProp>
+        </LDAPExtSampler>
+        <hashTree/>
+      </hashTree>
+    </hashTree>
+  </hashTree>
+</jmeterTestPlan>
diff --git a/.github/performance/people.ldif b/.github/performance/people.ldif
new file mode 100644
index 0000000000..d6a350093e
--- /dev/null
+++ b/.github/performance/people.ldif
@@ -0,0 +1,17 @@
+# The contents of this file are subject to the terms of the Common Development and
+# Distribution License (the License). You may not use this file except in compliance with the
+# License.
+#
+# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+# specific language governing permission and limitations under the License.
+#
+# When distributing Covered Software, include this CDDL Header Notice in each file and include
+# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+# Header, with the fields enclosed by brackets [] replaced by your own identifying
+# information: "Portions copyright [year] [name of copyright owner]".
+#
+# Copyright 2026 3A Systems, LLC.
+dn: ou=People,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: People
diff --git a/.github/performance/summary.sh b/.github/performance/summary.sh
new file mode 100644
index 0000000000..ecac86c8de
--- /dev/null
+++ b/.github/performance/summary.sh
@@ -0,0 +1,144 @@
+#!/usr/bin/env bash
+# The contents of this file are subject to the terms of the Common Development and
+# Distribution License (the License). You may not use this file except in compliance with the
+# License.
+#
+# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+# specific language governing permission and limitations under the License.
+#
+# When distributing Covered Software, include this CDDL Header Notice in each file and include
+# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+# Header, with the fields enclosed by brackets [] replaced by your own identifying
+# information: "Portions copyright [year] [name of copyright owner]".
+#
+# Copyright 2026 3A Systems, LLC.
+#
+# Render an OpenDJ-vs-OpenLDAP LDAP benchmark report (versions + comparison table +
+# comparative Mermaid charts) to stdout — intended to be appended to $GITHUB_STEP_SUMMARY.
+#
+# Usage:
+#   summary.sh <openldap_statistics.json> <opendj_statistics.json> \
+#              <openldap_version> <opendj_version> [openldap_image] [opendj_image]
+#
+# The admin connection bind is labelled ADMIN_CONNECT in the plan and is intentionally
+# skipped here, so it never pollutes the per-operation comparison.
+set -euo pipefail
+
+OL_JSON="${1:?openldap statistics.json required}"
+DJ_JSON="${2:?opendj statistics.json required}"
+OL_VER="${3:-unknown}"
+DJ_VER="${4:-unknown}"
+OL_IMG="${5:-}"
+DJ_IMG="${6:-}"
+
+# Operations to compare, in workflow order. ADMIN_CONNECT and Total are excluded.
+OPS=("ADD" "SEARCH" "COMPARE" "MODIFY" "BIND" "DELETE" "ADD WITHOUT DELETE")
+
+# m <file> <label> <field>  -> numeric value (0 if absent), rounded to 1 decimal.
+m() { jq -r --arg l "$2" --arg f "$3" '((.[$l][$f]) // 0) | (.*10 | round / 10)' "$1"; }
+# mi <file> <label> <field> -> integer value (0 if absent).
+mi() { jq -r --arg l "$2" --arg f "$3" '((.[$l][$f]) // 0) | round' "$1"; }
+
+echo "## 🔬 LDAP Benchmark — OpenDJ vs OpenLDAP"
+echo ""
+
+# ---------------------------------------------------------------- Versions
+echo "### Versions"
+echo ""
+echo "| Server | Version | Image |"
+echo "|---|---|---|"
+echo "| **OpenLDAP** | \`${OL_VER}\` | \`${OL_IMG:-n/a}\` |"
+echo "| **OpenDJ** | \`${DJ_VER}\` | \`${DJ_IMG:-n/a}\` |"
+echo ""
+
+# ---------------------------------------------------------------- Totals
+ol_tot_tp=$(m  "$OL_JSON" Total throughput)
+dj_tot_tp=$(m  "$DJ_JSON" Total throughput)
+ol_tot_n=$(mi  "$OL_JSON" Total sampleCount)
+dj_tot_n=$(mi  "$DJ_JSON" Total sampleCount)
+ol_tot_e=$(mi  "$OL_JSON" Total errorCount)
+dj_tot_e=$(mi  "$DJ_JSON" Total errorCount)
+ol_tot_mean=$(m "$OL_JSON" Total meanResTime)
+dj_tot_mean=$(m "$DJ_JSON" Total meanResTime)
+
+echo "### Totals (all operations, ADMIN_CONNECT excluded by the plan label)"
+echo ""
+echo "| Server | Throughput (ops/s) | Mean (ms) | Samples | Errors |"
+echo "|---|--:|--:|--:|--:|"
+echo "| **OpenLDAP** | ${ol_tot_tp} | ${ol_tot_mean} | ${ol_tot_n} | ${ol_tot_e} |"
+echo "| **OpenDJ** | ${dj_tot_tp} | ${dj_tot_mean} | ${dj_tot_n} | ${dj_tot_e} |"
+echo ""
+
+# ---------------------------------------------------------------- Per-op table
+echo "### Per-operation comparison"
+echo ""
+echo "| Operation | ops/s OpenLDAP | ops/s OpenDJ | mean ms OpenLDAP | mean ms OpenDJ | p99 ms OpenLDAP | p99 ms OpenDJ | err OL | err DJ |"
+echo "|---|--:|--:|--:|--:|--:|--:|--:|--:|"
+for op in "${OPS[@]}"; do
+  printf '| %s | %s | %s | %s | %s | %s | %s | %s | %s |\n' \
+    "$op" \
+    "$(m  "$OL_JSON" "$op" throughput)"   "$(m  "$DJ_JSON" "$op" throughput)" \
+    "$(m  "$OL_JSON" "$op" meanResTime)"  "$(m  "$DJ_JSON" "$op" meanResTime)" \
+    "$(mi "$OL_JSON" "$op" pct3ResTime)"  "$(mi "$DJ_JSON" "$op" pct3ResTime)" \
+    "$(mi "$OL_JSON" "$op" errorCount)"   "$(mi "$DJ_JSON" "$op" errorCount)"
+done
+echo ""
+
+# ---------------------------------------------------------------- Chart helpers
+# Build a Mermaid list "x, y, z" of values for all OPS from <file> <field>, via <m|mi>.
+series() { # <fn> <file> <field>
+  local fn="$1" file="$2" field="$3" out="" v
+  for op in "${OPS[@]}"; do
+    v=$("$fn" "$file" "$op" "$field")
+    out+="${out:+, }${v}"
+  done
+  printf '%s' "$out"
+}
+# x-axis with every label quoted (labels contain spaces).
+xaxis() {
+  local out="" op
+  for op in "${OPS[@]}"; do out+="${out:+, }\"${op}\""; done
+  printf '%s' "$out"
+}
+
+XAXIS="$(xaxis)"
+
+# ---------------------------------------------------------------- Throughput chart
+echo "### Comparative chart — throughput per operation (ops/s, higher is better)"
+echo ""
+echo "_First bar series = OpenLDAP, second bar series = OpenDJ._"
+echo ""
+echo '```mermaid'
+echo "xychart-beta"
+echo "    title \"Throughput per operation (ops/s) — OpenLDAP vs OpenDJ\""
+echo "    x-axis [${XAXIS}]"
+echo "    y-axis \"ops/s\""
+echo "    bar [$(series m "$OL_JSON" throughput)]"
+echo "    bar [$(series m "$DJ_JSON" throughput)]"
+echo '```'
+echo ""
+
+# ---------------------------------------------------------------- Latency chart
+echo "### Comparative chart — mean latency per operation (ms, lower is better)"
+echo ""
+echo "_First bar series = OpenLDAP, second bar series = OpenDJ._"
+echo ""
+echo '```mermaid'
+echo "xychart-beta"
+echo "    title \"Mean latency per operation (ms) — OpenLDAP vs OpenDJ\""
+echo "    x-axis [${XAXIS}]"
+echo "    y-axis \"ms\""
+echo "    bar [$(series m "$OL_JSON" meanResTime)]"
+echo "    bar [$(series m "$DJ_JSON" meanResTime)]"
+echo '```'
+echo ""
+
+# ---------------------------------------------------------------- Caveats
+echo "### Notes"
+echo ""
+echo "- \`BIND\` is the measured **user authentication** (\`test=sbind\`, single bind/unbind on its"
+echo "  own connection) as \`cn=user_<n>,ou=People\` with the password set by \`MODIFY\`. The admin"
+echo "  connection bind (\`ADMIN_CONNECT\`) is cached once per thread and excluded from these results."
+echo "- Default password storage scheme differs by server (OpenDJ PBKDF2/Salted-SHA vs OpenLDAP"
+echo "  SSHA); this is a legitimate part of authentication cost."
+echo "- Full interactive JMeter HTML dashboards are attached as the \`jmeter-reports\` artifact."
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
new file mode 100644
index 0000000000..77e1d09bb7
--- /dev/null
+++ b/.github/workflows/performance.yml
@@ -0,0 +1,208 @@
+# The contents of this file are subject to the terms of the Common Development and
+# Distribution License (the License). You may not use this file except in compliance with the
+# License.
+#
+# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+# specific language governing permission and limitations under the License.
+#
+# When distributing Covered Software, include this CDDL Header Notice in each file and include
+# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+# Header, with the fields enclosed by brackets [] replaced by your own identifying
+# information: "Portions copyright [year] [name of copyright owner]".
+#
+# Copyright 2026 3A Systems, LLC.
+name: Performance
+
+# LDAP benchmark: OpenDJ vs OpenLDAP.
+# Runs manually (workflow_dispatch) and automatically after the "Release" workflow completes.
+# Starts the latest OpenLDAP and OpenDJ from Docker (image tags overridable via inputs),
+# benchmarks OpenLDAP first then OpenDJ with Apache JMeter, and writes versions + comparison
+# table + comparative charts to the job summary. Full JMeter HTML dashboards are uploaded as
+# the "jmeter-reports" artifact.
+
+on:
+  workflow_dispatch:
+    inputs:
+      openldap_image:
+        description: "OpenLDAP Docker image"
+        default: "osixia/openldap:latest"
+      opendj_image:
+        description: "OpenDJ Docker image"
+        default: "openidentityplatform/opendj:latest"
+      threads:
+        description: "Concurrent JMeter threads"
+        default: "256"
+      duration:
+        description: "Test duration per server (seconds)"
+        default: "600"
+      rampup:
+        description: "Ramp-up period (seconds)"
+        default: "0"
+      jmeter_version:
+        description: "Apache JMeter version"
+        default: "5.6.3"
+  workflow_run:
+    workflows: ["Release"]
+    types: [completed]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: performance-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  benchmark:
+    # Manual runs always proceed; chained runs only after a successful Release.
+    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    env:
+      # `${{ inputs.X || 'default' }}` so workflow_run (which carries no inputs) falls back.
+      OPENLDAP_IMAGE: ${{ inputs.openldap_image || 'osixia/openldap:latest' }}
+      OPENDJ_IMAGE: ${{ inputs.opendj_image || 'openidentityplatform/opendj:latest' }}
+      THREADS: ${{ inputs.threads || '256' }}
+      DURATION: ${{ inputs.duration || '600' }}
+      RAMPUP: ${{ inputs.rampup || '0' }}
+      JMETER: ${{ inputs.jmeter_version || '5.6.3' }}
+      BENCHPW: benchPass1
+      BASEDN: dc=example,dc=com
+      # Exclude the cached admin connection bind from the dashboard / statistics.json.
+      SAMPLE_FILTER: '^(?!ADMIN_CONNECT).*'
+      HEAP: -Xms1g -Xmx2g
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Cache JMeter
+        uses: actions/cache@v4
+        with:
+          path: ~/jmeter
+          key: jmeter-${{ env.JMETER }}
+
+      - name: Install tooling (ldap-utils + JMeter)
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ldap-utils
+          if [ ! -x "$HOME/jmeter/apache-jmeter-$JMETER/bin/jmeter" ]; then
+            mkdir -p "$HOME/jmeter"
+            curl -fsSL "https://archive.apache.org/dist/jmeter/binaries/apache-jmeter-$JMETER.tgz" -o /tmp/jmeter.tgz
+            tar -xzf /tmp/jmeter.tgz -C "$HOME/jmeter"
+          fi
+          echo "JMETER_BIN=$HOME/jmeter/apache-jmeter-$JMETER/bin/jmeter" >> "$GITHUB_ENV"
+
+      - name: Start OpenLDAP
+        run: |
+          docker run -d --name openldap -p 2389:389 \
+            -e LDAP_ORGANISATION="Example" \
+            -e LDAP_DOMAIN="example.com" \
+            -e LDAP_ADMIN_PASSWORD="password" \
+            -e LDAP_TLS=false \
+            "$OPENLDAP_IMAGE"
+
+      - name: Wait for OpenLDAP + seed ou=People
+        run: |
+          for i in $(seq 1 90); do
+            if ldapsearch -x -H ldap://localhost:2389 -D "cn=admin,$BASEDN" -w password \
+                 -b "$BASEDN" -s base dn >/dev/null 2>&1; then
+              echo "OpenLDAP is up"; break
+            fi
+            sleep 2
+          done
+          ldapadd -x -H ldap://localhost:2389 -D "cn=admin,$BASEDN" -w password \
+            -f .github/performance/people.ldif || true
+
+      - name: Capture OpenLDAP version
+        run: |
+          ver="$(docker exec openldap sh -c '/usr/sbin/slapd -VV 2>&1 || slapd -VV 2>&1' | head -1)"
+          echo "OpenLDAP: $ver"
+          {
+            echo "OPENLDAP_VER<<EOF"
+            echo "$ver"
+            echo "EOF"
+          } >> "$GITHUB_ENV"
+
+      - name: Benchmark OpenLDAP
+        run: |
+          rm -rf openldap openldap.jtl
+          HEAP="$HEAP" "$JMETER_BIN" -n -t .github/performance/benchmark.jmx \
+            -Jhost=localhost -Jport=2389 \
+            -Jbasedn="$BASEDN" \
+            -Jadminbinddn="cn=admin,$BASEDN" -Jadminbindpw=password \
+            -Jbenchpw="$BENCHPW" \
+            -Jthreads="$THREADS" -Jduration="$DURATION" -Jrampup="$RAMPUP" \
+            -Jjmeter.reportgenerator.sample_filter="$SAMPLE_FILTER" \
+            -l openldap.jtl -e -o openldap
+
+      - name: Start OpenDJ
+        run: |
+          docker run -d --name opendj -p 1389:1389 \
+            -e ROOT_PASSWORD=password \
+            -e BASE_DN="$BASEDN" \
+            -e ADD_BASE_ENTRY=--addBaseEntry \
+            "$OPENDJ_IMAGE"
+
+      - name: Wait for OpenDJ + seed ou=People
+        run: |
+          for i in $(seq 1 90); do
+            if ldapsearch -x -H ldap://localhost:1389 -D "cn=Directory Manager" -w password \
+                 -b "$BASEDN" -s base dn >/dev/null 2>&1; then
+              echo "OpenDJ is up"; break
+            fi
+            sleep 2
+          done
+          ldapadd -x -H ldap://localhost:1389 -D "cn=Directory Manager" -w password \
+            -f .github/performance/people.ldif || true
+
+      - name: Capture OpenDJ version
+        run: |
+          ver="$(ldapsearch -x -LLL -H ldap://localhost:1389 -D 'cn=Directory Manager' -w password \
+                  -b '' -s base fullVendorVersion 2>/dev/null | sed -n 's/^fullVendorVersion: //p')"
+          [ -n "$ver" ] || ver="$OPENDJ_IMAGE"
+          echo "OpenDJ: $ver"
+          {
+            echo "OPENDJ_VER<<EOF"
+            echo "$ver"
+            echo "EOF"
+          } >> "$GITHUB_ENV"
+
+      - name: Benchmark OpenDJ
+        run: |
+          rm -rf opendj opendj.jtl
+          HEAP="$HEAP" "$JMETER_BIN" -n -t .github/performance/benchmark.jmx \
+            -Jhost=localhost -Jport=1389 \
+            -Jbasedn="$BASEDN" \
+            -Jadminbinddn="cn=Directory Manager" -Jadminbindpw=password \
+            -Jbenchpw="$BENCHPW" \
+            -Jthreads="$THREADS" -Jduration="$DURATION" -Jrampup="$RAMPUP" \
+            -Jjmeter.reportgenerator.sample_filter="$SAMPLE_FILTER" \
+            -l opendj.jtl -e -o opendj
+
+      # ---------------------------------------------------------------- Report
+      - name: Build job summary
+        run: |
+          bash .github/performance/summary.sh \
+            openldap/statistics.json opendj/statistics.json \
+            "$OPENLDAP_VER" "$OPENDJ_VER" \
+            "$OPENLDAP_IMAGE" "$OPENDJ_IMAGE" >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload JMeter reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: jmeter-reports
+          path: |
+            openldap/
+            opendj/
+            *.jtl
+          if-no-files-found: warn
+
+      - name: Container logs + cleanup
+        if: always()
+        run: |
+          docker logs openldap 2>&1 | tail -n 100 || true
+          docker logs opendj 2>&1 | tail -n 100 || true
+          docker rm -f openldap opendj || true

From 75c17bfaedc1288975c725926de2aa61649a7e83 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 12:07:38 +0300
Subject: [PATCH 02/15] Rename benchmark workflow and fix OpenLDAP
 version-capture SIGPIPE

Renames the workflow and its assets, and fixes the job failing before the
benchmark ran.

- Rename .github/workflows/performance.yml -> benchmark.yml (workflow name
  "LDAP benchmark: OpenDJ vs OpenLDAP") and .github/performance/ ->
  .github/benchmark/; update all internal paths and the concurrency group.
- Fix the "Capture OpenLDAP version" step failing with exit 141: `slapd -VV`
  piped to `head -1` got SIGPIPE when head closed the pipe early, and under
  `pipefail` that failed the whole step before any JMeter run. Capture the
  output fully and take the first line in bash, with a fallback to the image
  reference.
- Harden the OpenDJ version step the same way: guard ldapsearch with `|| true`
  so a transient bind failure cannot trip pipefail.
---
 .../{performance => benchmark}/benchmark.jmx  |  0
 .../{performance => benchmark}/people.ldif    |  0
 .github/{performance => benchmark}/summary.sh |  0
 .../{performance.yml => benchmark.yml}        | 26 ++++++++++++-------
 4 files changed, 16 insertions(+), 10 deletions(-)
 rename .github/{performance => benchmark}/benchmark.jmx (100%)
 rename .github/{performance => benchmark}/people.ldif (100%)
 rename .github/{performance => benchmark}/summary.sh (100%)
 rename .github/workflows/{performance.yml => benchmark.yml} (87%)

diff --git a/.github/performance/benchmark.jmx b/.github/benchmark/benchmark.jmx
similarity index 100%
rename from .github/performance/benchmark.jmx
rename to .github/benchmark/benchmark.jmx
diff --git a/.github/performance/people.ldif b/.github/benchmark/people.ldif
similarity index 100%
rename from .github/performance/people.ldif
rename to .github/benchmark/people.ldif
diff --git a/.github/performance/summary.sh b/.github/benchmark/summary.sh
similarity index 100%
rename from .github/performance/summary.sh
rename to .github/benchmark/summary.sh
diff --git a/.github/workflows/performance.yml b/.github/workflows/benchmark.yml
similarity index 87%
rename from .github/workflows/performance.yml
rename to .github/workflows/benchmark.yml
index 77e1d09bb7..c8b7838870 100644
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/benchmark.yml
@@ -11,7 +11,7 @@
 # information: "Portions copyright [year] [name of copyright owner]".
 #
 # Copyright 2026 3A Systems, LLC.
-name: Performance
+name: "LDAP benchmark: OpenDJ vs OpenLDAP"
 
 # LDAP benchmark: OpenDJ vs OpenLDAP.
 # Runs manually (workflow_dispatch) and automatically after the "Release" workflow completes.
@@ -49,7 +49,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: performance-${{ github.ref }}
+  group: benchmark-${{ github.ref }}
   cancel-in-progress: true
 
 defaults:
@@ -113,11 +113,15 @@ jobs:
             sleep 2
           done
           ldapadd -x -H ldap://localhost:2389 -D "cn=admin,$BASEDN" -w password \
-            -f .github/performance/people.ldif || true
+            -f .github/benchmark/people.ldif || true
 
       - name: Capture OpenLDAP version
         run: |
-          ver="$(docker exec openldap sh -c '/usr/sbin/slapd -VV 2>&1 || slapd -VV 2>&1' | head -1)"
+          # No `| head -1`: head closes the pipe early, slapd -VV then gets SIGPIPE and under
+          # `pipefail` fails the step with exit 141. Capture fully, take the first line in bash.
+          ver="$(docker exec openldap sh -c '/usr/sbin/slapd -VV 2>&1 || slapd -VV 2>&1' || true)"
+          ver="${ver%%$'\n'*}"
+          [ -n "$ver" ] || ver="$OPENLDAP_IMAGE"
           echo "OpenLDAP: $ver"
           {
             echo "OPENLDAP_VER<<EOF"
@@ -128,7 +132,7 @@ jobs:
       - name: Benchmark OpenLDAP
         run: |
           rm -rf openldap openldap.jtl
-          HEAP="$HEAP" "$JMETER_BIN" -n -t .github/performance/benchmark.jmx \
+          HEAP="$HEAP" "$JMETER_BIN" -n -t .github/benchmark/benchmark.jmx \
             -Jhost=localhost -Jport=2389 \
             -Jbasedn="$BASEDN" \
             -Jadminbinddn="cn=admin,$BASEDN" -Jadminbindpw=password \
@@ -155,12 +159,14 @@ jobs:
             sleep 2
           done
           ldapadd -x -H ldap://localhost:1389 -D "cn=Directory Manager" -w password \
-            -f .github/performance/people.ldif || true
+            -f .github/benchmark/people.ldif || true
 
       - name: Capture OpenDJ version
         run: |
-          ver="$(ldapsearch -x -LLL -H ldap://localhost:1389 -D 'cn=Directory Manager' -w password \
-                  -b '' -s base fullVendorVersion 2>/dev/null | sed -n 's/^fullVendorVersion: //p')"
+          # `|| true` guards the bind so a transient ldapsearch failure can't trip pipefail;
+          # sed reads all input (no early pipe close), so no SIGPIPE here.
+          ver="$( { ldapsearch -x -LLL -H ldap://localhost:1389 -D 'cn=Directory Manager' -w password \
+                    -b '' -s base fullVendorVersion 2>/dev/null || true; } | sed -n 's/^fullVendorVersion: //p')"
           [ -n "$ver" ] || ver="$OPENDJ_IMAGE"
           echo "OpenDJ: $ver"
           {
@@ -172,7 +178,7 @@ jobs:
       - name: Benchmark OpenDJ
         run: |
           rm -rf opendj opendj.jtl
-          HEAP="$HEAP" "$JMETER_BIN" -n -t .github/performance/benchmark.jmx \
+          HEAP="$HEAP" "$JMETER_BIN" -n -t .github/benchmark/benchmark.jmx \
             -Jhost=localhost -Jport=1389 \
             -Jbasedn="$BASEDN" \
             -Jadminbinddn="cn=Directory Manager" -Jadminbindpw=password \
@@ -184,7 +190,7 @@ jobs:
       # ---------------------------------------------------------------- Report
       - name: Build job summary
         run: |
-          bash .github/performance/summary.sh \
+          bash .github/benchmark/summary.sh \
             openldap/statistics.json opendj/statistics.json \
             "$OPENLDAP_VER" "$OPENDJ_VER" \
             "$OPENLDAP_IMAGE" "$OPENDJ_IMAGE" >> "$GITHUB_STEP_SUMMARY"

From f69863189e5a3bb0dd3b9ec0a9ef1a4b602a09ea Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 12:36:49 +0300
Subject: [PATCH 03/15] Escape commas in __P(basedn) default to fix JMeter plan
 compile

The benchmark plan failed to compile with "__P called with wrong number of
parameters. Actual: 3. Expected: >= 1 and <= 2": the default value in
${__P(basedn,dc=example,dc=com)} contains commas, which JMeter's function
parser treats as extra argument separators. Escape them as
${__P(basedn,dc=example\,dc=com)} in the ADMIN_CONNECT and BIND samplers.

Without this the tree never compiled, so no statistics.json was produced and
the summary step failed on jq. Verified locally with JMeter 5.6.3: the plan
now compiles and runs, and report generation produces statistics.json.
---
 .github/benchmark/benchmark.jmx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/benchmark/benchmark.jmx b/.github/benchmark/benchmark.jmx
index a20b94a64b..745cffc4d6 100644
--- a/.github/benchmark/benchmark.jmx
+++ b/.github/benchmark/benchmark.jmx
@@ -47,7 +47,7 @@
           <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="ADMIN_CONNECT" enabled="true">
             <stringProp name="servername">${__P(host,localhost)}</stringProp>
             <stringProp name="port">${__P(port,1389)}</stringProp>
-            <stringProp name="rootdn">ou=People,${__P(basedn,dc=example,dc=com)}</stringProp>
+            <stringProp name="rootdn">ou=People,${__P(basedn,dc=example\,dc=com)}</stringProp>
             <stringProp name="scope">2</stringProp>
             <stringProp name="countlimit"></stringProp>
             <stringProp name="timelimit"></stringProp>
@@ -223,7 +223,7 @@
         <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="BIND" enabled="true">
           <stringProp name="servername">${__P(host,localhost)}</stringProp>
           <stringProp name="port">${__P(port,1389)}</stringProp>
-          <stringProp name="rootdn">ou=People,${__P(basedn,dc=example,dc=com)}</stringProp>
+          <stringProp name="rootdn">ou=People,${__P(basedn,dc=example\,dc=com)}</stringProp>
           <stringProp name="scope">2</stringProp>
           <stringProp name="countlimit"></stringProp>
           <stringProp name="timelimit"></stringProp>
@@ -233,7 +233,7 @@
           <stringProp name="connection_timeout">60000</stringProp>
           <stringProp name="parseflag">false</stringProp>
           <stringProp name="secure">false</stringProp>
-          <stringProp name="user_dn">cn=user_${__threadNum},ou=People,${__P(basedn,dc=example,dc=com)}</stringProp>
+          <stringProp name="user_dn">cn=user_${__threadNum},ou=People,${__P(basedn,dc=example\,dc=com)}</stringProp>
           <stringProp name="user_pw">${__P(benchpw,benchPass1)}</stringProp>
           <stringProp name="comparedn"></stringProp>
           <stringProp name="comparefilt"></stringProp>

From ff93f3bf42f4e2ed6e3cd90bb7983e4754e25bae Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 13:55:39 +0300
Subject: [PATCH 04/15] Refine LDAP benchmark: READD, SSHA-256 hashing, grouped
 charts

Five follow-up tweaks to the benchmark workflow and plan.

- Rename the "ADD WITHOUT DELETE" sampler to READD (benchmark.jmx, summary.sh OPS).
- Stop each Docker container right after its own benchmark (new Stop OpenLDAP /
  Stop OpenDJ steps) to free resources and keep only one server under load at a
  time; the final always() cleanup stays as the failure-path safety net.
- Make both servers hash passwords with the same scheme (SSHA-256), hashed
  server-side on write: MODIFY sends the password in cleartext and each server
  hashes it. OpenLDAP loads the pw-sha2 and ppolicy modules, sets
  olcPasswordHash {SSHA256} and enables the ppolicy hash-cleartext overlay on the
  mdb database; OpenDJ sets the Default Password Policy default storage scheme to
  Salted SHA-256. Each server hashes/verifies with its own implementation, so
  there is no cross-implementation hash-format dependency.
- Charts: render each operation as two adjacent, non-overlapping columns
  (OpenLDAP / OpenDJ) in different colors instead of two overlapping series, using
  an interleaved x-axis with zero-padded series and an explicit color palette
  (Mermaid xychart-beta has no grouped bars).
- Bump actions/cache@v4 -> @v5 and actions/upload-artifact@v4 -> @v7 (latest used
  elsewhere in this repo).

Validated locally with JMeter 5.6.3: the plan compiles, statistics.json carries
the READD label with ADMIN_CONNECT filtered out, summary.sh renders the two-column
charts, and actionlint passes.
---
 .github/benchmark/benchmark.jmx |  6 ++--
 .github/benchmark/summary.sh    | 53 ++++++++++++++++++------------
 .github/workflows/benchmark.yml | 57 +++++++++++++++++++++++++++------
 3 files changed, 83 insertions(+), 33 deletions(-)

diff --git a/.github/benchmark/benchmark.jmx b/.github/benchmark/benchmark.jmx
index 745cffc4d6..78f3d04041 100644
--- a/.github/benchmark/benchmark.jmx
+++ b/.github/benchmark/benchmark.jmx
@@ -17,7 +17,7 @@
 <jmeterTestPlan version="1.2" properties="5.0" jmeter="5.6.3">
   <hashTree>
     <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="OpenDJ vs OpenLDAP - LDAP benchmark" enabled="true">
-      <stringProp name="TestPlan.comments">Parametrized LDAP benchmark. Admin bind is cached once per thread (Once Only Controller, labelled ADMIN_CONNECT, excluded from metrics). Data ops (ADD/SEARCH/COMPARE/MODIFY/DELETE/ADD WITHOUT DELETE) reuse the cached admin connection. The measured user authentication is a single bind/unbind (test=sbind, own connection) after MODIFY has set the userPassword.</stringProp>
+      <stringProp name="TestPlan.comments">Parametrized LDAP benchmark. Admin bind is cached once per thread (Once Only Controller, labelled ADMIN_CONNECT, excluded from metrics). Data ops (ADD/SEARCH/COMPARE/MODIFY/DELETE/READD) reuse the cached admin connection. The measured user authentication is a single bind/unbind (test=sbind, own connection) after MODIFY has set the userPassword.</stringProp>
       <boolProp name="TestPlan.functional_mode">false</boolProp>
       <boolProp name="TestPlan.tearDown_on_shutdown">true</boolProp>
       <boolProp name="TestPlan.serialize_threadgroups">false</boolProp>
@@ -268,8 +268,8 @@
         </LDAPExtSampler>
         <hashTree/>
 
-        <!-- ADD WITHOUT DELETE (admin connection): accumulation; unique RDN via __UUID. -->
-        <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="ADD WITHOUT DELETE" enabled="true">
+        <!-- READD (admin connection): re-add without delete (accumulation); unique RDN via __UUID. -->
+        <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="READD" enabled="true">
           <stringProp name="servername"></stringProp>
           <stringProp name="port"></stringProp>
           <stringProp name="rootdn"></stringProp>
diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index ecac86c8de..193fb33d91 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -32,7 +32,7 @@ OL_IMG="${5:-}"
 DJ_IMG="${6:-}"
 
 # Operations to compare, in workflow order. ADMIN_CONNECT and Total are excluded.
-OPS=("ADD" "SEARCH" "COMPARE" "MODIFY" "BIND" "DELETE" "ADD WITHOUT DELETE")
+OPS=("ADD" "SEARCH" "COMPARE" "MODIFY" "BIND" "DELETE" "READD")
 
 # m <file> <label> <field>  -> numeric value (0 if absent), rounded to 1 decimal.
 m() { jq -r --arg l "$2" --arg f "$3" '((.[$l][$f]) // 0) | (.*10 | round / 10)' "$1"; }
@@ -85,51 +85,63 @@ done
 echo ""
 
 # ---------------------------------------------------------------- Chart helpers
-# Build a Mermaid list "x, y, z" of values for all OPS from <file> <field>, via <m|mi>.
-series() { # <fn> <file> <field>
+# Mermaid xychart-beta has no grouped bars/legend, so to get two adjacent (non-overlapping)
+# columns per operation we repeat each op on the x-axis and zero-pad the two series: OpenLDAP
+# bars land on the left tick of each pair, OpenDJ on the right tick.
+#
+# x-axis: each op twice -> "ADD", "ADD", "SEARCH", "SEARCH", ...
+xaxis_pairs() {
+  local out="" op
+  for op in "${OPS[@]}"; do out+="${out:+, }\"${op}\", \"${op}\""; done
+  printf '%s' "$out"
+}
+# OpenLDAP series: value then 0 per op (bar on the left tick of each pair).
+series_ol() { # <fn> <file> <field>
   local fn="$1" file="$2" field="$3" out="" v
-  for op in "${OPS[@]}"; do
-    v=$("$fn" "$file" "$op" "$field")
-    out+="${out:+, }${v}"
-  done
+  for op in "${OPS[@]}"; do v=$("$fn" "$file" "$op" "$field"); out+="${out:+, }${v}, 0"; done
   printf '%s' "$out"
 }
-# x-axis with every label quoted (labels contain spaces).
-xaxis() {
-  local out="" op
-  for op in "${OPS[@]}"; do out+="${out:+, }\"${op}\""; done
+# OpenDJ series: 0 then value per op (bar on the right tick of each pair).
+series_dj() { # <fn> <file> <field>
+  local fn="$1" file="$2" field="$3" out="" v
+  for op in "${OPS[@]}"; do v=$("$fn" "$file" "$op" "$field"); out+="${out:+, }0, ${v}"; done
   printf '%s' "$out"
 }
 
-XAXIS="$(xaxis)"
+XAXIS="$(xaxis_pairs)"
+# Fix the two series colors (series 1 = OpenLDAP blue, series 2 = OpenDJ orange).
+PALETTE='%%{init: {"themeVariables": {"xyChart": {"plotColorPalette": "#4e79a7, #f28e2b"}}}}%%'
+CAPTION="_Each operation has two columns: 🟦 OpenLDAP (left) · 🟧 OpenDJ (right)._"
 
 # ---------------------------------------------------------------- Throughput chart
 echo "### Comparative chart — throughput per operation (ops/s, higher is better)"
 echo ""
-echo "_First bar series = OpenLDAP, second bar series = OpenDJ._"
+echo "$CAPTION"
 echo ""
 echo '```mermaid'
+echo "$PALETTE"
 echo "xychart-beta"
 echo "    title \"Throughput per operation (ops/s) — OpenLDAP vs OpenDJ\""
 echo "    x-axis [${XAXIS}]"
 echo "    y-axis \"ops/s\""
-echo "    bar [$(series m "$OL_JSON" throughput)]"
-echo "    bar [$(series m "$DJ_JSON" throughput)]"
+echo "    bar [$(series_ol m "$OL_JSON" throughput)]"
+echo "    bar [$(series_dj m "$DJ_JSON" throughput)]"
 echo '```'
 echo ""
 
 # ---------------------------------------------------------------- Latency chart
 echo "### Comparative chart — mean latency per operation (ms, lower is better)"
 echo ""
-echo "_First bar series = OpenLDAP, second bar series = OpenDJ._"
+echo "$CAPTION"
 echo ""
 echo '```mermaid'
+echo "$PALETTE"
 echo "xychart-beta"
 echo "    title \"Mean latency per operation (ms) — OpenLDAP vs OpenDJ\""
 echo "    x-axis [${XAXIS}]"
 echo "    y-axis \"ms\""
-echo "    bar [$(series m "$OL_JSON" meanResTime)]"
-echo "    bar [$(series m "$DJ_JSON" meanResTime)]"
+echo "    bar [$(series_ol m "$OL_JSON" meanResTime)]"
+echo "    bar [$(series_dj m "$DJ_JSON" meanResTime)]"
 echo '```'
 echo ""
 
@@ -139,6 +151,7 @@ echo ""
 echo "- \`BIND\` is the measured **user authentication** (\`test=sbind\`, single bind/unbind on its"
 echo "  own connection) as \`cn=user_<n>,ou=People\` with the password set by \`MODIFY\`. The admin"
 echo "  connection bind (\`ADMIN_CONNECT\`) is cached once per thread and excluded from these results."
-echo "- Default password storage scheme differs by server (OpenDJ PBKDF2/Salted-SHA vs OpenLDAP"
-echo "  SSHA); this is a legitimate part of authentication cost."
+echo "- MODIFY sends the password in cleartext; each server hashes it on write with the **same"
+echo "  scheme (SSHA-256)** — OpenLDAP via the pw-sha2 module + ppolicy hash-cleartext, OpenDJ via"
+echo "  its Salted SHA-256 default scheme — so BIND authentication is compared on equal footing."
 echo "- Full interactive JMeter HTML dashboards are attached as the \`jmeter-reports\` artifact."
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index c8b7838870..5dff071339 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Cache JMeter
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/jmeter
           key: jmeter-${{ env.JMETER }}
@@ -103,15 +103,32 @@ jobs:
             -e LDAP_TLS=false \
             "$OPENLDAP_IMAGE"
 
-      - name: Wait for OpenLDAP + seed ou=People
+      - name: Configure OpenLDAP (SSHA-256 hash-on-write, seed)
         run: |
-          for i in $(seq 1 90); do
-            if ldapsearch -x -H ldap://localhost:2389 -D "cn=admin,$BASEDN" -w password \
-                 -b "$BASEDN" -s base dn >/dev/null 2>&1; then
-              echo "OpenLDAP is up"; break
-            fi
-            sleep 2
-          done
+          wait_ldap() {
+            for i in $(seq 1 90); do
+              ldapsearch -x -H ldap://localhost:2389 -D "cn=admin,$BASEDN" -w password \
+                -b "$BASEDN" -s base dn >/dev/null 2>&1 && { echo "OpenLDAP is up"; return 0; }
+              sleep 2
+            done
+          }
+          le() { docker exec -i openldap "$@" -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true; }
+          wait_ldap
+          # Load pw-sha2 (provides {SSHA256}) and ppolicy (overlay) modules; osixia ships both
+          # in /usr/lib/ldap. Create the module list entry or append the values, then restart so
+          # the modules are active in the running slapd.
+          printf 'dn: cn=module{0},cn=config\nobjectClass: olcModuleList\nolcModuleLoad: pw-sha2\nolcModuleLoad: ppolicy\n' | le ldapadd
+          printf 'dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: pw-sha2\n' | le ldapmodify
+          printf 'dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: ppolicy\n' | le ldapmodify
+          docker restart openldap
+          wait_ldap
+          # Make slapd hash cleartext userPassword with {SSHA256} on a plain modify: set the global
+          # password-hash and enable the ppolicy overlay's hash_cleartext on the mdb database.
+          printf 'dn: olcDatabase={-1}frontend,cn=config\nchangetype: modify\nreplace: olcPasswordHash\nolcPasswordHash: {SSHA256}\n' | le ldapmodify
+          DBDN="$(docker exec openldap ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config '(olcDatabase=*mdb)' dn 2>/dev/null | sed -n 's/^dn: //p' | head -1)"
+          [ -n "$DBDN" ] || DBDN="olcDatabase={1}mdb,cn=config"
+          printf 'dn: olcOverlay=ppolicy,%s\nobjectClass: olcOverlayConfig\nobjectClass: olcPPolicyConfig\nolcOverlay: ppolicy\nolcPPolicyHashCleartext: TRUE\n' "$DBDN" | le ldapadd
+          # Seed ou=People (after the restart so it survives any re-init).
           ldapadd -x -H ldap://localhost:2389 -D "cn=admin,$BASEDN" -w password \
             -f .github/benchmark/people.ldif || true
 
@@ -141,6 +158,11 @@ jobs:
             -Jjmeter.reportgenerator.sample_filter="$SAMPLE_FILTER" \
             -l openldap.jtl -e -o openldap
 
+      - name: Stop OpenLDAP
+        run: |
+          docker logs openldap 2>&1 | tail -n 100 || true
+          docker rm -f openldap || true
+
       - name: Start OpenDJ
         run: |
           docker run -d --name opendj -p 1389:1389 \
@@ -161,6 +183,16 @@ jobs:
           ldapadd -x -H ldap://localhost:1389 -D "cn=Directory Manager" -w password \
             -f .github/benchmark/people.ldif || true
 
+      - name: Configure OpenDJ password policy (SSHA-256 hash-on-write)
+        run: |
+          # Hash cleartext userPassword with Salted SHA-256 on write, matching OpenLDAP.
+          docker exec opendj /opt/opendj/bin/dsconfig set-password-policy-prop \
+            --policy-name "Default Password Policy" \
+            --set default-password-storage-scheme:"Salted SHA-256" \
+            --hostname localhost --port 4444 \
+            --bindDN "cn=Directory Manager" --bindPassword password \
+            --trustAll --no-prompt
+
       - name: Capture OpenDJ version
         run: |
           # `|| true` guards the bind so a transient ldapsearch failure can't trip pipefail;
@@ -187,6 +219,11 @@ jobs:
             -Jjmeter.reportgenerator.sample_filter="$SAMPLE_FILTER" \
             -l opendj.jtl -e -o opendj
 
+      - name: Stop OpenDJ
+        run: |
+          docker logs opendj 2>&1 | tail -n 100 || true
+          docker rm -f opendj || true
+
       # ---------------------------------------------------------------- Report
       - name: Build job summary
         run: |
@@ -197,7 +234,7 @@ jobs:
 
       - name: Upload JMeter reports
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: jmeter-reports
           path: |

From 9a666b7b8658ddc9ebaae3c7588c06a9e9155309 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 14:43:34 +0300
Subject: [PATCH 05/15] Fix benchmark charts: non-overlapping columns and total
 throughput

Two report fixes in summary.sh.

- Make the per-operation columns actually render side by side. xychart-beta
  merges duplicate x-axis category labels into one slot, so the previous
  "ADD","ADD" axis collapsed both series back onto a single column and the
  OpenLDAP/OpenDJ bars overlapped. Use distinct labels ("ADD OL","ADD DJ", ...)
  so the zero-padded series stay on separate columns.
- Replace per-operation throughput with a single total-throughput comparison.
  In a sequential loop every operation runs once per iteration, so per-op
  throughput just equals the loop rate (nearly identical across ops, which
  looked wrong). The per-operation table now shows latency only (mean/p99/
  errors); a two-bar chart shows total OpenLDAP vs OpenDJ throughput, with a
  note explaining why per-op throughput is not charted.

Verified by rendering the report from the real run's statistics.json artifacts.
---
 .github/benchmark/summary.sh | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index 193fb33d91..04ed38401b 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -70,14 +70,13 @@ echo "| **OpenDJ** | ${dj_tot_tp} | ${dj_tot_mean} | ${dj_tot_n} | ${dj_tot_e} |
 echo ""
 
 # ---------------------------------------------------------------- Per-op table
-echo "### Per-operation comparison"
+echo "### Per-operation latency"
 echo ""
-echo "| Operation | ops/s OpenLDAP | ops/s OpenDJ | mean ms OpenLDAP | mean ms OpenDJ | p99 ms OpenLDAP | p99 ms OpenDJ | err OL | err DJ |"
-echo "|---|--:|--:|--:|--:|--:|--:|--:|--:|"
+echo "| Operation | mean ms OpenLDAP | mean ms OpenDJ | p99 ms OpenLDAP | p99 ms OpenDJ | err OL | err DJ |"
+echo "|---|--:|--:|--:|--:|--:|--:|"
 for op in "${OPS[@]}"; do
-  printf '| %s | %s | %s | %s | %s | %s | %s | %s | %s |\n' \
+  printf '| %s | %s | %s | %s | %s | %s | %s |\n' \
     "$op" \
-    "$(m  "$OL_JSON" "$op" throughput)"   "$(m  "$DJ_JSON" "$op" throughput)" \
     "$(m  "$OL_JSON" "$op" meanResTime)"  "$(m  "$DJ_JSON" "$op" meanResTime)" \
     "$(mi "$OL_JSON" "$op" pct3ResTime)"  "$(mi "$DJ_JSON" "$op" pct3ResTime)" \
     "$(mi "$OL_JSON" "$op" errorCount)"   "$(mi "$DJ_JSON" "$op" errorCount)"
@@ -89,10 +88,13 @@ echo ""
 # columns per operation we repeat each op on the x-axis and zero-pad the two series: OpenLDAP
 # bars land on the left tick of each pair, OpenDJ on the right tick.
 #
-# x-axis: each op twice -> "ADD", "ADD", "SEARCH", "SEARCH", ...
+# x-axis: each op as two *distinct* labels -> "ADD OL", "ADD DJ", "SEARCH OL", ...
+# The labels MUST be unique: xychart-beta merges duplicate category labels into one slot, which
+# would put both series back on the same column (overlapping). Distinct labels keep the columns
+# separate so the zero-padded series render side by side.
 xaxis_pairs() {
   local out="" op
-  for op in "${OPS[@]}"; do out+="${out:+, }\"${op}\", \"${op}\""; done
+  for op in "${OPS[@]}"; do out+="${out:+, }\"${op} OL\", \"${op} DJ\""; done
   printf '%s' "$out"
 }
 # OpenLDAP series: value then 0 per op (bar on the left tick of each pair).
@@ -113,19 +115,21 @@ XAXIS="$(xaxis_pairs)"
 PALETTE='%%{init: {"themeVariables": {"xyChart": {"plotColorPalette": "#4e79a7, #f28e2b"}}}}%%'
 CAPTION="_Each operation has two columns: 🟦 OpenLDAP (left) · 🟧 OpenDJ (right)._"
 
-# ---------------------------------------------------------------- Throughput chart
-echo "### Comparative chart — throughput per operation (ops/s, higher is better)"
+# ---------------------------------------------------------------- Total throughput chart
+echo "### Total throughput (ops/s, higher is better)"
 echo ""
-echo "$CAPTION"
+echo "_🟦 OpenLDAP · 🟧 OpenDJ. Per-operation throughput is intentionally not charted: every"
+echo "operation runs once per loop iteration, so each op's throughput just equals the loop rate"
+echo "(nearly identical across ops). The meaningful throughput is the aggregate shown here._"
 echo ""
 echo '```mermaid'
 echo "$PALETTE"
 echo "xychart-beta"
-echo "    title \"Throughput per operation (ops/s) — OpenLDAP vs OpenDJ\""
-echo "    x-axis [${XAXIS}]"
+echo "    title \"Total throughput (ops/s) — OpenLDAP vs OpenDJ\""
+echo "    x-axis [\"OpenLDAP\", \"OpenDJ\"]"
 echo "    y-axis \"ops/s\""
-echo "    bar [$(series_ol m "$OL_JSON" throughput)]"
-echo "    bar [$(series_dj m "$DJ_JSON" throughput)]"
+echo "    bar [${ol_tot_tp}, 0]"
+echo "    bar [0, ${dj_tot_tp}]"
 echo '```'
 echo ""
 

From 3c9705f1f7622153fc9cd114ba10a3fcdf938d64 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 14:47:08 +0300
Subject: [PATCH 06/15] Fix benchmark charts: non-overlapping columns and total
 throughput

Two report fixes in summary.sh.

- Make the per-operation columns actually render side by side. xychart-beta
  merges duplicate x-axis category labels into one slot, so the previous
  "ADD","ADD" axis collapsed both series back onto a single column and the
  OpenLDAP/OpenDJ bars overlapped. Use distinct labels ("ADD OL","ADD DJ", ...)
  so the zero-padded series stay on separate columns.
- Replace per-operation throughput with a single total-throughput comparison.
  In a sequential loop every operation runs once per iteration, so per-op
  throughput just equals the loop rate (nearly identical across ops, which
  looked wrong). The per-operation table now shows latency only (mean/p99/
  errors); a two-bar chart shows total OpenLDAP vs OpenDJ throughput, with a
  note explaining why per-op throughput is not charted.

Verified by rendering the report from the real run's statistics.json artifacts.
---
 .github/benchmark/summary.sh    | 2 +-
 .github/workflows/benchmark.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index 04ed38401b..a8b251888e 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -39,7 +39,7 @@ m() { jq -r --arg l "$2" --arg f "$3" '((.[$l][$f]) // 0) | (.*10 | round / 10)'
 # mi <file> <label> <field> -> integer value (0 if absent).
 mi() { jq -r --arg l "$2" --arg f "$3" '((.[$l][$f]) // 0) | round' "$1"; }
 
-echo "## 🔬 LDAP Benchmark — OpenDJ vs OpenLDAP"
+echo "## 🔬 Benchmark: OpenDJ vs OpenLDAP"
 echo ""
 
 # ---------------------------------------------------------------- Versions
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 5dff071339..d01d019f5a 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -11,9 +11,9 @@
 # information: "Portions copyright [year] [name of copyright owner]".
 #
 # Copyright 2026 3A Systems, LLC.
-name: "LDAP benchmark: OpenDJ vs OpenLDAP"
+name: "Benchmark"
 
-# LDAP benchmark: OpenDJ vs OpenLDAP.
+# Benchmark: OpenDJ vs OpenLDAP.
 # Runs manually (workflow_dispatch) and automatically after the "Release" workflow completes.
 # Starts the latest OpenLDAP and OpenDJ from Docker (image tags overridable via inputs),
 # benchmarks OpenLDAP first then OpenDJ with Apache JMeter, and writes versions + comparison

From 82016da7b8049db5b02f3f70b00a5c7aedeb4226 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 15:32:20 +0300
Subject: [PATCH 07/15] Benchmark: search on indexed mail, unique entries,
 QuickChart charts

benchmark.jmx
- SEARCH now filters on `mail` instead of `sn`. mail is equality-indexed by
  default on BOTH OpenDJ and OpenLDAP/osixia, whereas sn is indexed on OpenDJ
  only, so the search becomes a real indexed lookup on both servers.
- Every created value is unique: ADD keys each entry by a per-iteration JMeter
  counter, READD by a UUID. The search now matches exactly one entry, and the
  accumulated (never-deleted) READD entries no longer inflate the result set.
- Entries are minimal and index-symmetric: RDN is mail, objectClass is
  top/locality/extensibleObject, and no cn/sn/uid/givenName/telephoneNumber/
  member/uniqueMember are stored (those are indexed on OpenDJ but not osixia,
  which would bias the write cost). MODIFY writes description + userPassword.

summary.sh
- Replace the Mermaid xychart-beta charts with QuickChart (Chart.js) grouped bar
  charts rendered as images: proper side-by-side OpenLDAP/OpenDJ bars per
  operation, a legend, readable labels and no overlap. xychart-beta cannot group
  bars or show a legend and crowded the 14 x-axis labels. Throughput is a two-bar
  chart; latency is grouped bars per operation. Config is built with jq and
  URL-encoded.
---
 .github/benchmark/benchmark.jmx | 83 ++++++++++++++++-----------------
 .github/benchmark/summary.sh    | 74 ++++++++++-------------------
 2 files changed, 63 insertions(+), 94 deletions(-)

diff --git a/.github/benchmark/benchmark.jmx b/.github/benchmark/benchmark.jmx
index 78f3d04041..07aed73fa3 100644
--- a/.github/benchmark/benchmark.jmx
+++ b/.github/benchmark/benchmark.jmx
@@ -17,7 +17,7 @@
 <jmeterTestPlan version="1.2" properties="5.0" jmeter="5.6.3">
   <hashTree>
     <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="OpenDJ vs OpenLDAP - LDAP benchmark" enabled="true">
-      <stringProp name="TestPlan.comments">Parametrized LDAP benchmark. Admin bind is cached once per thread (Once Only Controller, labelled ADMIN_CONNECT, excluded from metrics). Data ops (ADD/SEARCH/COMPARE/MODIFY/DELETE/READD) reuse the cached admin connection. The measured user authentication is a single bind/unbind (test=sbind, own connection) after MODIFY has set the userPassword.</stringProp>
+      <stringProp name="TestPlan.comments">Parametrized LDAP benchmark. Admin bind is cached once per thread (Once Only Controller, labelled ADMIN_CONNECT, excluded from metrics). Data ops (ADD/SEARCH/COMPARE/MODIFY/DELETE/READD) reuse the cached admin connection. Entries use mail as the naming/searchable attribute (equality-indexed by default on BOTH OpenDJ and OpenLDAP/osixia); no cn/sn/uid/givenName/telephoneNumber/member/uniqueMember are stored (those are indexed on OpenDJ but not osixia, which would bias the write cost). Every created value is unique: ADD uses a per-iteration counter, READD uses a UUID. The measured user authentication is a single bind/unbind (test=sbind, own connection) after MODIFY has set the userPassword.</stringProp>
       <boolProp name="TestPlan.functional_mode">false</boolProp>
       <boolProp name="TestPlan.tearDown_on_shutdown">true</boolProp>
       <boolProp name="TestPlan.serialize_threadgroups">false</boolProp>
@@ -40,6 +40,20 @@
         <stringProp name="ThreadGroup.delay"></stringProp>
       </ThreadGroup>
       <hashTree>
+        <!-- Per-thread, per-iteration counter. Combined with ${__threadNum} it yields a value
+             unique across the whole run; it stays constant within a single loop iteration so the
+             same entry is referenced by ADD/SEARCH/COMPARE/MODIFY/BIND/DELETE. -->
+        <CounterConfig guiclass="CounterConfigGui" testclass="CounterConfig" testname="Per-iteration counter" enabled="true">
+          <stringProp name="CounterConfig.start">1</stringProp>
+          <stringProp name="CounterConfig.end"></stringProp>
+          <stringProp name="CounterConfig.incr">1</stringProp>
+          <stringProp name="CounterConfig.name">iter</stringProp>
+          <stringProp name="CounterConfig.format"></stringProp>
+          <boolProp name="CounterConfig.per_user">true</boolProp>
+          <boolProp name="CounterConfig.reset_on_tg_iteration">false</boolProp>
+        </CounterConfig>
+        <hashTree/>
+
         <!-- Admin connection: bound once per thread, cached in ldapContexts[thread], reused by all
              data operations. Labelled ADMIN_CONNECT and excluded from metrics. -->
         <OnceOnlyController guiclass="OnceOnlyControllerGui" testclass="OnceOnlyController" testname="Once Only - admin connect" enabled="true"/>
@@ -68,7 +82,7 @@
           <hashTree/>
         </hashTree>
 
-        <!-- ADD (admin connection): create the per-thread user entry. -->
+        <!-- ADD (admin connection): create the per-iteration user entry, keyed by mail. -->
         <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="ADD" enabled="true">
           <stringProp name="servername"></stringProp>
           <stringProp name="port"></stringProp>
@@ -89,17 +103,12 @@
           <stringProp name="modddn"></stringProp>
           <stringProp name="newdn"></stringProp>
           <stringProp name="test">add</stringProp>
-          <stringProp name="base_entry_dn">cn=user_${__threadNum}</stringProp>
+          <stringProp name="base_entry_dn">mail=u_${__threadNum}_${iter}@test.com</stringProp>
           <elementProp name="arguments" elementType="Arguments" guiclass="ArgumentsPanel" testclass="Arguments" testname="User Defined Variables" enabled="true">
             <collectionProp name="Arguments.arguments">
-              <elementProp name="sn" elementType="Argument">
-                <stringProp name="Argument.name">sn</stringProp>
-                <stringProp name="Argument.value">user_${__threadNum}</stringProp>
-                <stringProp name="Argument.metadata">=</stringProp>
-              </elementProp>
               <elementProp name="mail" elementType="Argument">
                 <stringProp name="Argument.name">mail</stringProp>
-                <stringProp name="Argument.value">user_${__threadNum}@test.com</stringProp>
+                <stringProp name="Argument.value">u_${__threadNum}_${iter}@test.com</stringProp>
                 <stringProp name="Argument.metadata">=</stringProp>
               </elementProp>
               <elementProp name="objectClass" elementType="Argument">
@@ -109,17 +118,12 @@
               </elementProp>
               <elementProp name="objectClass" elementType="Argument">
                 <stringProp name="Argument.name">objectClass</stringProp>
-                <stringProp name="Argument.value">inetOrgPerson</stringProp>
-                <stringProp name="Argument.metadata">=</stringProp>
-              </elementProp>
-              <elementProp name="objectClass" elementType="Argument">
-                <stringProp name="Argument.name">objectClass</stringProp>
-                <stringProp name="Argument.value">organizationalPerson</stringProp>
+                <stringProp name="Argument.value">locality</stringProp>
                 <stringProp name="Argument.metadata">=</stringProp>
               </elementProp>
               <elementProp name="objectClass" elementType="Argument">
                 <stringProp name="Argument.name">objectClass</stringProp>
-                <stringProp name="Argument.value">person</stringProp>
+                <stringProp name="Argument.value">extensibleObject</stringProp>
                 <stringProp name="Argument.metadata">=</stringProp>
               </elementProp>
             </collectionProp>
@@ -127,7 +131,7 @@
         </LDAPExtSampler>
         <hashTree/>
 
-        <!-- SEARCH (admin connection). -->
+        <!-- SEARCH (admin connection): equality lookup on the indexed mail attribute. -->
         <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="SEARCH" enabled="true">
           <stringProp name="servername"></stringProp>
           <stringProp name="port"></stringProp>
@@ -135,7 +139,7 @@
           <stringProp name="scope">2</stringProp>
           <stringProp name="countlimit">0</stringProp>
           <stringProp name="timelimit">0</stringProp>
-          <stringProp name="attributes">cn:dn:objectClass</stringProp>
+          <stringProp name="attributes">mail:dn:objectClass</stringProp>
           <stringProp name="return_object">false</stringProp>
           <stringProp name="deref_aliases">false</stringProp>
           <stringProp name="connection_timeout"></stringProp>
@@ -149,7 +153,7 @@
           <stringProp name="newdn"></stringProp>
           <stringProp name="test">search</stringProp>
           <stringProp name="search"></stringProp>
-          <stringProp name="searchfilter">(sn=user_${__threadNum})</stringProp>
+          <stringProp name="searchfilter">(mail=u_${__threadNum}_${iter}@test.com)</stringProp>
         </LDAPExtSampler>
         <hashTree/>
 
@@ -169,15 +173,16 @@
           <stringProp name="secure">false</stringProp>
           <stringProp name="user_dn"></stringProp>
           <stringProp name="user_pw"></stringProp>
-          <stringProp name="comparedn">cn=user_${__threadNum}</stringProp>
-          <stringProp name="comparefilt">mail=user_${__threadNum}@test.com</stringProp>
+          <stringProp name="comparedn">mail=u_${__threadNum}_${iter}@test.com</stringProp>
+          <stringProp name="comparefilt">mail=u_${__threadNum}_${iter}@test.com</stringProp>
           <stringProp name="modddn"></stringProp>
           <stringProp name="newdn"></stringProp>
           <stringProp name="test">compare</stringProp>
         </LDAPExtSampler>
         <hashTree/>
 
-        <!-- MODIFY (admin connection): rename sn and set userPassword so the user can authenticate. -->
+        <!-- MODIFY (admin connection): write a normal attribute (description) and set userPassword
+             (cleartext) so the server hashes it; the user then authenticates with it (sbind). -->
         <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="MODIFY" enabled="true">
           <stringProp name="servername"></stringProp>
           <stringProp name="port"></stringProp>
@@ -198,12 +203,12 @@
           <stringProp name="modddn"></stringProp>
           <stringProp name="newdn"></stringProp>
           <stringProp name="test">modify</stringProp>
-          <stringProp name="base_entry_dn">cn=user_${__threadNum}</stringProp>
+          <stringProp name="base_entry_dn">mail=u_${__threadNum}_${iter}@test.com</stringProp>
           <elementProp name="ldaparguments" elementType="LDAPArguments" guiclass="LDAPArgumentsPanel" testclass="LDAPArguments" testname="LDAP Extended Request Defaults" enabled="true">
             <collectionProp name="Arguments.arguments">
-              <elementProp name="sn" elementType="LDAPArgument">
-                <stringProp name="Argument.name">sn</stringProp>
-                <stringProp name="Argument.value">rename_${__threadNum}</stringProp>
+              <elementProp name="description" elementType="LDAPArgument">
+                <stringProp name="Argument.name">description</stringProp>
+                <stringProp name="Argument.value">mod_${__threadNum}_${iter}</stringProp>
                 <stringProp name="Argument.opcode">replace</stringProp>
                 <stringProp name="Argument.metadata">=</stringProp>
               </elementProp>
@@ -233,7 +238,7 @@
           <stringProp name="connection_timeout">60000</stringProp>
           <stringProp name="parseflag">false</stringProp>
           <stringProp name="secure">false</stringProp>
-          <stringProp name="user_dn">cn=user_${__threadNum},ou=People,${__P(basedn,dc=example\,dc=com)}</stringProp>
+          <stringProp name="user_dn">mail=u_${__threadNum}_${iter}@test.com,ou=People,${__P(basedn,dc=example\,dc=com)}</stringProp>
           <stringProp name="user_pw">${__P(benchpw,benchPass1)}</stringProp>
           <stringProp name="comparedn"></stringProp>
           <stringProp name="comparefilt"></stringProp>
@@ -243,7 +248,7 @@
         </LDAPExtSampler>
         <hashTree/>
 
-        <!-- DELETE (admin connection): remove the per-thread user entry. -->
+        <!-- DELETE (admin connection): remove the per-iteration entry. -->
         <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="DELETE" enabled="true">
           <stringProp name="servername"></stringProp>
           <stringProp name="port"></stringProp>
@@ -264,11 +269,11 @@
           <stringProp name="modddn"></stringProp>
           <stringProp name="newdn"></stringProp>
           <stringProp name="test">delete</stringProp>
-          <stringProp name="delete">cn=user_${__threadNum}</stringProp>
+          <stringProp name="delete">mail=u_${__threadNum}_${iter}@test.com</stringProp>
         </LDAPExtSampler>
         <hashTree/>
 
-        <!-- READD (admin connection): re-add without delete (accumulation); unique RDN via __UUID. -->
+        <!-- READD (admin connection): accumulation; globally unique mail via __UUID, never deleted. -->
         <LDAPExtSampler guiclass="LdapExtTestSamplerGui" testclass="LDAPExtSampler" testname="READD" enabled="true">
           <stringProp name="servername"></stringProp>
           <stringProp name="port"></stringProp>
@@ -289,17 +294,12 @@
           <stringProp name="modddn"></stringProp>
           <stringProp name="newdn"></stringProp>
           <stringProp name="test">add</stringProp>
-          <stringProp name="base_entry_dn">cn=user_${__threadNum}_${__UUID}</stringProp>
+          <stringProp name="base_entry_dn">mail=u_${__UUID}@test.com</stringProp>
           <elementProp name="arguments" elementType="Arguments" guiclass="ArgumentsPanel" testclass="Arguments" testname="User Defined Variables" enabled="true">
             <collectionProp name="Arguments.arguments">
-              <elementProp name="sn" elementType="Argument">
-                <stringProp name="Argument.name">sn</stringProp>
-                <stringProp name="Argument.value">user_${__threadNum}</stringProp>
-                <stringProp name="Argument.metadata">=</stringProp>
-              </elementProp>
               <elementProp name="mail" elementType="Argument">
                 <stringProp name="Argument.name">mail</stringProp>
-                <stringProp name="Argument.value">user_${__threadNum}@test.com</stringProp>
+                <stringProp name="Argument.value">u_${__UUID}@test.com</stringProp>
                 <stringProp name="Argument.metadata">=</stringProp>
               </elementProp>
               <elementProp name="objectClass" elementType="Argument">
@@ -309,17 +309,12 @@
               </elementProp>
               <elementProp name="objectClass" elementType="Argument">
                 <stringProp name="Argument.name">objectClass</stringProp>
-                <stringProp name="Argument.value">inetOrgPerson</stringProp>
-                <stringProp name="Argument.metadata">=</stringProp>
-              </elementProp>
-              <elementProp name="objectClass" elementType="Argument">
-                <stringProp name="Argument.name">objectClass</stringProp>
-                <stringProp name="Argument.value">organizationalPerson</stringProp>
+                <stringProp name="Argument.value">locality</stringProp>
                 <stringProp name="Argument.metadata">=</stringProp>
               </elementProp>
               <elementProp name="objectClass" elementType="Argument">
                 <stringProp name="Argument.name">objectClass</stringProp>
-                <stringProp name="Argument.value">person</stringProp>
+                <stringProp name="Argument.value">extensibleObject</stringProp>
                 <stringProp name="Argument.metadata">=</stringProp>
               </elementProp>
             </collectionProp>
diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index a8b251888e..6b5cbd8d3f 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -83,70 +83,44 @@ for op in "${OPS[@]}"; do
 done
 echo ""
 
-# ---------------------------------------------------------------- Chart helpers
-# Mermaid xychart-beta has no grouped bars/legend, so to get two adjacent (non-overlapping)
-# columns per operation we repeat each op on the x-axis and zero-pad the two series: OpenLDAP
-# bars land on the left tick of each pair, OpenDJ on the right tick.
-#
-# x-axis: each op as two *distinct* labels -> "ADD OL", "ADD DJ", "SEARCH OL", ...
-# The labels MUST be unique: xychart-beta merges duplicate category labels into one slot, which
-# would put both series back on the same column (overlapping). Distinct labels keep the columns
-# separate so the zero-padded series render side by side.
-xaxis_pairs() {
+# ---------------------------------------------------------------- Chart helpers (QuickChart)
+# Mermaid xychart-beta can't do grouped bars / a legend and crowds 14 x-labels, so render proper
+# grouped bar charts via QuickChart (Chart.js) as images: https://quickchart.io/chart?c=<config>.
+OL_COLOR="#4e79a7"   # blue   = OpenLDAP
+DJ_COLOR="#f28e2b"   # orange = OpenDJ
+
+# JSON array of the OPS labels: ["ADD","SEARCH",...].
+labels_json() {
   local out="" op
-  for op in "${OPS[@]}"; do out+="${out:+, }\"${op} OL\", \"${op} DJ\""; done
-  printf '%s' "$out"
+  for op in "${OPS[@]}"; do out+="${out:+,}\"${op}\""; done
+  printf '[%s]' "$out"
 }
-# OpenLDAP series: value then 0 per op (bar on the left tick of each pair).
-series_ol() { # <fn> <file> <field>
+# Comma-joined values for all OPS from <file> <field> via the <m> helper.
+vals() { # <fn> <file> <field>
   local fn="$1" file="$2" field="$3" out="" v
-  for op in "${OPS[@]}"; do v=$("$fn" "$file" "$op" "$field"); out+="${out:+, }${v}, 0"; done
+  for op in "${OPS[@]}"; do v=$("$fn" "$file" "$op" "$field"); out+="${out:+,}${v}"; done
   printf '%s' "$out"
 }
-# OpenDJ series: 0 then value per op (bar on the right tick of each pair).
-series_dj() { # <fn> <file> <field>
-  local fn="$1" file="$2" field="$3" out="" v
-  for op in "${OPS[@]}"; do v=$("$fn" "$file" "$op" "$field"); out+="${out:+, }0, ${v}"; done
-  printf '%s' "$out"
-}
-
-XAXIS="$(xaxis_pairs)"
-# Fix the two series colors (series 1 = OpenLDAP blue, series 2 = OpenDJ orange).
-PALETTE='%%{init: {"themeVariables": {"xyChart": {"plotColorPalette": "#4e79a7, #f28e2b"}}}}%%'
-CAPTION="_Each operation has two columns: 🟦 OpenLDAP (left) · 🟧 OpenDJ (right)._"
+urienc() { jq -rn --arg s "$1" '$s|@uri'; }                       # URL-encode the chart config
+qc() { printf 'https://quickchart.io/chart?w=%s&h=%s&c=%s' "$1" "$2" "$(urienc "$3")"; }
 
 # ---------------------------------------------------------------- Total throughput chart
 echo "### Total throughput (ops/s, higher is better)"
 echo ""
-echo "_🟦 OpenLDAP · 🟧 OpenDJ. Per-operation throughput is intentionally not charted: every"
-echo "operation runs once per loop iteration, so each op's throughput just equals the loop rate"
-echo "(nearly identical across ops). The meaningful throughput is the aggregate shown here._"
+echo "_Per-operation throughput is not charted: every op runs once per loop iteration, so each"
+echo "op's throughput just equals the loop rate. The meaningful throughput is the aggregate._"
 echo ""
-echo '```mermaid'
-echo "$PALETTE"
-echo "xychart-beta"
-echo "    title \"Total throughput (ops/s) — OpenLDAP vs OpenDJ\""
-echo "    x-axis [\"OpenLDAP\", \"OpenDJ\"]"
-echo "    y-axis \"ops/s\""
-echo "    bar [${ol_tot_tp}, 0]"
-echo "    bar [0, ${dj_tot_tp}]"
-echo '```'
+TP_CFG="{\"type\":\"bar\",\"data\":{\"labels\":[\"OpenLDAP\",\"OpenDJ\"],\"datasets\":[{\"label\":\"ops/s\",\"backgroundColor\":[\"$OL_COLOR\",\"$DJ_COLOR\"],\"data\":[${ol_tot_tp},${dj_tot_tp}]}]},\"options\":{\"legend\":{\"display\":false},\"title\":{\"display\":true,\"text\":\"Total throughput (ops/s)\"}}}"
+echo "![Total throughput (ops/s)]($(qc 500 320 "$TP_CFG"))"
 echo ""
 
-# ---------------------------------------------------------------- Latency chart
-echo "### Comparative chart — mean latency per operation (ms, lower is better)"
+# ---------------------------------------------------------------- Latency chart (grouped bars)
+echo "### Mean latency per operation (ms, lower is better)"
 echo ""
-echo "$CAPTION"
+echo "_🟦 OpenLDAP · 🟧 OpenDJ — grouped bars per operation._"
 echo ""
-echo '```mermaid'
-echo "$PALETTE"
-echo "xychart-beta"
-echo "    title \"Mean latency per operation (ms) — OpenLDAP vs OpenDJ\""
-echo "    x-axis [${XAXIS}]"
-echo "    y-axis \"ms\""
-echo "    bar [$(series_ol m "$OL_JSON" meanResTime)]"
-echo "    bar [$(series_dj m "$DJ_JSON" meanResTime)]"
-echo '```'
+LAT_CFG="{\"type\":\"bar\",\"data\":{\"labels\":$(labels_json),\"datasets\":[{\"label\":\"OpenLDAP\",\"backgroundColor\":\"$OL_COLOR\",\"data\":[$(vals m "$OL_JSON" meanResTime)]},{\"label\":\"OpenDJ\",\"backgroundColor\":\"$DJ_COLOR\",\"data\":[$(vals m "$DJ_JSON" meanResTime)]}]},\"options\":{\"title\":{\"display\":true,\"text\":\"Mean latency per operation (ms)\"}}}"
+echo "![Mean latency per operation (ms)]($(qc 900 400 "$LAT_CFG"))"
 echo ""
 
 # ---------------------------------------------------------------- Caveats

From af83007d1fd2f906a8aefa3e7c33a1de1f471437 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 16:26:17 +0300
Subject: [PATCH 08/15] Benchmark: lighter default load, log-scale latency,
 per-server log artifacts

- Lower the default load to 128 threads / 300s (was 256 / 600), in the workflow
  inputs and env fallbacks and in the JMX __P defaults.
- Latency chart: switch the Y axis to logarithmic so the small per-operation
  values stay readable next to the large ones (e.g. OpenLDAP BIND).
- Capture server logs and upload them as two per-server artifacts. Each Stop step
  (if: always(), so logs are kept on failure too) now saves the container's
  `docker logs` to <server>/server.log and copies the in-container log directory
  (OpenDJ /opt/opendj/data/logs -> opendj/internal; OpenLDAP /var/log ->
  openldap/var-log). Uploaded as artifacts logs-opendj and logs-openldap.
- Set retention-days: 90 on all artifacts (jmeter-reports, logs-openldap,
  logs-opendj).
---
 .github/benchmark/benchmark.jmx |  4 +--
 .github/benchmark/summary.sh    |  7 ++---
 .github/workflows/benchmark.yml | 45 +++++++++++++++++++++++++--------
 3 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/.github/benchmark/benchmark.jmx b/.github/benchmark/benchmark.jmx
index 07aed73fa3..4abe3c1399 100644
--- a/.github/benchmark/benchmark.jmx
+++ b/.github/benchmark/benchmark.jmx
@@ -33,10 +33,10 @@
           <boolProp name="LoopController.continue_forever">false</boolProp>
           <stringProp name="LoopController.loops">-1</stringProp>
         </elementProp>
-        <stringProp name="ThreadGroup.num_threads">${__P(threads,256)}</stringProp>
+        <stringProp name="ThreadGroup.num_threads">${__P(threads,128)}</stringProp>
         <stringProp name="ThreadGroup.ramp_time">${__P(rampup,0)}</stringProp>
         <boolProp name="ThreadGroup.scheduler">true</boolProp>
-        <stringProp name="ThreadGroup.duration">${__P(duration,600)}</stringProp>
+        <stringProp name="ThreadGroup.duration">${__P(duration,300)}</stringProp>
         <stringProp name="ThreadGroup.delay"></stringProp>
       </ThreadGroup>
       <hashTree>
diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index 6b5cbd8d3f..6d233b5522 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -115,11 +115,12 @@ echo "![Total throughput (ops/s)]($(qc 500 320 "$TP_CFG"))"
 echo ""
 
 # ---------------------------------------------------------------- Latency chart (grouped bars)
-echo "### Mean latency per operation (ms, lower is better)"
+echo "### Mean latency per operation (ms, log scale — lower is better)"
 echo ""
-echo "_🟦 OpenLDAP · 🟧 OpenDJ — grouped bars per operation._"
+echo "_🟦 OpenLDAP · 🟧 OpenDJ — grouped bars per operation. Y axis is logarithmic so the small"
+echo "values stay visible next to the large ones._"
 echo ""
-LAT_CFG="{\"type\":\"bar\",\"data\":{\"labels\":$(labels_json),\"datasets\":[{\"label\":\"OpenLDAP\",\"backgroundColor\":\"$OL_COLOR\",\"data\":[$(vals m "$OL_JSON" meanResTime)]},{\"label\":\"OpenDJ\",\"backgroundColor\":\"$DJ_COLOR\",\"data\":[$(vals m "$DJ_JSON" meanResTime)]}]},\"options\":{\"title\":{\"display\":true,\"text\":\"Mean latency per operation (ms)\"}}}"
+LAT_CFG="{\"type\":\"bar\",\"data\":{\"labels\":$(labels_json),\"datasets\":[{\"label\":\"OpenLDAP\",\"backgroundColor\":\"$OL_COLOR\",\"data\":[$(vals m "$OL_JSON" meanResTime)]},{\"label\":\"OpenDJ\",\"backgroundColor\":\"$DJ_COLOR\",\"data\":[$(vals m "$DJ_JSON" meanResTime)]}]},\"options\":{\"title\":{\"display\":true,\"text\":\"Mean latency per operation (ms, log scale)\"},\"scales\":{\"yAxes\":[{\"type\":\"logarithmic\"}]}}}"
 echo "![Mean latency per operation (ms)]($(qc 900 400 "$LAT_CFG"))"
 echo ""
 
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index d01d019f5a..9c285713b2 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -31,10 +31,10 @@ on:
         default: "openidentityplatform/opendj:latest"
       threads:
         description: "Concurrent JMeter threads"
-        default: "256"
+        default: "128"
       duration:
         description: "Test duration per server (seconds)"
-        default: "600"
+        default: "300"
       rampup:
         description: "Ramp-up period (seconds)"
         default: "0"
@@ -65,8 +65,8 @@ jobs:
       # `${{ inputs.X || 'default' }}` so workflow_run (which carries no inputs) falls back.
       OPENLDAP_IMAGE: ${{ inputs.openldap_image || 'osixia/openldap:latest' }}
       OPENDJ_IMAGE: ${{ inputs.opendj_image || 'openidentityplatform/opendj:latest' }}
-      THREADS: ${{ inputs.threads || '256' }}
-      DURATION: ${{ inputs.duration || '600' }}
+      THREADS: ${{ inputs.threads || '128' }}
+      DURATION: ${{ inputs.duration || '300' }}
       RAMPUP: ${{ inputs.rampup || '0' }}
       JMETER: ${{ inputs.jmeter_version || '5.6.3' }}
       BENCHPW: benchPass1
@@ -159,8 +159,13 @@ jobs:
             -l openldap.jtl -e -o openldap
 
       - name: Stop OpenLDAP
+        if: always()
         run: |
-          docker logs openldap 2>&1 | tail -n 100 || true
+          mkdir -p logs/openldap
+          docker logs openldap > logs/openldap/server.log 2>&1 || true
+          # osixia mostly logs to stdout (captured above); grab the in-container /var/log too.
+          docker cp openldap:/var/log logs/openldap/var-log 2>/dev/null || true
+          tail -n 100 logs/openldap/server.log || true
           docker rm -f openldap || true
 
       - name: Start OpenDJ
@@ -220,8 +225,14 @@ jobs:
             -l opendj.jtl -e -o opendj
 
       - name: Stop OpenDJ
+        if: always()
         run: |
-          docker logs opendj 2>&1 | tail -n 100 || true
+          mkdir -p logs/opendj
+          docker logs opendj > logs/opendj/server.log 2>&1 || true
+          # OpenDJ's internal log directory (errors, access, replication, server.out, ...).
+          docker cp opendj:/opt/opendj/data/logs logs/opendj/internal 2>/dev/null \
+            || docker cp opendj:/opt/opendj/logs logs/opendj/internal 2>/dev/null || true
+          tail -n 100 logs/opendj/server.log || true
           docker rm -f opendj || true
 
       # ---------------------------------------------------------------- Report
@@ -242,10 +253,22 @@ jobs:
             opendj/
             *.jtl
           if-no-files-found: warn
+          retention-days: 90
 
-      - name: Container logs + cleanup
+      - name: Upload OpenLDAP logs
         if: always()
-        run: |
-          docker logs openldap 2>&1 | tail -n 100 || true
-          docker logs opendj 2>&1 | tail -n 100 || true
-          docker rm -f openldap opendj || true
+        uses: actions/upload-artifact@v7
+        with:
+          name: logs-openldap
+          path: logs/openldap/
+          if-no-files-found: warn
+          retention-days: 90
+
+      - name: Upload OpenDJ logs
+        if: always()
+        uses: actions/upload-artifact@v7
+        with:
+          name: logs-opendj
+          path: logs/opendj/
+          if-no-files-found: warn
+          retention-days: 90

From 736c83dc1c71b19abc0554b7df10ec0dc117cc84 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 16:59:33 +0300
Subject: [PATCH 09/15] Benchmark: 200 threads default, p99 latency chart
 (linear)

- Raise the default concurrent thread count to 200 (was 128) in the workflow
  input and env fallback and in the JMX __P default.
- Latency chart now plots p99 instead of mean: tail latency is the more
  meaningful metric for the skewed LDAP latency distributions under load (mean
  hides the tail). The Y axis is linear (logarithmic scale removed).
---
 .github/benchmark/benchmark.jmx | 2 +-
 .github/benchmark/summary.sh    | 9 ++++-----
 .github/workflows/benchmark.yml | 4 ++--
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/.github/benchmark/benchmark.jmx b/.github/benchmark/benchmark.jmx
index 4abe3c1399..7fcd0a78d3 100644
--- a/.github/benchmark/benchmark.jmx
+++ b/.github/benchmark/benchmark.jmx
@@ -33,7 +33,7 @@
           <boolProp name="LoopController.continue_forever">false</boolProp>
           <stringProp name="LoopController.loops">-1</stringProp>
         </elementProp>
-        <stringProp name="ThreadGroup.num_threads">${__P(threads,128)}</stringProp>
+        <stringProp name="ThreadGroup.num_threads">${__P(threads,200)}</stringProp>
         <stringProp name="ThreadGroup.ramp_time">${__P(rampup,0)}</stringProp>
         <boolProp name="ThreadGroup.scheduler">true</boolProp>
         <stringProp name="ThreadGroup.duration">${__P(duration,300)}</stringProp>
diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index 6d233b5522..dbc29a91af 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -115,13 +115,12 @@ echo "![Total throughput (ops/s)]($(qc 500 320 "$TP_CFG"))"
 echo ""
 
 # ---------------------------------------------------------------- Latency chart (grouped bars)
-echo "### Mean latency per operation (ms, log scale — lower is better)"
+echo "### p99 latency per operation (ms, lower is better)"
 echo ""
-echo "_🟦 OpenLDAP · 🟧 OpenDJ — grouped bars per operation. Y axis is logarithmic so the small"
-echo "values stay visible next to the large ones._"
+echo "_🟦 OpenLDAP · 🟧 OpenDJ — grouped bars per operation._"
 echo ""
-LAT_CFG="{\"type\":\"bar\",\"data\":{\"labels\":$(labels_json),\"datasets\":[{\"label\":\"OpenLDAP\",\"backgroundColor\":\"$OL_COLOR\",\"data\":[$(vals m "$OL_JSON" meanResTime)]},{\"label\":\"OpenDJ\",\"backgroundColor\":\"$DJ_COLOR\",\"data\":[$(vals m "$DJ_JSON" meanResTime)]}]},\"options\":{\"title\":{\"display\":true,\"text\":\"Mean latency per operation (ms, log scale)\"},\"scales\":{\"yAxes\":[{\"type\":\"logarithmic\"}]}}}"
-echo "![Mean latency per operation (ms)]($(qc 900 400 "$LAT_CFG"))"
+LAT_CFG="{\"type\":\"bar\",\"data\":{\"labels\":$(labels_json),\"datasets\":[{\"label\":\"OpenLDAP\",\"backgroundColor\":\"$OL_COLOR\",\"data\":[$(vals mi "$OL_JSON" pct3ResTime)]},{\"label\":\"OpenDJ\",\"backgroundColor\":\"$DJ_COLOR\",\"data\":[$(vals mi "$DJ_JSON" pct3ResTime)]}]},\"options\":{\"title\":{\"display\":true,\"text\":\"p99 latency per operation (ms)\"}}}"
+echo "![p99 latency per operation (ms)]($(qc 900 400 "$LAT_CFG"))"
 echo ""
 
 # ---------------------------------------------------------------- Caveats
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 9c285713b2..37899ec7d0 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -31,7 +31,7 @@ on:
         default: "openidentityplatform/opendj:latest"
       threads:
         description: "Concurrent JMeter threads"
-        default: "128"
+        default: "200"
       duration:
         description: "Test duration per server (seconds)"
         default: "300"
@@ -65,7 +65,7 @@ jobs:
       # `${{ inputs.X || 'default' }}` so workflow_run (which carries no inputs) falls back.
       OPENLDAP_IMAGE: ${{ inputs.openldap_image || 'osixia/openldap:latest' }}
       OPENDJ_IMAGE: ${{ inputs.opendj_image || 'openidentityplatform/opendj:latest' }}
-      THREADS: ${{ inputs.threads || '128' }}
+      THREADS: ${{ inputs.threads || '200' }}
       DURATION: ${{ inputs.duration || '300' }}
       RAMPUP: ${{ inputs.rampup || '0' }}
       JMETER: ${{ inputs.jmeter_version || '5.6.3' }}

From de3526645a13633ef6779dfb281255f9f3641fca Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 19:18:31 +0300
Subject: [PATCH 10/15] Benchmark: migrate OpenLDAP to vegardit (2.6), hash
 with {SSHA}

Switch the OpenLDAP side from osixia/openldap (OpenLDAP 2.4.57, unmaintained) to
vegardit/docker-openldap (OpenLDAP 2.6.10).

- Adapt the setup to vegardit's interface: `LDAP_INIT_ORG_DN`,
  `LDAP_INIT_ROOT_USER_DN` (override to `cn=admin,<base>`), `LDAP_INIT_ROOT_USER_PW`,
  disable TLS/LDAPS, and neutralize the image's built-in ppolicy friction
  (lockout, pqChecker, min length) for the benchmark.
- vegardit ships no SHA-2 module, so use `{SSHA}` (Salted SHA-1) instead of
  `{SSHA256}`: it is OpenLDAP core and a built-in OpenDJ scheme, so both servers
  still hash identically. Set `olcPasswordHash {SSHA}` and enable hash-cleartext on
  vegardit's already-loaded ppolicy overlay (no module load or restart needed);
  set OpenDJ's default storage scheme to Salted SHA-1. cn=config edits go via
  EXTERNAL over ldapi as root.
- `mail` is still equality-indexed by default on vegardit (`uid,mail`), so the
  indexed SEARCH-on-mail comparison remains fair.
---
 .github/benchmark/benchmark.jmx |  2 +-
 .github/benchmark/summary.sh    |  4 +--
 .github/workflows/benchmark.yml | 53 ++++++++++++++++-----------------
 3 files changed, 29 insertions(+), 30 deletions(-)

diff --git a/.github/benchmark/benchmark.jmx b/.github/benchmark/benchmark.jmx
index 7fcd0a78d3..97aecff820 100644
--- a/.github/benchmark/benchmark.jmx
+++ b/.github/benchmark/benchmark.jmx
@@ -17,7 +17,7 @@
 <jmeterTestPlan version="1.2" properties="5.0" jmeter="5.6.3">
   <hashTree>
     <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="OpenDJ vs OpenLDAP - LDAP benchmark" enabled="true">
-      <stringProp name="TestPlan.comments">Parametrized LDAP benchmark. Admin bind is cached once per thread (Once Only Controller, labelled ADMIN_CONNECT, excluded from metrics). Data ops (ADD/SEARCH/COMPARE/MODIFY/DELETE/READD) reuse the cached admin connection. Entries use mail as the naming/searchable attribute (equality-indexed by default on BOTH OpenDJ and OpenLDAP/osixia); no cn/sn/uid/givenName/telephoneNumber/member/uniqueMember are stored (those are indexed on OpenDJ but not osixia, which would bias the write cost). Every created value is unique: ADD uses a per-iteration counter, READD uses a UUID. The measured user authentication is a single bind/unbind (test=sbind, own connection) after MODIFY has set the userPassword.</stringProp>
+      <stringProp name="TestPlan.comments">Parametrized LDAP benchmark. Admin bind is cached once per thread (Once Only Controller, labelled ADMIN_CONNECT, excluded from metrics). Data ops (ADD/SEARCH/COMPARE/MODIFY/DELETE/READD) reuse the cached admin connection. Entries use mail as the naming/searchable attribute (equality-indexed by default on BOTH OpenDJ and OpenLDAP); only mail + objectClass (both indexed on both servers) are stored, keeping the write cost symmetric. Every created value is unique: ADD uses a per-iteration counter, READD uses a UUID. The measured user authentication is a single bind/unbind (test=sbind, own connection) after MODIFY has set the userPassword.</stringProp>
       <boolProp name="TestPlan.functional_mode">false</boolProp>
       <boolProp name="TestPlan.tearDown_on_shutdown">true</boolProp>
       <boolProp name="TestPlan.serialize_threadgroups">false</boolProp>
diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index dbc29a91af..7608f4b308 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -130,6 +130,6 @@ echo "- \`BIND\` is the measured **user authentication** (\`test=sbind\`, single
 echo "  own connection) as \`cn=user_<n>,ou=People\` with the password set by \`MODIFY\`. The admin"
 echo "  connection bind (\`ADMIN_CONNECT\`) is cached once per thread and excluded from these results."
 echo "- MODIFY sends the password in cleartext; each server hashes it on write with the **same"
-echo "  scheme (SSHA-256)** — OpenLDAP via the pw-sha2 module + ppolicy hash-cleartext, OpenDJ via"
-echo "  its Salted SHA-256 default scheme — so BIND authentication is compared on equal footing."
+echo "  scheme (SSHA, Salted SHA-1)** — OpenLDAP via the ppolicy hash-cleartext overlay, OpenDJ via"
+echo "  its Salted SHA-1 default scheme — so BIND authentication is compared on equal footing."
 echo "- Full interactive JMeter HTML dashboards are attached as the \`jmeter-reports\` artifact."
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 37899ec7d0..456992294e 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -25,7 +25,7 @@ on:
     inputs:
       openldap_image:
         description: "OpenLDAP Docker image"
-        default: "osixia/openldap:latest"
+        default: "vegardit/docker-openldap:latest"
       opendj_image:
         description: "OpenDJ Docker image"
         default: "openidentityplatform/opendj:latest"
@@ -63,7 +63,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       # `${{ inputs.X || 'default' }}` so workflow_run (which carries no inputs) falls back.
-      OPENLDAP_IMAGE: ${{ inputs.openldap_image || 'osixia/openldap:latest' }}
+      OPENLDAP_IMAGE: ${{ inputs.openldap_image || 'vegardit/docker-openldap:latest' }}
       OPENDJ_IMAGE: ${{ inputs.opendj_image || 'openidentityplatform/opendj:latest' }}
       THREADS: ${{ inputs.threads || '200' }}
       DURATION: ${{ inputs.duration || '300' }}
@@ -97,13 +97,18 @@ jobs:
       - name: Start OpenLDAP
         run: |
           docker run -d --name openldap -p 2389:389 \
-            -e LDAP_ORGANISATION="Example" \
-            -e LDAP_DOMAIN="example.com" \
-            -e LDAP_ADMIN_PASSWORD="password" \
-            -e LDAP_TLS=false \
+            -e LDAP_INIT_ORG_NAME="Example" \
+            -e LDAP_INIT_ORG_DN="$BASEDN" \
+            -e LDAP_INIT_ROOT_USER_DN="cn=admin,$BASEDN" \
+            -e LDAP_INIT_ROOT_USER_PW="password" \
+            -e LDAP_TLS_ENABLED=false \
+            -e LDAP_LDAPS_ENABLED=false \
+            -e LDAP_INIT_PPOLICY_PW_MIN_LENGTH=1 \
+            -e LDAP_INIT_PPOLICY_MAX_FAILURES=0 \
+            -e LDAP_PPOLICY_PQCHECKER_RULE="0|00000000" \
             "$OPENLDAP_IMAGE"
 
-      - name: Configure OpenLDAP (SSHA-256 hash-on-write, seed)
+      - name: Configure OpenLDAP (SSHA hash-on-write, seed)
         run: |
           wait_ldap() {
             for i in $(seq 1 90); do
@@ -112,23 +117,17 @@ jobs:
               sleep 2
             done
           }
-          le() { docker exec -i openldap "$@" -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true; }
+          # cn=config edits via EXTERNAL over ldapi as root (-u 0).
+          le() { docker exec -u 0 -i openldap ldapmodify -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1 || true; }
           wait_ldap
-          # Load pw-sha2 (provides {SSHA256}) and ppolicy (overlay) modules; osixia ships both
-          # in /usr/lib/ldap. Create the module list entry or append the values, then restart so
-          # the modules are active in the running slapd.
-          printf 'dn: cn=module{0},cn=config\nobjectClass: olcModuleList\nolcModuleLoad: pw-sha2\nolcModuleLoad: ppolicy\n' | le ldapadd
-          printf 'dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: pw-sha2\n' | le ldapmodify
-          printf 'dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: ppolicy\n' | le ldapmodify
-          docker restart openldap
-          wait_ldap
-          # Make slapd hash cleartext userPassword with {SSHA256} on a plain modify: set the global
-          # password-hash and enable the ppolicy overlay's hash_cleartext on the mdb database.
-          printf 'dn: olcDatabase={-1}frontend,cn=config\nchangetype: modify\nreplace: olcPasswordHash\nolcPasswordHash: {SSHA256}\n' | le ldapmodify
-          DBDN="$(docker exec openldap ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config '(olcDatabase=*mdb)' dn 2>/dev/null | sed -n 's/^dn: //p' | head -1)"
-          [ -n "$DBDN" ] || DBDN="olcDatabase={1}mdb,cn=config"
-          printf 'dn: olcOverlay=ppolicy,%s\nobjectClass: olcOverlayConfig\nobjectClass: olcPPolicyConfig\nolcOverlay: ppolicy\nolcPPolicyHashCleartext: TRUE\n' "$DBDN" | le ldapadd
-          # Seed ou=People (after the restart so it survives any re-init).
+          # This image ships no SHA-2 module, so use {SSHA} (Salted SHA-1, OpenLDAP core) — also a
+          # built-in OpenDJ scheme, so both servers hash identically. Set it as the global hash.
+          printf 'dn: olcDatabase={-1}frontend,cn=config\nchangetype: modify\nreplace: olcPasswordHash\nolcPasswordHash: {SSHA}\n' | le
+          # The image already loads the ppolicy overlay; enable hash-cleartext on it so a plain
+          # admin modify of a cleartext userPassword is hashed with {SSHA} on write.
+          PPDN="$(docker exec -u 0 openldap ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config '(olcOverlay=*ppolicy)' dn 2>/dev/null | sed -n 's/^dn: //p' | head -1)"
+          [ -z "$PPDN" ] || printf 'dn: %s\nchangetype: modify\nreplace: olcPPolicyHashCleartext\nolcPPolicyHashCleartext: TRUE\n' "$PPDN" | le
+          # Seed ou=People.
           ldapadd -x -H ldap://localhost:2389 -D "cn=admin,$BASEDN" -w password \
             -f .github/benchmark/people.ldif || true
 
@@ -163,7 +162,7 @@ jobs:
         run: |
           mkdir -p logs/openldap
           docker logs openldap > logs/openldap/server.log 2>&1 || true
-          # osixia mostly logs to stdout (captured above); grab the in-container /var/log too.
+          # slapd mostly logs to stdout (captured above); grab the in-container /var/log too.
           docker cp openldap:/var/log logs/openldap/var-log 2>/dev/null || true
           tail -n 100 logs/openldap/server.log || true
           docker rm -f openldap || true
@@ -188,12 +187,12 @@ jobs:
           ldapadd -x -H ldap://localhost:1389 -D "cn=Directory Manager" -w password \
             -f .github/benchmark/people.ldif || true
 
-      - name: Configure OpenDJ password policy (SSHA-256 hash-on-write)
+      - name: Configure OpenDJ password policy (SSHA hash-on-write)
         run: |
-          # Hash cleartext userPassword with Salted SHA-256 on write, matching OpenLDAP.
+          # Hash cleartext userPassword with Salted SHA-1 on write, matching OpenLDAP {SSHA}.
           docker exec opendj /opt/opendj/bin/dsconfig set-password-policy-prop \
             --policy-name "Default Password Policy" \
-            --set default-password-storage-scheme:"Salted SHA-256" \
+            --set default-password-storage-scheme:"Salted SHA-1" \
             --hostname localhost --port 4444 \
             --bindDN "cn=Directory Manager" --bindPassword password \
             --trustAll --no-prompt

From d7a519ff05732346ba63f18dd53285e334a6a09c Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Mon, 22 Jun 2026 19:27:39 +0300
Subject: [PATCH 11/15] Benchmark: fix OpenLDAP image name to vegardit/openldap

The Docker Hub image is published as `vegardit/openldap`, not
`vegardit/docker-openldap` (that is the GitHub repository name). The wrong name
made `docker run` fail with "pull access denied / repository does not exist".
Fix both the input default and the env fallback.
---
 .github/workflows/benchmark.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 456992294e..f64cdc7dd2 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -25,7 +25,7 @@ on:
     inputs:
       openldap_image:
         description: "OpenLDAP Docker image"
-        default: "vegardit/docker-openldap:latest"
+        default: "vegardit/openldap:latest"
       opendj_image:
         description: "OpenDJ Docker image"
         default: "openidentityplatform/opendj:latest"
@@ -63,7 +63,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       # `${{ inputs.X || 'default' }}` so workflow_run (which carries no inputs) falls back.
-      OPENLDAP_IMAGE: ${{ inputs.openldap_image || 'vegardit/docker-openldap:latest' }}
+      OPENLDAP_IMAGE: ${{ inputs.openldap_image || 'vegardit/openldap:latest' }}
       OPENDJ_IMAGE: ${{ inputs.opendj_image || 'openidentityplatform/opendj:latest' }}
       THREADS: ${{ inputs.threads || '200' }}
       DURATION: ${{ inputs.duration || '300' }}

From 5ec57539279164d5be9797a4975f2e9bdaf0263c Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Tue, 23 Jun 2026 11:44:55 +0300
Subject: [PATCH 12/15] Benchmark: make summary.sh reusable, move notes into
 the workflow

- Parametrize summary.sh: the server name, version and image are now arguments
  per server (`<name> <statistics.json> <version> <image>` x2), replacing the
  hardcoded "OpenLDAP"/"OpenDJ". The report title, tables and chart
  legends/labels are all driven by the passed names, so the script can compare
  any two LDAP servers.
- Move the benchmark-specific Notes out of the script into the workflow's
  "Build job summary" step (appended to $GITHUB_STEP_SUMMARY after the generic
  report).
---
 .github/benchmark/summary.sh    | 80 +++++++++++++++------------------
 .github/workflows/benchmark.yml | 20 +++++++--
 2 files changed, 54 insertions(+), 46 deletions(-)

diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index 7608f4b308..992c43115e 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -13,23 +13,30 @@
 #
 # Copyright 2026 3A Systems, LLC.
 #
-# Render an OpenDJ-vs-OpenLDAP LDAP benchmark report (versions + comparison table +
-# comparative Mermaid charts) to stdout — intended to be appended to $GITHUB_STEP_SUMMARY.
+# Render an LDAP benchmark comparison report (versions + per-operation table + QuickChart charts)
+# for two servers A and B to stdout — intended to be appended to $GITHUB_STEP_SUMMARY. The report
+# is generic: server names, versions and images are all parameters, and benchmark-specific notes
+# are NOT included here (append them separately, e.g. `cat notes.md >> $GITHUB_STEP_SUMMARY`).
 #
 # Usage:
-#   summary.sh <openldap_statistics.json> <opendj_statistics.json> \
-#              <openldap_version> <opendj_version> [openldap_image] [opendj_image]
+#   summary.sh <A_name> <A_statistics.json> <A_version> <A_image> \
+#              <B_name> <B_statistics.json> <B_version> <B_image>
 #
 # The admin connection bind is labelled ADMIN_CONNECT in the plan and is intentionally
 # skipped here, so it never pollutes the per-operation comparison.
 set -euo pipefail
 
-OL_JSON="${1:?openldap statistics.json required}"
-DJ_JSON="${2:?opendj statistics.json required}"
-OL_VER="${3:-unknown}"
-DJ_VER="${4:-unknown}"
-OL_IMG="${5:-}"
-DJ_IMG="${6:-}"
+A_NAME="${1:?server A name required}"
+A_JSON="${2:?server A statistics.json required}"
+A_VER="${3:-unknown}"
+A_IMG="${4:-}"
+B_NAME="${5:?server B name required}"
+B_JSON="${6:?server B statistics.json required}"
+B_VER="${7:-unknown}"
+B_IMG="${8:-}"
+
+A_COLOR="#4e79a7"   # blue   = server A
+B_COLOR="#f28e2b"   # orange = server B
 
 # Operations to compare, in workflow order. ADMIN_CONNECT and Total are excluded.
 OPS=("ADD" "SEARCH" "COMPARE" "MODIFY" "BIND" "DELETE" "READD")
@@ -39,7 +46,7 @@ m() { jq -r --arg l "$2" --arg f "$3" '((.[$l][$f]) // 0) | (.*10 | round / 10)'
 # mi <file> <label> <field> -> integer value (0 if absent).
 mi() { jq -r --arg l "$2" --arg f "$3" '((.[$l][$f]) // 0) | round' "$1"; }
 
-echo "## 🔬 Benchmark: OpenDJ vs OpenLDAP"
+echo "## 🔬 Benchmark: ${A_NAME} vs ${B_NAME}"
 echo ""
 
 # ---------------------------------------------------------------- Versions
@@ -47,47 +54,45 @@ echo "### Versions"
 echo ""
 echo "| Server | Version | Image |"
 echo "|---|---|---|"
-echo "| **OpenLDAP** | \`${OL_VER}\` | \`${OL_IMG:-n/a}\` |"
-echo "| **OpenDJ** | \`${DJ_VER}\` | \`${DJ_IMG:-n/a}\` |"
+echo "| **${A_NAME}** | \`${A_VER}\` | \`${A_IMG:-n/a}\` |"
+echo "| **${B_NAME}** | \`${B_VER}\` | \`${B_IMG:-n/a}\` |"
 echo ""
 
 # ---------------------------------------------------------------- Totals
-ol_tot_tp=$(m  "$OL_JSON" Total throughput)
-dj_tot_tp=$(m  "$DJ_JSON" Total throughput)
-ol_tot_n=$(mi  "$OL_JSON" Total sampleCount)
-dj_tot_n=$(mi  "$DJ_JSON" Total sampleCount)
-ol_tot_e=$(mi  "$OL_JSON" Total errorCount)
-dj_tot_e=$(mi  "$DJ_JSON" Total errorCount)
-ol_tot_mean=$(m "$OL_JSON" Total meanResTime)
-dj_tot_mean=$(m "$DJ_JSON" Total meanResTime)
+a_tot_tp=$(m  "$A_JSON" Total throughput)
+b_tot_tp=$(m  "$B_JSON" Total throughput)
+a_tot_n=$(mi  "$A_JSON" Total sampleCount)
+b_tot_n=$(mi  "$B_JSON" Total sampleCount)
+a_tot_e=$(mi  "$A_JSON" Total errorCount)
+b_tot_e=$(mi  "$B_JSON" Total errorCount)
+a_tot_mean=$(m "$A_JSON" Total meanResTime)
+b_tot_mean=$(m "$B_JSON" Total meanResTime)
 
 echo "### Totals (all operations, ADMIN_CONNECT excluded by the plan label)"
 echo ""
 echo "| Server | Throughput (ops/s) | Mean (ms) | Samples | Errors |"
 echo "|---|--:|--:|--:|--:|"
-echo "| **OpenLDAP** | ${ol_tot_tp} | ${ol_tot_mean} | ${ol_tot_n} | ${ol_tot_e} |"
-echo "| **OpenDJ** | ${dj_tot_tp} | ${dj_tot_mean} | ${dj_tot_n} | ${dj_tot_e} |"
+echo "| **${A_NAME}** | ${a_tot_tp} | ${a_tot_mean} | ${a_tot_n} | ${a_tot_e} |"
+echo "| **${B_NAME}** | ${b_tot_tp} | ${b_tot_mean} | ${b_tot_n} | ${b_tot_e} |"
 echo ""
 
 # ---------------------------------------------------------------- Per-op table
 echo "### Per-operation latency"
 echo ""
-echo "| Operation | mean ms OpenLDAP | mean ms OpenDJ | p99 ms OpenLDAP | p99 ms OpenDJ | err OL | err DJ |"
+echo "| Operation | mean ms ${A_NAME} | mean ms ${B_NAME} | p99 ms ${A_NAME} | p99 ms ${B_NAME} | err ${A_NAME} | err ${B_NAME} |"
 echo "|---|--:|--:|--:|--:|--:|--:|"
 for op in "${OPS[@]}"; do
   printf '| %s | %s | %s | %s | %s | %s | %s |\n' \
     "$op" \
-    "$(m  "$OL_JSON" "$op" meanResTime)"  "$(m  "$DJ_JSON" "$op" meanResTime)" \
-    "$(mi "$OL_JSON" "$op" pct3ResTime)"  "$(mi "$DJ_JSON" "$op" pct3ResTime)" \
-    "$(mi "$OL_JSON" "$op" errorCount)"   "$(mi "$DJ_JSON" "$op" errorCount)"
+    "$(m  "$A_JSON" "$op" meanResTime)"  "$(m  "$B_JSON" "$op" meanResTime)" \
+    "$(mi "$A_JSON" "$op" pct3ResTime)"  "$(mi "$B_JSON" "$op" pct3ResTime)" \
+    "$(mi "$A_JSON" "$op" errorCount)"   "$(mi "$B_JSON" "$op" errorCount)"
 done
 echo ""
 
 # ---------------------------------------------------------------- Chart helpers (QuickChart)
 # Mermaid xychart-beta can't do grouped bars / a legend and crowds 14 x-labels, so render proper
 # grouped bar charts via QuickChart (Chart.js) as images: https://quickchart.io/chart?c=<config>.
-OL_COLOR="#4e79a7"   # blue   = OpenLDAP
-DJ_COLOR="#f28e2b"   # orange = OpenDJ
 
 # JSON array of the OPS labels: ["ADD","SEARCH",...].
 labels_json() {
@@ -110,26 +115,15 @@ echo ""
 echo "_Per-operation throughput is not charted: every op runs once per loop iteration, so each"
 echo "op's throughput just equals the loop rate. The meaningful throughput is the aggregate._"
 echo ""
-TP_CFG="{\"type\":\"bar\",\"data\":{\"labels\":[\"OpenLDAP\",\"OpenDJ\"],\"datasets\":[{\"label\":\"ops/s\",\"backgroundColor\":[\"$OL_COLOR\",\"$DJ_COLOR\"],\"data\":[${ol_tot_tp},${dj_tot_tp}]}]},\"options\":{\"legend\":{\"display\":false},\"title\":{\"display\":true,\"text\":\"Total throughput (ops/s)\"}}}"
+TP_CFG="{\"type\":\"bar\",\"data\":{\"labels\":[\"${A_NAME}\",\"${B_NAME}\"],\"datasets\":[{\"label\":\"ops/s\",\"backgroundColor\":[\"$A_COLOR\",\"$B_COLOR\"],\"data\":[${a_tot_tp},${b_tot_tp}]}]},\"options\":{\"legend\":{\"display\":false},\"title\":{\"display\":true,\"text\":\"Total throughput (ops/s)\"}}}"
 echo "![Total throughput (ops/s)]($(qc 500 320 "$TP_CFG"))"
 echo ""
 
 # ---------------------------------------------------------------- Latency chart (grouped bars)
 echo "### p99 latency per operation (ms, lower is better)"
 echo ""
-echo "_🟦 OpenLDAP · 🟧 OpenDJ — grouped bars per operation._"
+echo "_🟦 ${A_NAME} · 🟧 ${B_NAME} — grouped bars per operation._"
 echo ""
-LAT_CFG="{\"type\":\"bar\",\"data\":{\"labels\":$(labels_json),\"datasets\":[{\"label\":\"OpenLDAP\",\"backgroundColor\":\"$OL_COLOR\",\"data\":[$(vals mi "$OL_JSON" pct3ResTime)]},{\"label\":\"OpenDJ\",\"backgroundColor\":\"$DJ_COLOR\",\"data\":[$(vals mi "$DJ_JSON" pct3ResTime)]}]},\"options\":{\"title\":{\"display\":true,\"text\":\"p99 latency per operation (ms)\"}}}"
+LAT_CFG="{\"type\":\"bar\",\"data\":{\"labels\":$(labels_json),\"datasets\":[{\"label\":\"${A_NAME}\",\"backgroundColor\":\"$A_COLOR\",\"data\":[$(vals mi "$A_JSON" pct3ResTime)]},{\"label\":\"${B_NAME}\",\"backgroundColor\":\"$B_COLOR\",\"data\":[$(vals mi "$B_JSON" pct3ResTime)]}]},\"options\":{\"title\":{\"display\":true,\"text\":\"p99 latency per operation (ms)\"}}}"
 echo "![p99 latency per operation (ms)]($(qc 900 400 "$LAT_CFG"))"
 echo ""
-
-# ---------------------------------------------------------------- Caveats
-echo "### Notes"
-echo ""
-echo "- \`BIND\` is the measured **user authentication** (\`test=sbind\`, single bind/unbind on its"
-echo "  own connection) as \`cn=user_<n>,ou=People\` with the password set by \`MODIFY\`. The admin"
-echo "  connection bind (\`ADMIN_CONNECT\`) is cached once per thread and excluded from these results."
-echo "- MODIFY sends the password in cleartext; each server hashes it on write with the **same"
-echo "  scheme (SSHA, Salted SHA-1)** — OpenLDAP via the ppolicy hash-cleartext overlay, OpenDJ via"
-echo "  its Salted SHA-1 default scheme — so BIND authentication is compared on equal footing."
-echo "- Full interactive JMeter HTML dashboards are attached as the \`jmeter-reports\` artifact."
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index f64cdc7dd2..4a27339093 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -237,10 +237,24 @@ jobs:
       # ---------------------------------------------------------------- Report
       - name: Build job summary
         run: |
+          # summary.sh is generic: <name> <statistics.json> <version> <image> per server.
           bash .github/benchmark/summary.sh \
-            openldap/statistics.json opendj/statistics.json \
-            "$OPENLDAP_VER" "$OPENDJ_VER" \
-            "$OPENLDAP_IMAGE" "$OPENDJ_IMAGE" >> "$GITHUB_STEP_SUMMARY"
+            "OpenLDAP" openldap/statistics.json "$OPENLDAP_VER" "$OPENLDAP_IMAGE" \
+            "OpenDJ"   opendj/statistics.json   "$OPENDJ_VER"   "$OPENDJ_IMAGE" \
+            >> "$GITHUB_STEP_SUMMARY"
+          # benchmark-specific notes (kept out of the reusable script)
+          {
+            echo ""
+            echo "### Notes"
+            echo ""
+            echo '- `BIND` is the measured **user authentication** (`test=sbind`, single bind/unbind on its'
+            echo '  own connection) as `mail=u_<n>,ou=People` with the password set by `MODIFY`. The admin'
+            echo '  connection bind (`ADMIN_CONNECT`) is cached once per thread and excluded from these results.'
+            echo '- `MODIFY` sends the password in cleartext; each server hashes it on write with the **same'
+            echo '  scheme (`{SSHA}`, Salted SHA-1)** — OpenLDAP via the ppolicy hash-cleartext overlay, OpenDJ'
+            echo '  via its Salted SHA-1 default scheme — so `BIND` authentication is compared on equal footing.'
+            echo '- Full interactive JMeter HTML dashboards are attached as the `jmeter-reports` artifact.'
+          } >> "$GITHUB_STEP_SUMMARY"
 
       - name: Upload JMeter reports
         if: always()

From 2a450ca1dac4afb30975c0c3e854bae283b3ca70 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Tue, 23 Jun 2026 12:39:07 +0300
Subject: [PATCH 13/15] build.yml: benchmark the built image against the
 released one

Add a "Build vs Release" benchmark to the build-docker and build-docker-alpine
jobs: run the LDAP benchmark against the freshly built image and the latest
released image, and publish the comparison in the job summary to catch
performance regressions per push/PR (200 threads / 150s).

- New reusable helper .github/benchmark/compare-opendj.sh runs benchmark.jmx
  against two OpenDJ images sequentially (one container at a time on port 1389:
  start, seed ou=People, capture version, run, stop) and renders the comparison
  via the generic summary.sh. Both sides are OpenDJ, so no per-server
  hashing/index setup is needed (identical default password scheme).
- Each job gets a sparse `actions/checkout` of .github/benchmark (these jobs have
  no checkout and the build artifact does not include those files) plus a JMeter
  cache. build-docker compares localhost:5000/<repo>:<release_version> ("Build")
  vs openidentityplatform/opendj:latest ("Release"); build-docker-alpine compares
  the corresponding -alpine / :alpine tags.
---
 .github/benchmark/compare-opendj.sh | 102 ++++++++++++++++++++++++++++
 .github/workflows/build.yml         |  28 ++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 .github/benchmark/compare-opendj.sh

diff --git a/.github/benchmark/compare-opendj.sh b/.github/benchmark/compare-opendj.sh
new file mode 100644
index 0000000000..55fd033a18
--- /dev/null
+++ b/.github/benchmark/compare-opendj.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+# The contents of this file are subject to the terms of the Common Development and
+# Distribution License (the License). You may not use this file except in compliance with the
+# License.
+#
+# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+# specific language governing permission and limitations under the License.
+#
+# When distributing Covered Software, include this CDDL Header Notice in each file and include
+# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+# Header, with the fields enclosed by brackets [] replaced by your own identifying
+# information: "Portions copyright [year] [name of copyright owner]".
+#
+# Copyright 2026 3A Systems, LLC.
+#
+# Compare two OpenDJ Docker images with the LDAP benchmark (.github/benchmark/benchmark.jmx) and
+# append the comparison report to $GITHUB_STEP_SUMMARY. Both sides are OpenDJ, so no per-server
+# hashing/index setup is needed (identical product => identical default password scheme).
+#
+# Usage:
+#   compare-opendj.sh <A_name> <A_image> <B_name> <B_image>
+# Env: THREADS (default 200), DURATION (default 150), JMETER_VERSION (default 5.6.3).
+set -euo pipefail
+
+A_NAME="${1:?server A name required}"
+A_IMAGE="${2:?server A image required}"
+B_NAME="${3:?server B name required}"
+B_IMAGE="${4:?server B image required}"
+
+THREADS="${THREADS:-200}"
+DURATION="${DURATION:-150}"
+JMETER_VERSION="${JMETER_VERSION:-5.6.3}"
+BASEDN="dc=example,dc=com"
+BENCHPW="benchPass1"
+HERE="$(cd "$(dirname "$0")" && pwd)"   # .github/benchmark
+
+# ---------------------------------------------------------------- dependencies
+if ! command -v ldapsearch >/dev/null 2>&1 || ! command -v jq >/dev/null 2>&1; then
+  sudo apt-get update -qq
+  sudo apt-get install -y -qq ldap-utils jq
+fi
+JM="$HOME/jmeter/apache-jmeter-$JMETER_VERSION/bin/jmeter"
+if [ ! -x "$JM" ]; then
+  mkdir -p "$HOME/jmeter"
+  curl -fsSL "https://archive.apache.org/dist/jmeter/binaries/apache-jmeter-$JMETER_VERSION.tgz" -o /tmp/jmeter.tgz
+  tar -xzf /tmp/jmeter.tgz -C "$HOME/jmeter"
+fi
+
+wait_dj() {  # poll OpenDJ readiness on localhost:1389
+  for _ in $(seq 1 90); do
+    ldapsearch -x -H ldap://localhost:1389 -D "cn=Directory Manager" -w password \
+      -b "$BASEDN" -s base dn >/dev/null 2>&1 && return 0
+    sleep 2
+  done
+  return 1
+}
+
+# bench_one <image> <out-slug>  -> prints the captured server version (stdout only)
+bench_one() {
+  local image="$1" out="$2" ver=""
+  docker rm -f opendj-bench >/dev/null 2>&1 || true
+  if docker run -d --name opendj-bench -p 1389:1389 \
+       -e ROOT_PASSWORD=password -e BASE_DN="$BASEDN" -e ADD_BASE_ENTRY=--addBaseEntry \
+       "$image" >/dev/null 2>&1; then
+    wait_dj || echo "WARN: $image not ready in time" >&2
+    ldapadd -x -H ldap://localhost:1389 -D "cn=Directory Manager" -w password \
+      -f "$HERE/people.ldif" >/dev/null 2>&1 || true
+    ver="$( { ldapsearch -x -LLL -H ldap://localhost:1389 -D 'cn=Directory Manager' -w password \
+              -b '' -s base fullVendorVersion 2>/dev/null || true; } | sed -n 's/^fullVendorVersion: //p')"
+    rm -rf "$out" "$out.jtl"
+    HEAP="-Xms1g -Xmx2g" "$JM" -n -t "$HERE/benchmark.jmx" \
+      -Jhost=localhost -Jport=1389 -Jbasedn="$BASEDN" \
+      -Jadminbinddn="cn=Directory Manager" -Jadminbindpw=password -Jbenchpw="$BENCHPW" \
+      -Jthreads="$THREADS" -Jduration="$DURATION" -Jrampup=0 \
+      -Jjmeter.reportgenerator.sample_filter='^(?!ADMIN_CONNECT).*' \
+      -l "$out.jtl" -e -o "$out" >/dev/null 2>&1 || true
+    docker logs opendj-bench > "$out.docker.log" 2>&1 || true
+  else
+    echo "ERROR: failed to start image $image" >&2
+  fi
+  docker rm -f opendj-bench >/dev/null 2>&1 || true
+  [ -n "$ver" ] || ver="$image"
+  printf '%s' "$ver"
+}
+
+echo "Benchmarking ${A_NAME} (${A_IMAGE}) @ ${THREADS} threads / ${DURATION}s ..."
+A_VER="$(bench_one "$A_IMAGE" a)"
+echo "Benchmarking ${B_NAME} (${B_IMAGE}) @ ${THREADS} threads / ${DURATION}s ..."
+B_VER="$(bench_one "$B_IMAGE" b)"
+
+{
+  bash "$HERE/summary.sh" \
+    "$A_NAME" a/statistics.json "$A_VER" "$A_IMAGE" \
+    "$B_NAME" b/statistics.json "$B_VER" "$B_IMAGE"
+  echo ""
+  echo "### Notes"
+  echo ""
+  echo "- **${A_NAME}** = freshly built image; **${B_NAME}** = latest released image. Both are"
+  echo "  OpenDJ, so they share the same default password storage scheme (hashing parity is automatic)."
+  echo "- The admin connection bind (\`ADMIN_CONNECT\`) is cached per thread and excluded; \`BIND\` is"
+  echo "  the measured user authentication (\`test=sbind\`, single bind/unbind)."
+} >> "${GITHUB_STEP_SUMMARY:-/dev/stdout}"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 58927fe9e8..2a88ece19e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -308,6 +308,9 @@ jobs:
         ports:
           - 5000:5000
     steps:
+      - uses: actions/checkout@v6
+        with:
+          sparse-checkout: .github/benchmark
       - name: Download artifacts
         uses: actions/download-artifact@v8
         with:
@@ -369,6 +372,17 @@ jobs:
           timeout 3m bash -c 'until docker inspect --format="{{json .State.Health.Status}}" test_custom | grep -q \"healthy\"; do sleep 10; done'
           docker exec test_custom 'sh' '-c' '/opt/opendj/bin/ldapsearch --hostname localhost --port 1636 --bindDN "cn=Directory Manager" --bindPassword custom_password --useSsl --trustAll --baseDN "dc=example,dc=com" --searchScope base "(objectClass=*)" 1.1'
           docker kill test_custom
+      - name: Cache JMeter
+        uses: actions/cache@v5
+        with:
+          path: ~/jmeter
+          key: jmeter-5.6.3
+      - name: Benchmark Build vs Release
+        shell: bash
+        run: |
+          THREADS=200 DURATION=150 bash .github/benchmark/compare-opendj.sh \
+            "Build"   localhost:5000/${GITHUB_REPOSITORY,,}:${{ env.release_version }} \
+            "Release" openidentityplatform/opendj:latest
 
   build-docker-alpine:
     needs: build-maven
@@ -379,6 +393,9 @@ jobs:
         ports:
           - 5000:5000
     steps:
+      - uses: actions/checkout@v6
+        with:
+          sparse-checkout: .github/benchmark
       - name: Download artifacts
         uses: actions/download-artifact@v8
         with:
@@ -441,3 +458,14 @@ jobs:
           timeout 3m bash -c 'until docker inspect --format="{{json .State.Health.Status}}" test_custom | grep -q \"healthy\"; do sleep 10; done'
           docker exec test_custom 'sh' '-c' '/opt/opendj/bin/ldapsearch --hostname localhost --port 1636 --bindDN "cn=Directory Manager" --bindPassword custom_password --useSsl --trustAll --baseDN "dc=example,dc=com" --searchScope base "(objectClass=*)" 1.1'
           docker kill test_custom
+      - name: Cache JMeter
+        uses: actions/cache@v5
+        with:
+          path: ~/jmeter
+          key: jmeter-5.6.3
+      - name: Benchmark Build-alpine vs Release-alpine
+        shell: bash
+        run: |
+          THREADS=200 DURATION=150 bash .github/benchmark/compare-opendj.sh \
+            "Build-alpine"   localhost:5000/${GITHUB_REPOSITORY,,}:${{ env.release_version }}-alpine \
+            "Release-alpine" openidentityplatform/opendj:alpine

From 108ee92cece68614ba997e11756e01fb35346117 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Wed, 24 Jun 2026 15:22:30 +0300
Subject: [PATCH 14/15] Benchmark: label throughput as tests/s and flip the
 throughput chart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Rename the throughput unit from "ops/s" to "tests/s" in the Totals table
  column, the throughput section heading, and the chart title/dataset label/alt
  text (per-operation latency stays in ms). The value is unchanged — it is still
  the JMeter Total throughput (total samples/sec), just relabeled.
- Flip the Total throughput chart to a horizontal bar chart (type:horizontalBar),
  so the two servers sit on the vertical axis and throughput runs along the
  horizontal axis; widen it to suit horizontal bars.
---
 .github/benchmark/summary.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index 992c43115e..b2b59f95b7 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -70,7 +70,7 @@ b_tot_mean=$(m "$B_JSON" Total meanResTime)
 
 echo "### Totals (all operations, ADMIN_CONNECT excluded by the plan label)"
 echo ""
-echo "| Server | Throughput (ops/s) | Mean (ms) | Samples | Errors |"
+echo "| Server | Throughput (tests/s) | Mean (ms) | Samples | Errors |"
 echo "|---|--:|--:|--:|--:|"
 echo "| **${A_NAME}** | ${a_tot_tp} | ${a_tot_mean} | ${a_tot_n} | ${a_tot_e} |"
 echo "| **${B_NAME}** | ${b_tot_tp} | ${b_tot_mean} | ${b_tot_n} | ${b_tot_e} |"
@@ -110,13 +110,13 @@ urienc() { jq -rn --arg s "$1" '$s|@uri'; }                       # URL-encode t
 qc() { printf 'https://quickchart.io/chart?w=%s&h=%s&c=%s' "$1" "$2" "$(urienc "$3")"; }
 
 # ---------------------------------------------------------------- Total throughput chart
-echo "### Total throughput (ops/s, higher is better)"
+echo "### Total throughput (tests/s, higher is better)"
 echo ""
 echo "_Per-operation throughput is not charted: every op runs once per loop iteration, so each"
 echo "op's throughput just equals the loop rate. The meaningful throughput is the aggregate._"
 echo ""
-TP_CFG="{\"type\":\"bar\",\"data\":{\"labels\":[\"${A_NAME}\",\"${B_NAME}\"],\"datasets\":[{\"label\":\"ops/s\",\"backgroundColor\":[\"$A_COLOR\",\"$B_COLOR\"],\"data\":[${a_tot_tp},${b_tot_tp}]}]},\"options\":{\"legend\":{\"display\":false},\"title\":{\"display\":true,\"text\":\"Total throughput (ops/s)\"}}}"
-echo "![Total throughput (ops/s)]($(qc 500 320 "$TP_CFG"))"
+TP_CFG="{\"type\":\"horizontalBar\",\"data\":{\"labels\":[\"${A_NAME}\",\"${B_NAME}\"],\"datasets\":[{\"label\":\"tests/s\",\"backgroundColor\":[\"$A_COLOR\",\"$B_COLOR\"],\"data\":[${a_tot_tp},${b_tot_tp}]}]},\"options\":{\"legend\":{\"display\":false},\"title\":{\"display\":true,\"text\":\"Total throughput (tests/s)\"}}}"
+echo "![Total throughput (tests/s)]($(qc 700 280 "$TP_CFG"))"
 echo ""
 
 # ---------------------------------------------------------------- Latency chart (grouped bars)

From 8b0cb43f7a6bf6c6082718da66127c357cef1ff8 Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Wed, 24 Jun 2026 19:13:01 +0300
Subject: [PATCH 15/15] Benchmark: capture errors/artifacts in build.yml,
 revert throughput chart

- build.yml: upload the build-vs-release benchmark outputs (JMeter HTML reports,
  *.jtl, docker logs, *.jmeter.out) as artifacts with `if: always()` and 90-day
  retention in both build-docker and build-docker-alpine, so benchmark failures
  are diagnosable from the run.
- compare-opendj.sh: stop discarding JMeter output (write it to <slug>.jmeter.out)
  and print a per-image error breakdown (count | op | code | message) parsed from
  the .jtl to the step log.
- summary.sh: revert the Total throughput chart back to vertical bars (keep the
  tests/s label).
---
 .github/benchmark/compare-opendj.sh | 10 +++++++++-
 .github/benchmark/summary.sh        |  4 ++--
 .github/workflows/build.yml         | 26 ++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/.github/benchmark/compare-opendj.sh b/.github/benchmark/compare-opendj.sh
index 55fd033a18..1825921229 100644
--- a/.github/benchmark/compare-opendj.sh
+++ b/.github/benchmark/compare-opendj.sh
@@ -73,8 +73,16 @@ bench_one() {
       -Jadminbinddn="cn=Directory Manager" -Jadminbindpw=password -Jbenchpw="$BENCHPW" \
       -Jthreads="$THREADS" -Jduration="$DURATION" -Jrampup=0 \
       -Jjmeter.reportgenerator.sample_filter='^(?!ADMIN_CONNECT).*' \
-      -l "$out.jtl" -e -o "$out" >/dev/null 2>&1 || true
+      -l "$out.jtl" -e -o "$out" > "$out.jmeter.out" 2>&1 || true
     docker logs opendj-bench > "$out.docker.log" 2>&1 || true
+    # surface distinct error messages to the step log (stderr; stdout carries the version)
+    if [ -f "$out.jtl" ]; then
+      local errs
+      errs="$(awk -F',' 'NR==1{for(i=1;i<=NF;i++)h[$i]=i; next}
+                         tolower($h["success"])=="false"{print $h["label"]" | "$h["responseCode"]" | "$h["responseMessage"]}' \
+              "$out.jtl" 2>/dev/null | sort | uniq -c | sort -rn | head -10)"
+      [ -z "$errs" ] || { echo "[$out] errors (count | op | code | message):" >&2; echo "$errs" >&2; }
+    fi
   else
     echo "ERROR: failed to start image $image" >&2
   fi
diff --git a/.github/benchmark/summary.sh b/.github/benchmark/summary.sh
index b2b59f95b7..9ea5ce4fb1 100644
--- a/.github/benchmark/summary.sh
+++ b/.github/benchmark/summary.sh
@@ -115,8 +115,8 @@ echo ""
 echo "_Per-operation throughput is not charted: every op runs once per loop iteration, so each"
 echo "op's throughput just equals the loop rate. The meaningful throughput is the aggregate._"
 echo ""
-TP_CFG="{\"type\":\"horizontalBar\",\"data\":{\"labels\":[\"${A_NAME}\",\"${B_NAME}\"],\"datasets\":[{\"label\":\"tests/s\",\"backgroundColor\":[\"$A_COLOR\",\"$B_COLOR\"],\"data\":[${a_tot_tp},${b_tot_tp}]}]},\"options\":{\"legend\":{\"display\":false},\"title\":{\"display\":true,\"text\":\"Total throughput (tests/s)\"}}}"
-echo "![Total throughput (tests/s)]($(qc 700 280 "$TP_CFG"))"
+TP_CFG="{\"type\":\"bar\",\"data\":{\"labels\":[\"${A_NAME}\",\"${B_NAME}\"],\"datasets\":[{\"label\":\"tests/s\",\"backgroundColor\":[\"$A_COLOR\",\"$B_COLOR\"],\"data\":[${a_tot_tp},${b_tot_tp}]}]},\"options\":{\"legend\":{\"display\":false},\"title\":{\"display\":true,\"text\":\"Total throughput (tests/s)\"}}}"
+echo "![Total throughput (tests/s)]($(qc 500 320 "$TP_CFG"))"
 echo ""
 
 # ---------------------------------------------------------------- Latency chart (grouped bars)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2a88ece19e..6e4bb7d5b1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -383,6 +383,19 @@ jobs:
           THREADS=200 DURATION=150 bash .github/benchmark/compare-opendj.sh \
             "Build"   localhost:5000/${GITHUB_REPOSITORY,,}:${{ env.release_version }} \
             "Release" openidentityplatform/opendj:latest
+      - name: Upload benchmark artifacts
+        if: always()
+        uses: actions/upload-artifact@v7
+        with:
+          name: benchmark-build-vs-release
+          path: |
+            a/
+            b/
+            *.jtl
+            *.docker.log
+            *.jmeter.out
+          if-no-files-found: warn
+          retention-days: 3
 
   build-docker-alpine:
     needs: build-maven
@@ -469,3 +482,16 @@ jobs:
           THREADS=200 DURATION=150 bash .github/benchmark/compare-opendj.sh \
             "Build-alpine"   localhost:5000/${GITHUB_REPOSITORY,,}:${{ env.release_version }}-alpine \
             "Release-alpine" openidentityplatform/opendj:alpine
+      - name: Upload benchmark artifacts
+        if: always()
+        uses: actions/upload-artifact@v7
+        with:
+          name: benchmark-build-vs-release-alpine
+          path: |
+            a/
+            b/
+            *.jtl
+            *.docker.log
+            *.jmeter.out
+          if-no-files-found: warn
+          retention-days: 90