Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 7. Adjusting IdM Directory Server performance

You can tune the performance of Identity Management’s databases by adjusting LDAP attributes controlling the Directory Server’s resources and behavior.

You can fine-tune the following:

  • Adjust how the Directory Server caches data.
  • Adjust the Directory Server’s resource limits.
  • Adjust timeouts that have the most influence on performance.
  • Install an IdM server or replica with custom Directory Server settings from an LDIF file.

You can adjust the entry cache size to optimize memory usage for the IdM Directory Server when default auto-sizing does not meet your deployment requirements.

Important

Do not change this settings, unless you have a strong need to apply your custom values. IdM Directory Server uses the built-in cache auto-sizing feature for optimized performance.

The nsslapd-cachememsize attribute specifies the size, in bytes, for the available memory space for the entry cache. This attribute is one of the most important values for controlling how much physical RAM the Directory Server uses.

If the entry cache size is too small, you might see the following error in the Directory Server error logs in the /var/log/dirsrv/slapd-<instance_name>/errors log file: 

REASON: entry too large (83886080 bytes) for the import buffer size (67108864 bytes).  Try increasing nsslapd-cachememsize.

Red Hat recommends fitting the entry cache and the database index entry cache in memory.

Expand
Table 7.1. nsslapd-cachememsize attribute values

Default value

209715200 (200 MiB)

Valid range

500000 - 18446744073709551615 (500 kB - (264-1))

Entry DN location

cn=<database_name>,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Disable automatic cache tuning. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend config set --cache-autosize=0

  2. Display the database suffixes and their corresponding back ends. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix list
cn=changelog (changelog)
dc=example,dc=com (userroot)
o=ipaca (ipaca)

    This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.

  3. Set the entry cache size for the database. This example sets the entry cache for the userroot database to 2 gigabytes. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix set --cache-memsize=2147483648 userroot

  4. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target
  5. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust cache-memsize to a different value, or re-enable cache auto-sizing.

Verification

  • Display the value of the nsslapd-cachememsize attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cachememsize
nsslapd-cachememsize: 2147483648

You can adjust the database index cache size to improve search performance when the IdM Directory Server has available RAM beyond the entry cache allocation.

Important

Do not change this settings, unless you have a strong need to apply your custom values. IdM Directory Server uses the built-in cache auto-sizing feature for optimized performance.

The nsslapd-dbcachesize attribute controls the amount of memory the database indexes use. This cache size has less of an impact on Directory Server performance than the entry cache size does, but if there is available RAM after the entry cache size is set, Red Hat recommends increasing the amount of memory allocated to the database cache.

The database cache is limited to 1.5 GB RAM because higher values do not improve performance.

Expand
Table 7.2. nsslapd-dbcachesize attribute values

Default value

10000000 (10 MB)

Valid range

500000 - 1610611911 (500 kB - 1.5GB)

Entry DN location

cn=config,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Disable automatic cache tuning, and set the database cache size. This example sets the database cache to 256 megabytes. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend config set --cache-autosize=0 --dbcachesize=268435456

  2. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target
  3. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust dbcachesize to a different value, or re-enable cache auto-sizing.

Verification

  • Display the value of the nsslapd-dbcachesize attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dbcachesize
nsslapd-dbcachesize: 2147483648

You can restore the default cache auto-sizing settings to let the IdM Directory Server automatically optimize cache sizes based on available hardware resources.

Important

Use the built-in cache auto-sizing feature for optimized performance. Do not set cache sizes manually.

By default, the IdM Directory Server automatically determines the optimal size for the database cache and entry cache. Auto-sizing sets aside a portion of free RAM and optimizes the size of both caches based on the hardware resources of the server when the instance starts.

Use this procedure to undo custom database cache and entry cache values and restore the cache auto-sizing feature to its default values.

Expand
Table 7.3. nsslapd-cache-autosize attribute values

nsslapd-cache-autosize

This settings controls how much free RAM is allocated for auto-sizing the database and entry caches. A value of 0 disables auto-sizing.

Default value

10 (10% of free RAM)

Valid range

0 - 100

Entry DN location

cn=config,cn=ldbm database,cn=plugins,cn=config

Expand
Table 7.4. nsslapd-cache-autosize-split attribute values

nsslapd-cache-autosize-split

This value sets the percentage of free memory determined by nsslapd-cache-autosize that is used for the database cache. The remaining percentage is used for the entry cache.

Default value

25 (25% for the database cache, 60% for the entry cache)

Valid range

0 - 100

Entry DN location

cn=config,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • You have previously disabled database and entry cache auto-tuning.

Procedure

  1. Stop the Directory Server instance. 

    [root@server ~]# systemctl stop dirsrv.target

  2. Backup the /etc/dirsrv/slapd-<instance_name>/dse.ldif file before making any further modifications. 

    [root@server ~]# cp /etc/dirsrv/slapd-<instance_name>/dse.ldif \ /etc/dirsrv/slapd-<instance_name>/dse.ldif.bak.$(date "+%F_%H-%M-%S")

  3. Edit the /etc/dirsrv/slapd-<instance_name>/dse.ldif file:

    1. Set the percentage of free system RAM to use for the database and entry caches back to the default of 10% of free RAM. 

      nsslapd-cache-autosize: 10

    2. Set the percentage used from the free system RAM for the database cache to the default of 25%: 

      nsslapd-cache-autosize-split: 25
  4. Save your changes to the /etc/dirsrv/slapd-<instance_name>/dse.ldif file.

  5. Start the Directory Server. 

    [root@server ~]# systemctl start dirsrv.target

Verification

  • Display the values of the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes and verify they have been set to your desired values. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cache-autosize nsslapd-cache-autosize: *10
nsslapd-cache-autosize-split: 25

You can adjust the Distinguished Names (DN) cache size to improve the performance of lookup operations in the IdM Directory Server.

Important

Do not change this settings, unless you have a strong need to apply your custom values. IdM Directory Server uses the built-in cache auto-sizing feature for optimized performance.

The nsslapd-dncachememsize attribute specifies the size, in bytes, for the available memory space for the Distinguished Names (DN) cache. The DN cache is similar to the entry cache for a database, but its table stores only the entry ID and the entry DN, which allows faster lookups for rename and moddn operations.

Expand
Table 7.5. nsslapd-dncachememsize attribute values

Default value

10485760 (10 MB)

Valid range

500000 - 18446744073709551615 (500 kB - (264-1))

Entry DN location

cn=database-name,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Optional: Display the database suffixes and their corresponding database names. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix list
dc=example,dc=com (userroot)

    This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.

  2. Set the DN cache size for the database. This example sets the DN cache to 20 megabytes. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix set --dncache-memsize=20971520 userroot

  3. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target
  4. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust dncache-memsize to a different value, or back to the default of 10 MB.

Verification

  • Display the new value of the nsslapd-dncachememsize attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dncachememsize
nsslapd-dncachememsize: 20971520

You can adjust the normalized DN cache size to retain more frequently used DNs in memory and improve lookup performance in the IdM Directory Server.

Important

Do not change this settings, unless you have a strong need to apply your custom values. IdM Directory Server uses the built-in cache auto-sizing feature for optimized performance.

The nsslapd-ndn-cache-max-size attribute controls the size, in bytes, of the cache that stores normalized distinguished names (NDNs). Increasing this value will retain more frequently used DNs in memory.

Expand
Table 7.6. nsslapd-ndn-cache-max-size attribute values

Default value

20971520 (20 MB)

Valid range

0 - 2147483647

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Ensure the NDN cache is enabled. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ndn-cache-enabled
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-ndn-cache-enabled: on

    If the cache is off, enable it with the following command. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-ndn-cache-enabled=on
Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-ndn-cache-enabled"

  2. Retrieve the current value of the nsslapd-ndn-cache-max-size parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ndn-cache-max-size
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-ndn-cache-max-size: 20971520

  3. Modify the value of the nsslapd-ndn-cache-max-size attribute. This example increases the value to 41943040 (40 MB). 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-ndn-cache-max-size=41943040
  4. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-ndn-cache-max-size to a different value, or re-enable cache auto-sizing.

Verification

  • Display the new value of the nsslapd-ndn-cache-max-size attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ndn-cache-max-size
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-ndn-cache-max-size: 41943040

Increase the maximum LDAP message size to support larger legitimate requests in IdM Directory Server. This prevents errors when adding entries or performing operations that exceed the default 2 MB limit.

The nsslapd-maxbersize attribute sets the maximum size in bytes allowed for an incoming message or LDAP request. Limiting the size of requests prevents some kinds of denial of service attacks.

If the maximum message size is too small, you might see the following error in the Directory Server error logs at /var/log/dirsrv/slapd-<instance_name>/errors: 

Incoming BER Element was too long, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and if the entry in the request is larger than the configured value or the default, then the add request is denied. However, the limit is not applied to replication processes. Be cautious before changing this attribute.

Expand
Table 7.7. nsslapd-maxbersize attribute values

Default value

2097152 (2 MB)

Valid range

0 - 2147483647 (0 to 2 GB)

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-maxbersize parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-maxbersize
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-maxbersize: 2097152

  2. Modify the value of the nsslapd-maxbersize attribute. This example increases the value to 4194304, 4 MB. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-maxbersize=4194304

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-maxbersize"
  4. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-maxbersize to a different value, or back to the default of 2097152.

Verification

  • Display the value of the nsslapd-maxbersize attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-maxbersize
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-maxbersize: 4194304

You can adjust the maximum number of file descriptors to handle more simultaneous client connections, log files, and socket resources in the IdM Directory Server.

A value can be defined for the DefaultLimitNOFILE parameter in the /etc/systemd/system.conf file. An administrator with root privileges can set the DefaultLimitNOFILE parameter for the ns-slapd process to a lower value by using the setrlimit command. This value then takes precedence over what is in /etc/systemd/system.conf and is accepted by the Identity Management (IdM) Directory Server (DS) as the value for the nsslapd-maxdescriptors attribute.

The nsslapd-maxdescriptors attribute sets the maximum, platform-dependent number of file descriptors that the IdM LDAP uses. File descriptors are used for client connections, log files, sockets, and other resources.

If no value is defined in either /etc/systemd/system.conf or by setrlimit, then IdM DS sets the nsslapd-maxdescriptors attribute to 1048576.

If an IdM DS administrator later decides to set a new value for nsslapd-maxdescriptors manually, then IdM DS compares the new value with what is defined locally, by setrlimit or in /etc/systemd/system.conf, with the following result:

  • If the new value for nsslapd-maxdescriptors is higher than what is defined locally, then the server rejects the new value setting and continues to enforce the local limit value as the high watermark value.
  • If the new value is lower than what is defined locally, then the new value will be used.

This procedure describes how to set a new value for nsslapd-maxdescriptors.

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-maxdescriptors parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-maxdescriptors
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-maxdescriptors: 4096

  2. Modify the value of the nsslapd-maxdescriptors attribute. This example increases the value to 8192. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-maxdescriptors=8192

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-maxdescriptors"
  4. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-maxdescriptors to a different value, or back to the default of 4096.

Verification

  • Display the value of the nsslapd-maxdescriptors attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-maxdescriptors
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-maxdescriptors: 8192

You can increase the connection backlog size to handle more incoming LDAP requests before the IdM Directory Server starts refusing them.

The listen service sets the number of sockets available to receive incoming connections. The nsslapd-listen-backlog-size value sets the maximum length of the queue for the sockfd socket before refusing connections.

If your IdM environment handles a large amount of connections, consider increasing the value of nsslapd-listen-backlog-size.

Expand
Table 7.8. nsslapd-listen-backlog-size attribute values

Default value

128 queue slots

Valid range

0 - 9223372036854775807

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-listen-backlog-size parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-listen-backlog-size
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-listen-backlog-size: 128

  2. Modify the value of the nsslapd-listen-backlog-size attribute. This example increases the value to 192. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-listen-backlog-size=192

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-listen-backlog-size"

Verification

  • Display the value of the nsslapd-listen-backlog-size attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-listen-backlog-size
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-listen-backlog-size: 192

You can increase the maximum number of database locks to resolve "out of available locks" errors in the IdM Directory Server.

Lock mechanisms control how many copies of Directory Server processes can run at the same time, and the nsslapd-db-locks parameter sets the maximum number of locks.

Increase the maximum number of locks if if you see the following error messages in the /var/log/dirsrv/slapd-<instance_name>/errors log file: 

libdb: Lock table is out of available locks
Expand
Table 7.9. nsslapd-db-locks attribute values

Default value

50000 locks

Valid range

0 - 2147483647

Entry DN location

cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-db-locks parameter and make a note of it before making any adjustments, in case it needs to be restored. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks
nsslapd-db-locks: 50000

  2. Modify the value of the locks attribute. This example doubles the value to 100000 locks. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend config set --locks=100000

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully updated database configuration

  4. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target

Verification

  • Display the value of the nsslapd-db-locks attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=directory manager" -w <directory_manager_password> -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks
nsslapd-db-locks: 100000

Disable Transparent Huge Pages (THP) to improve IdM Directory Server performance and reduce latency. THP can slow down directory operations due to how IdM accesses memory.

THP is a Linux memory management feature enabled by default on RHEL. While THP benefits applications with contiguous memory access, it can degrade IdM Directory Server performance because the directory uses sparse memory access patterns.

Procedure

You can adjust the I/O block timeout to close connections to stalled LDAP clients faster and free up resources in the IdM Directory Server.

The nsslapd-ioblocktimeout attribute sets the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.

Lower the value of the nsslapd-ioblocktimeout attribute to free up connections sooner.

Expand
Table 7.10. nsslapd-ioblocktimeout attribute values

Default value

10000 milliseconds

Valid range

0 - 2147483647

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-ioblocktimeout parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ioblocktimeout
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-ioblocktimeout: 10000

  2. Modify the value of the nsslapd-ioblocktimeout attribute. This example lowers the value to 8000. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-ioblocktimeout=8000

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-ioblocktimeout"
  4. Monitor the IdM directory server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-ioblocktimeout to a different value, or back to the default of 10000.

Verification

  • Display the value of the nsslapd-ioblocktimeout attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ioblocktimeout
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-ioblocktimeout: 8000

You can adjust the idle connection timeout to close stale connections while keeping active connections available in the IdM Directory Server.

The nsslapd-idletimeout attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by the IdM server. A value of 0 means that the server never closes idle connections.

Red Hat recommends adjusting this value so stale connections are closed, but active connections are not closed prematurely.

Expand
Table 7.11. nsslapd-idletimeout attribute values

Default value

3600 seconds (1 hour)

Valid range

0 - 2147483647

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-idletimeout parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-idletimeout
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-idletimeout: 3600

  2. Modify the value of the nsslapd-idletimeout attribute. This example lowers the value to 1800 (30 minutes). 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-idletimeout=1800

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-idletimeout"
  4. Monitor the IdM directory server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-idletimeout to a different value, or back to the default of 3600.

Verification

  • Display the value of the nsslapd-idletimeout attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-idletimeout
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-idletimeout: 1800

7.13. Adjusting the replication release timeout
Copy link

You can adjust the replication release timeout to balance replication latency and update throughput between IdM replicas.

An IdM replica is exclusively locked during a replication session with another replica. In some environments, a replica is locked for a long time due to large updates or network congestion, which increases replication latency.

You can release a replica after a fixed amount of time by adjusting the repl-release-timeout parameter. Red Hat recommends setting this value between 30 and 120:

  • If the value is set too low, replicas are constantly reacquiring one another and replicas are not able to send larger updates.
  • A longer timeout can improve high-traffic situations where it is best if a server exclusively accesses a replica for longer amounts of time, but a value higher than 120 seconds slows down replication.
Expand
Table 7.12. repl-release-timeout attribute values

Default value

60 seconds

Valid range

0 - 2147483647

Recommended range

30 - 120

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Display the database suffixes and their corresponding back ends. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix list
cn=changelog (changelog)
dc=example,dc=com (userroot)
o=ipaca (ipaca)

    This command displays the names of the back end databases next to their suffix. Use the suffix name in the next step.

  2. Modify the value of the repl-release-timeout attribute for the main userroot database. This example increases the value to 90 seconds. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> replication set --suffix="dc=example,dc=com" --repl-release-timeout=90

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "repl-release-timeout"

  4. Optional: If your IdM environment uses the IdM Certificate Authority (CA), you can modify the value of the repl-release-timeout attribute for the CA database. This example increases the value to 90 seconds. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> replication set *--suffix="o=ipaca" --repl-release-timeout=90*
Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "repl-release-timeout"

  5. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target
  6. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust repl-release-timeout to a different value, or back to the default of 60 seconds.

Verification

  • Display the value of the nsds5ReplicaReleaseTimeout attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" | grep nsds5ReplicaReleaseTimeout
nsds5ReplicaReleaseTimeout: 90
Note

The Distinguished Name of the suffix in this example is dc=example,dc=com, but the equals sign (=) and comma (,) must be escaped in the ldapsearch command.

Convert the suffix DN to cn=dc\3Dexample\2Cdc\3Dcom with the following escape characters:

  • \3D replacing =
  • \2C replacing ,
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top