Search

Chapter 7. Adjusting IdM Directory Server performance

download PDF

You can tune the performance of Identity Management’s databases by adjusting LDAP attributes controlling the Directory Server’s resources and behavior.

To adjust how the Directory Server caches data, see the following procedures:

To adjust the Directory Server’s resource limits, see the following procedures:

To adjust timeouts that have the most influence on performance, see the following procedures:

To install an IdM server or replica with custom Directory Server settings from an LDIF file, see the following procedure:

7.1. Adjusting the entry cache size

Important

Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.

The nsslapd-cachememsize attribute specifies the size, in bytes, for the available memory space for the entry cache. This attribute is one of the most important values for controlling how much physical RAM the directory server uses.

If the entry cache size is too small, you might see the following error in the Directory Server error logs in the /var/log/dirsrv/slapd-INSTANCE-NAME/errors log file:

REASON: entry too large (83886080 bytes) for the import buffer size (67108864 bytes).  Try increasing nsslapd-cachememsize.

Red Hat recommends fitting the entry cache and the database index entry cache in memory.

Default value

209715200 (200 MiB)

Valid range

500000 - 18446744073709551615 (500 kB - (264-1))

Entry DN location

cn=database-name,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Disable automatic cache tuning.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config set --cache-autosize=0
  2. Display the database suffixes and their corresponding back ends.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix list
    cn=changelog (changelog)
    dc=example,dc=com (userroot)
    o=ipaca (ipaca)

    This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.

  3. Set the entry cache size for the database. This example sets the entry cache for the userroot database to 2 gigabytes.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix set --cache-memsize=2147483648 userroot
  4. Restart the Directory Server.

    [root@server ~]# systemctl restart dirsrv.target
  5. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust cache-memsize to a different value, or re-enable cache auto-sizing.

Verification

  • Display the value of the nsslapd-cachememsize attribute and verify it has been set to your desired value.

    [root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cachememsize
    nsslapd-cachememsize: 2147483648

Additional resources

7.2. Adjusting the database index cache size

Important

Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.

The nsslapd-dbcachesize attribute controls the amount of memory the database indexes use. This cache size has less of an impact on Directory Server performance than the entry cache size does, but if there is available RAM after the entry cache size is set, Red Hat recommends increasing the amount of memory allocated to the database cache.

The database cache is limited to 1.5 GB RAM because higher values do not improve performance.

Default value

10000000 (10 MB)

Valid range

500000 - 1610611911 (500 kB - 1.5GB)

Entry DN location

cn=config,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Disable automatic cache tuning, and set the database cache size. This example sets the database cache to 256 megabytes.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config set --cache-autosize=0 --dbcachesize=268435456
  2. Restart the Directory Server.

    [root@server ~]# systemctl restart dirsrv.target
  3. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust dbcachesize to a different value, or re-enable cache auto-sizing.

Verification

  • Display the value of the nsslapd-dbcachesize attribute and verify it has been set to your desired value.

    [root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dbcachesize
    nsslapd-dbcachesize: 2147483648

Additional resources

7.3. Re-enabling database and entry cache auto-sizing

Important

Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Red Hat does not recommend setting cache sizes manually.

By default, the IdM Directory Server automatically determines the optimal size for the database cache and entry cache. Auto-sizing sets aside a portion of free RAM and optimizes the size of both caches based on the hardware resources of the server when the instance starts.

Use this procedure to undo custom database cache and entry cache values and restore the cache auto-sizing feature to its default values.

nsslapd-cache-autosize

This settings controls how much free RAM is allocated for auto-sizing the database and entry caches. A value of 0 disables auto-sizing.

Default value

10 (10% of free RAM)

Valid range

0 - 100

Entry DN location

cn=config,cn=ldbm database,cn=plugins,cn=config

nsslapd-cache-autosize-split

This value sets the percentage of free memory determined by nsslapd-cache-autosize that is used for the database cache. The remaining percentage is used for the entry cache.

Default value

25 (25% for the database cache, 60% for the entry cache)

Valid range

0 - 100

Entry DN location

cn=config,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • You have previously disabled database and entry cache auto-tuning.

Procedure

  1. Stop the Directory Server.

    [root@server ~]# systemctl stop dirsrv.target
  2. Backup the /etc/dirsrv/slapd-instance_name/dse.ldif file before making any further modifications.

    [root@server ~]# *cp /etc/dirsrv/slapd-instance_name/dse.ldif \
         /etc/dirsrv/slapd-instance_name/dse.ldif.bak.$(date "+%F_%H-%M-%S")
  3. Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file:

    1. Set the percentage of free system RAM to use for the database and entry caches back to the default of 10% of free RAM.

      nsslapd-cache-autosize: 10
    2. Set the percentage used from the free system RAM for the database cache to the default of 25%:

      nsslapd-cache-autosize-split: 25
  4. Save your changes to the /etc/dirsrv/slapd-instance_name/dse.ldif file.
  5. Start the Directory Server.

    [root@server ~]# systemctl start dirsrv.target

Verification

  • Display the values of the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes and verify they have been set to your desired values.

    [root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cache-autosize nsslapd-cache-autosize: *10
    nsslapd-cache-autosize-split: 25

Additional resources

7.4. Adjusting the DN cache size

Important

Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.

The nsslapd-dncachememsize attribute specifies the size, in bytes, for the available memory space for the Distinguished Names (DN) cache. The DN cache is similar to the entry cache for a database, but its table stores only the entry ID and the entry DN, which allows faster lookups for rename and moddn operations.

Default value

10485760 (10 MB)

Valid range

500000 - 18446744073709551615 (500 kB - (264-1))

Entry DN location

cn=database-name,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Optional: Display the database suffixes and their corresponding database names.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix list
    dc=example,dc=com (userroot)

    This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.

  2. Set the DN cache size for the database. This example sets the DN cache to 20 megabytes.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix set --dncache-memsize=20971520 userroot
  3. Restart the Directory Server.

    [root@server ~]# systemctl restart dirsrv.target
  4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust dncache-memsize to a different value, or back to the default of 10 MB.

Verification

  • Display the new value of the nsslapd-dncachememsize attribute and verify it has been set to your desired value.

    [root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dncachememsize
    nsslapd-dncachememsize: 20971520

Additional resources

7.5. Adjusting the normalized DN cache size

Important

Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.

The nsslapd-ndn-cache-max-size attribute controls the size, in bytes, of the cache that stores normalized distinguished names (NDNs). Increasing this value will retain more frequently used DNs in memory.

Default value

20971520 (20 MB)

Valid range

0 - 2147483647

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Ensure the NDN cache is enabled.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ndn-cache-enabled
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-ndn-cache-enabled: on

    If the cache is off, enable it with the following command.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-ndn-cache-enabled=on
    Enter password for cn=Directory Manager on ldap://server.example.com:
    Successfully replaced "nsslapd-ndn-cache-enabled"
  2. Retrieve the current value of the nsslapd-ndn-cache-max-size parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ndn-cache-max-size
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-ndn-cache-max-size: 20971520
  3. Modify the value of the nsslapd-ndn-cache-max-size attribute. This example increases the value to 41943040 (40 MB).

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-ndn-cache-max-size=41943040
  4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust nsslapd-ndn-cache-max-size to a different value, or re-enable cache auto-sizing.

Verification

  • Display the new value of the nsslapd-ndn-cache-max-size attribute and verify it has been set to your desired value.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ndn-cache-max-size
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-ndn-cache-max-size: 41943040

Additional resources

7.6. Adjusting the maximum message size

The nsslapd-maxbersize attribute sets the maximum size in bytes allowed for an incoming message or LDAP request. Limiting the size of requests prevents some kinds of denial of service attacks.

If the maximum message size is too small, you might see the following error in the Directory Server error logs at /var/log/dirsrv/slapd-INSTANCE-NAME/errors:

Incoming BER Element was too long, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and if the entry in the request is larger than the configured value or the default, then the add request is denied. However, the limit is not applied to replication processes. Be cautious before changing this attribute.

Default value

2097152 (2 MB)

Valid range

0 - 2147483647 (0 to 2 GB)

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-maxbersize parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxbersize
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-maxbersize: 2097152
  2. Modify the value of the nsslapd-maxbersize attribute. This example increases the value to 4194304, 4 MB.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-maxbersize=4194304
  3. Authenticate as the Directory Manager to make the configuration change.

    Enter password for cn=Directory Manager on ldap://server.example.com:
    Successfully replaced "nsslapd-maxbersize"
  4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust nsslapd-maxbersize to a different value, or back to the default of 2097152.

Verification

  • Display the value of the nsslapd-maxbersize attribute and verify it has been set to your desired value.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxbersize
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-maxbersize: 4194304

Additional resources

7.7. Adjusting the maximum number of file descriptors

A value can be defined for the DefaultLimitNOFILE parameter in the /etc/systemd/system.conf file. An administrator with root privileges can set the DefaultLimitNOFILE parameter for the ns-slapd process to a lower value by using the setrlimit command. This value then takes precedence over what is in /etc/systemd/system.conf and is accepted by the Identity Management (IdM) Directory Server (DS) as the value for the nsslapd-maxdescriptors attribute.

The nsslapd-maxdescriptors attribute sets the maximum, platform-dependent number of file descriptors that the IdM LDAP uses. File descriptors are used for client connections, log files, sockets, and other resources.

If no value is defined in either /etc/systemd/system.conf or by setrlimit, then IdM DS sets the nsslapd-maxdescriptors attribute to 1048576.

If an IdM DS administrator later decides to set a new value for nsslapd-maxdescriptors manually, then IdM DS compares the new value with what is defined locally, by setrlimit or in /etc/systemd/system.conf, with the following result:

  • If the new value for nsslapd-maxdescriptors is higher than what is defined locally, then the server rejects the new value setting and continues to enforce the local limit value as the high watermark value.
  • If the new value is lower than what is defined locally, then the new value will be used.

This procedure describes how to set a new value for nsslapd-maxdescriptors.

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-maxdescriptors parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxdescriptors
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-maxdescriptors: 4096
  2. Modify the value of the nsslapd-maxdescriptors attribute. This example increases the value to 8192.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-maxdescriptors=8192
  3. Authenticate as the Directory Manager to make the configuration change.

    Enter password for cn=Directory Manager on ldap://server.example.com:
    Successfully replaced "nsslapd-maxdescriptors"
  4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust nsslapd-maxdescriptors to a different value, or back to the default of 4096.

Verification

  • Display the value of the nsslapd-maxdescriptors attribute and verify it has been set to your desired value.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxdescriptors
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-maxdescriptors: 8192

Additional resources

7.8. Adjusting the connection backlog size

The listen service sets the number of sockets available to receive incoming connections. The nsslapd-listen-backlog-size value sets the maximum length of the queue for the sockfd socket before refusing connections.

If your IdM environment handles a large amount of connections, consider increasing the value of nsslapd-listen-backlog-size.

Default value

128 queue slots

Valid range

0 - 9223372036854775807

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-listen-backlog-size parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-listen-backlog-size
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-listen-backlog-size: 128
  2. Modify the value of the nsslapd-listen-backlog-size attribute. This example increases the value to 192.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-listen-backlog-size=192
  3. Authenticate as the Directory Manager to make the configuration change.

    Enter password for cn=Directory Manager on ldap://server.example.com:
    Successfully replaced "nsslapd-listen-backlog-size"

Verification

  • Display the value of the nsslapd-listen-backlog-size attribute and verify it has been set to your desired value.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-listen-backlog-size
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-listen-backlog-size: 192

Additional resources

7.9. Adjusting the maximum number of database locks

Lock mechanisms control how many copies of Directory Server processes can run at the same time, and the nsslapd-db-locks parameter sets the maximum number of locks.

Increase the maximum number of locks if if you see the following error messages in the /var/log/dirsrv/slapd-instance_name/errors log file:

libdb: Lock table is out of available locks

Default value

50000 locks

Valid range

0 - 2147483647

Entry DN location

cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-db-locks parameter and make a note of it before making any adjustments, in case it needs to be restored.

    [root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks
    nsslapd-db-locks: 50000
  2. Modify the value of the locks attribute. This example doubles the value to 100000 locks.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config set --locks=100000
  3. Authenticate as the Directory Manager to make the configuration change.

    Enter password for cn=Directory Manager on ldap://server.example.com:
    Successfully updated database configuration
  4. Restart the Directory Server.

    [root@server ~]# systemctl restart dirsrv.target

Verification

  • Display the value of the nsslapd-db-locks attribute and verify it has been set to your desired value.

    [root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks
    nsslapd-db-locks: 100000

Additional resources

7.10. Disabling the Transparent Huge Pages feature

Transparent Huge Pages (THP) Linux memory management feature is enabled by default on RHEL. The THP feature can decrease the IdM Directory Server (DS) performance because DS has sparse memory access patterns.

How to disable the feature, see Disabling the Transparent Huge Pages feature in Red Hat Directory Server documentation.

7.11. Adjusting the input/output block timeout

The nsslapd-ioblocktimeout attribute sets the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.

Lower the value of the nsslapd-ioblocktimeout attribute to free up connections sooner.

Default value

10000 milliseconds

Valid range

0 - 2147483647

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-ioblocktimeout parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ioblocktimeout
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-ioblocktimeout: 10000
  2. Modify the value of the nsslapd-ioblocktimeout attribute. This example lowers the value to 8000.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-ioblocktimeout=8000
  3. Authenticate as the Directory Manager to make the configuration change.

    Enter password for cn=Directory Manager on ldap://server.example.com:
    Successfully replaced "nsslapd-ioblocktimeout"
  4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust nsslapd-ioblocktimeout to a different value, or back to the default of 10000.

Verification

  • Display the value of the nsslapd-ioblocktimeout attribute and verify it has been set to your desired value.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ioblocktimeout
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-idletimeout: 8000

Additional resources

7.12. Adjusting the idle connection timeout

The nsslapd-idletimeout attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by the IdM server. A value of 0 means that the server never closes idle connections.

Red Hat recommends adjusting this value so stale connections are closed, but active connections are not closed prematurely.

Default value

3600 seconds (1 hour)

Valid range

0 - 2147483647

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-idletimeout parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-idletimeout
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-idletimeout: 3600
  2. Modify the value of the nsslapd-idletimeout attribute. This example lowers the value to 1800 (30 minutes).

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-idletimeout=1800
  3. Authenticate as the Directory Manager to make the configuration change.

    Enter password for cn=Directory Manager on ldap://server.example.com:
    Successfully replaced "nsslapd-idletimeout"
  4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust nsslapd-idletimeout to a different value, or back to the default of 3600.

Verification

  • Display the value of the nsslapd-idletimeout attribute and verify it has been set to your desired value.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-idletimeout
    Enter password for cn=Directory Manager on ldap://server.example.com:
    nsslapd-idletimeout: 3600

Additional resources

7.13. Adjusting the replication release timeout

An IdM replica is exclusively locked during a replication session with another replica. In some environments, a replica is locked for a long time due to large updates or network congestion, which increases replication latency.

You can release a replica after a fixed amount of time by adjusting the repl-release-timeout parameter. Red Hat recommends setting this value between 30 and 120:

  • If the value is set too low, replicas are constantly reacquiring one another and replicas are not able to send larger updates.
  • A longer timeout can improve high-traffic situations where it is best if a server exclusively accesses a replica for longer amounts of time, but a value higher than 120 seconds slows down replication.

Default value

60 seconds

Valid range

0 - 2147483647

Recommended range

30 - 120

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Display the database suffixes and their corresponding back ends.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix list
    cn=changelog (changelog)
    dc=example,dc=com (userroot)
    o=ipaca (ipaca)

    This command displays the names of the back end databases next to their suffix. Use the suffix name in the next step.

  2. Modify the value of the repl-release-timeout attribute for the main userroot database. This example increases the value to 90 seconds.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com replication set --suffix="dc=example,dc=com" --repl-release-timeout=90
  3. Authenticate as the Directory Manager to make the configuration change.

    Enter password for cn=Directory Manager on ldap://server.example.com:
    Successfully replaced "repl-release-timeout"
  4. Optional: If your IdM environment uses the IdM Certificate Authority (CA), you can modify the value of the repl-release-timeout attribute for the CA database. This example increases the value to 90 seconds.

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com replication set --suffix="o=ipaca" --repl-release-timeout=90
    Enter password for cn=Directory Manager on ldap://server.example.com:
    Successfully replaced "repl-release-timeout"
  5. Restart the Directory Server.

    [root@server ~]# systemctl restart dirsrv.target
  6. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust repl-release-timeout to a different value, or back to the default of 60 seconds.

Verification

  • Display the value of the nsds5ReplicaReleaseTimeout attribute and verify it has been set to your desired value.

    [root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" | grep nsds5ReplicaReleaseTimeout
    nsds5ReplicaReleaseTimeout: 90
Note

The Distinguished Name of the suffix in this example is dc=example,dc=com, but the equals sign (=) and comma (,) must be escaped in the ldapsearch command.

Convert the suffix DN to cn=dc\3Dexample\2Cdc\3Dcom with the following escape characters:

  • \3D replacing =
  • \2C replacing ,

Additional resources

7.14. Installing an IdM server or replica with custom database settings from an LDIF file

You can install an IdM server and IdM replicas with custom settings for the Directory Server database. The following procedure shows you how to create an LDAP Data Interchange Format (LDIF) file with database settings, and how to pass those settings to the IdM server and replica installation commands.

Prerequisites

Procedure

  1. Create a text file in LDIF format with your custom database settings. Separate LDAP attribute modifications with a dash (-). This example sets non-default values for the idle timeout and maximum file descriptors.

    dn: cn=config
    changetype: modify
    replace: nsslapd-idletimeout
    nsslapd-idletimeout=1800
    -
    replace: nsslapd-maxdescriptors
    nsslapd-maxdescriptors=8192
  2. Use the --dirsrv-config-file parameter to pass the LDIF file to the installation script.

    1. To install an IdM server:

      # ipa-server-install --dirsrv-config-file filename.ldif
    2. To install an IdM replica:

      # ipa-replica-install --dirsrv-config-file filename.ldif

7.15. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.