Chapter 7. Adjusting IdM Directory Server performance
You can tune the performance of Identity Management’s databases by adjusting LDAP attributes controlling the Directory Server’s resources and behavior.
To adjust how the Directory Server caches data, see the following procedures:
To adjust the Directory Server’s resource limits, see the following procedures:
To adjust timeouts that have the most influence on performance, see the following procedures:
To install an IdM server or replica with custom Directory Server settings from an LDIF file, see the following procedure:
7.1. Adjusting the entry cache size
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.
The nsslapd-cachememsize
attribute specifies the size, in bytes, for the available memory space for the entry cache. This attribute is one of the most important values for controlling how much physical RAM the directory server uses.
If the entry cache size is too small, you might see the following error in the Directory Server error logs in the /var/log/dirsrv/slapd-INSTANCE-NAME/errors
log file:
REASON: entry too large (83886080 bytes) for the import buffer size (67108864 bytes). Try increasing nsslapd-cachememsize.
Red Hat recommends fitting the entry cache and the database index entry cache in memory.
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Disable automatic cache tuning.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config set --cache-autosize=0
Display the database suffixes and their corresponding back ends.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix list cn=changelog (changelog) dc=example,dc=com (userroot) o=ipaca (ipaca)
This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.
Set the entry cache size for the database. This example sets the entry cache for the userroot database to 2 gigabytes.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix set --cache-memsize=2147483648 userroot
Restart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target
-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
cache-memsize
to a different value, or re-enable cache auto-sizing.
Verification
Display the value of the
nsslapd-cachememsize
attribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cachememsize nsslapd-cachememsize: 2147483648
Additional resources
- nsslapd-cachememsize in Directory Server 11 documentation
- Re-enabling entry and database cache auto-sizing.
7.2. Adjusting the database index cache size
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.
The nsslapd-dbcachesize
attribute controls the amount of memory the database indexes use. This cache size has less of an impact on Directory Server performance than the entry cache size does, but if there is available RAM after the entry cache size is set, Red Hat recommends increasing the amount of memory allocated to the database cache.
The database cache is limited to 1.5 GB RAM because higher values do not improve performance.
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Disable automatic cache tuning, and set the database cache size. This example sets the database cache to 256 megabytes.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config set --cache-autosize=0 --dbcachesize=268435456
Restart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target
-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
dbcachesize
to a different value, or re-enable cache auto-sizing.
Verification
Display the value of the
nsslapd-dbcachesize
attribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dbcachesize nsslapd-dbcachesize: 2147483648
Additional resources
- nsslapd-dbcachesize in Directory Server 11 documentation
- Re-enabling entry and database cache auto-sizing.
7.3. Re-enabling database and entry cache auto-sizing
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Red Hat does not recommend setting cache sizes manually.
By default, the IdM Directory Server automatically determines the optimal size for the database cache and entry cache. Auto-sizing sets aside a portion of free RAM and optimizes the size of both caches based on the hardware resources of the server when the instance starts.
Use this procedure to undo custom database cache and entry cache values and restore the cache auto-sizing feature to its default values.
|
This settings controls how much free RAM is allocated for auto-sizing the database and entry caches. A value of |
Default value |
|
Valid range |
|
Entry DN location |
|
|
This value sets the percentage of free memory determined by |
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- You have previously disabled database and entry cache auto-tuning.
Procedure
Stop the Directory Server.
[root@server ~]# systemctl stop dirsrv.target
Backup the
/etc/dirsrv/slapd-instance_name/dse.ldif
file before making any further modifications.[root@server ~]# *cp /etc/dirsrv/slapd-instance_name/dse.ldif \ /etc/dirsrv/slapd-instance_name/dse.ldif.bak.$(date "+%F_%H-%M-%S")
Edit the
/etc/dirsrv/slapd-instance_name/dse.ldif
file:Set the percentage of free system RAM to use for the database and entry caches back to the default of 10% of free RAM.
nsslapd-cache-autosize: 10
Set the percentage used from the free system RAM for the database cache to the default of 25%:
nsslapd-cache-autosize-split: 25
-
Save your changes to the
/etc/dirsrv/slapd-instance_name/dse.ldif
file. Start the Directory Server.
[root@server ~]# systemctl start dirsrv.target
Verification
Display the values of the
nsslapd-cache-autosize
andnsslapd-cache-autosize-split
attributes and verify they have been set to your desired values.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cache-autosize nsslapd-cache-autosize: *10 nsslapd-cache-autosize-split: 25
Additional resources
- nsslapd-cache-autosize in Directory Server 11 documentation
7.4. Adjusting the DN cache size
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.
The nsslapd-dncachememsize
attribute specifies the size, in bytes, for the available memory space for the Distinguished Names (DN) cache. The DN cache is similar to the entry cache for a database, but its table stores only the entry ID and the entry DN, which allows faster lookups for rename
and moddn
operations.
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Optional: Display the database suffixes and their corresponding database names.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix list dc=example,dc=com (userroot)
This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.
Set the DN cache size for the database. This example sets the DN cache to 20 megabytes.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix set --dncache-memsize=20971520 userroot
Restart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target
-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
dncache-memsize
to a different value, or back to the default of 10 MB.
Verification
Display the new value of the
nsslapd-dncachememsize
attribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dncachememsize nsslapd-dncachememsize: 20971520
Additional resources
- nsslapd-dncachememsize in Directory Server 11 documentation
7.5. Adjusting the normalized DN cache size
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.
The nsslapd-ndn-cache-max-size
attribute controls the size, in bytes, of the cache that stores normalized distinguished names (NDNs). Increasing this value will retain more frequently used DNs in memory.
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Ensure the NDN cache is enabled.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ndn-cache-enabled Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-ndn-cache-enabled: on
If the cache is
off
, enable it with the following command.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-ndn-cache-enabled=on Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-ndn-cache-enabled"
Retrieve the current value of the
nsslapd-ndn-cache-max-size
parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ndn-cache-max-size Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-ndn-cache-max-size: 20971520
Modify the value of the
nsslapd-ndn-cache-max-size
attribute. This example increases the value to41943040
(40 MB).[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-ndn-cache-max-size=41943040
-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-ndn-cache-max-size
to a different value, or re-enable cache auto-sizing.
Verification
Display the new value of the
nsslapd-ndn-cache-max-size
attribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ndn-cache-max-size Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-ndn-cache-max-size: 41943040
Additional resources
- nsslapd-ndn-cache-max-size in Directory Server 11 documentation
7.6. Adjusting the maximum message size
The nsslapd-maxbersize
attribute sets the maximum size in bytes allowed for an incoming message or LDAP request. Limiting the size of requests prevents some kinds of denial of service attacks.
If the maximum message size is too small, you might see the following error in the Directory Server error logs at /var/log/dirsrv/slapd-INSTANCE-NAME/errors
:
Incoming BER Element was too long, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and if the entry in the request is larger than the configured value or the default, then the add request is denied. However, the limit is not applied to replication processes. Be cautious before changing this attribute.
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-maxbersize
parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxbersize Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-maxbersize: 2097152
Modify the value of the
nsslapd-maxbersize
attribute. This example increases the value to4194304
, 4 MB.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-maxbersize=4194304
Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-maxbersize"
-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-maxbersize
to a different value, or back to the default of2097152
.
Verification
Display the value of the
nsslapd-maxbersize
attribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxbersize Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-maxbersize: 4194304
Additional resources
- nsslapd-maxbersize (Maximum Message Size) in Directory Server 11 documentation
7.7. Adjusting the maximum number of file descriptors
A value can be defined for the DefaultLimitNOFILE
parameter in the /etc/systemd/system.conf
file. An administrator with root
privileges can set the DefaultLimitNOFILE
parameter for the ns-slapd
process to a lower value by using the setrlimit
command. This value then takes precedence over what is in /etc/systemd/system.conf
and is accepted by the Identity Management (IdM) Directory Server (DS) as the value for the nsslapd-maxdescriptors
attribute.
The nsslapd-maxdescriptors
attribute sets the maximum, platform-dependent number of file descriptors that the IdM LDAP uses. File descriptors are used for client connections, log files, sockets, and other resources.
If no value is defined in either /etc/systemd/system.conf
or by setrlimit
, then IdM DS sets the nsslapd-maxdescriptors
attribute to 1048576.
If an IdM DS administrator later decides to set a new value for nsslapd-maxdescriptors
manually, then IdM DS compares the new value with what is defined locally, by setrlimit
or in /etc/systemd/system.conf
, with the following result:
-
If the new value for
nsslapd-maxdescriptors
is higher than what is defined locally, then the server rejects the new value setting and continues to enforce the local limit value as the high watermark value. - If the new value is lower than what is defined locally, then the new value will be used.
This procedure describes how to set a new value for nsslapd-maxdescriptors
.
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-maxdescriptors
parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxdescriptors Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-maxdescriptors: 4096
Modify the value of the
nsslapd-maxdescriptors
attribute. This example increases the value to8192
.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-maxdescriptors=8192
Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-maxdescriptors"
-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-maxdescriptors
to a different value, or back to the default of4096
.
Verification
Display the value of the
nsslapd-maxdescriptors
attribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxdescriptors Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-maxdescriptors: 8192
Additional resources
- nsslapd-maxdescriptors (Maximum File Descriptors) in Directory Server 12 documentation
7.8. Adjusting the connection backlog size
The listen service sets the number of sockets available to receive incoming connections. The nsslapd-listen-backlog-size
value sets the maximum length of the queue for the sockfd
socket before refusing connections.
If your IdM environment handles a large amount of connections, consider increasing the value of nsslapd-listen-backlog-size
.
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-listen-backlog-size
parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-listen-backlog-size Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-listen-backlog-size: 128
Modify the value of the
nsslapd-listen-backlog-size
attribute. This example increases the value to192
.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-listen-backlog-size=192
Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-listen-backlog-size"
Verification
Display the value of the
nsslapd-listen-backlog-size
attribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-listen-backlog-size Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-listen-backlog-size: 192
Additional resources
- nsslapd-listen-backlog-size) in Directory Server 11 documentation
7.9. Adjusting the maximum number of database locks
Lock mechanisms control how many copies of Directory Server processes can run at the same time, and the nsslapd-db-locks
parameter sets the maximum number of locks.
Increase the maximum number of locks if if you see the following error messages in the /var/log/dirsrv/slapd-instance_name/errors
log file:
libdb: Lock table is out of available locks
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-db-locks
parameter and make a note of it before making any adjustments, in case it needs to be restored.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks nsslapd-db-locks: 50000
Modify the value of the
locks
attribute. This example doubles the value to100000
locks.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config set --locks=100000
Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully updated database configuration
Restart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target
Verification
Display the value of the
nsslapd-db-locks
attribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks nsslapd-db-locks: 100000
Additional resources
- nsslapd-db-locks in Directory Server 11 documentation
7.10. Disabling the Transparent Huge Pages feature
Transparent Huge Pages (THP) Linux memory management feature is enabled by default on RHEL. The THP feature can decrease the IdM Directory Server (DS) performance because DS has sparse memory access patterns.
How to disable the feature, see Disabling the Transparent Huge Pages feature in Red Hat Directory Server documentation.
Additional resources
7.11. Adjusting the input/output block timeout
The nsslapd-ioblocktimeout
attribute sets the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
Lower the value of the nsslapd-ioblocktimeout
attribute to free up connections sooner.
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-ioblocktimeout
parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ioblocktimeout Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-ioblocktimeout: 10000
Modify the value of the
nsslapd-ioblocktimeout
attribute. This example lowers the value to8000
.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-ioblocktimeout=8000
Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-ioblocktimeout"
-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-ioblocktimeout
to a different value, or back to the default of10000
.
Verification
Display the value of the
nsslapd-ioblocktimeout
attribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ioblocktimeout Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-idletimeout: 8000
Additional resources
- nsslapd-ioblocktimeout (IO Block Time Out) in Directory Server 11 documentation
7.12. Adjusting the idle connection timeout
The nsslapd-idletimeout
attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by the IdM server. A value of 0
means that the server never closes idle connections.
Red Hat recommends adjusting this value so stale connections are closed, but active connections are not closed prematurely.
Default value |
|
Valid range |
|
Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-idletimeout
parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-idletimeout Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-idletimeout: 3600
Modify the value of the
nsslapd-idletimeout
attribute. This example lowers the value to1800
(30 minutes).[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-idletimeout=1800
Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-idletimeout"
-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-idletimeout
to a different value, or back to the default of3600
.
Verification
Display the value of the
nsslapd-idletimeout
attribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-idletimeout Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-idletimeout: 3600
Additional resources
- nsslapd-idletimeout (Default Idle Timeout) in Directory Server 11 documentation
7.13. Adjusting the replication release timeout
An IdM replica is exclusively locked during a replication session with another replica. In some environments, a replica is locked for a long time due to large updates or network congestion, which increases replication latency.
You can release a replica after a fixed amount of time by adjusting the repl-release-timeout
parameter. Red Hat recommends setting this value between 30
and 120
:
- If the value is set too low, replicas are constantly reacquiring one another and replicas are not able to send larger updates.
-
A longer timeout can improve high-traffic situations where it is best if a server exclusively accesses a replica for longer amounts of time, but a value higher than
120
seconds slows down replication.
Default value |
|
Valid range |
|
Recommended range |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Display the database suffixes and their corresponding back ends.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix list cn=changelog (changelog) dc=example,dc=com (userroot) o=ipaca (ipaca)
This command displays the names of the back end databases next to their suffix. Use the suffix name in the next step.
Modify the value of the
repl-release-timeout
attribute for the main userroot database. This example increases the value to90
seconds.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com replication set --suffix="dc=example,dc=com" --repl-release-timeout=90
Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "repl-release-timeout"
Optional: If your IdM environment uses the IdM Certificate Authority (CA), you can modify the value of the
repl-release-timeout
attribute for the CA database. This example increases the value to90
seconds.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com replication set --suffix="o=ipaca" --repl-release-timeout=90 Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "repl-release-timeout"
Restart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target
-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
repl-release-timeout
to a different value, or back to the default of60
seconds.
Verification
Display the value of the
nsds5ReplicaReleaseTimeout
attribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" | grep nsds5ReplicaReleaseTimeout nsds5ReplicaReleaseTimeout: 90
The Distinguished Name of the suffix in this example is dc=example,dc=com
, but the equals sign (=
) and comma (,
) must be escaped in the ldapsearch
command.
Convert the suffix DN to cn=dc\3Dexample\2Cdc\3Dcom
with the following escape characters:
-
\3D
replacing=
-
\2C
replacing,
Additional resources
- nsDS5ReplicaReleaseTimeout in Directory Server 11 documentation
7.14. Installing an IdM server or replica with custom database settings from an LDIF file
You can install an IdM server and IdM replicas with custom settings for the Directory Server database. The following procedure shows you how to create an LDAP Data Interchange Format (LDIF) file with database settings, and how to pass those settings to the IdM server and replica installation commands.
Prerequisites
- You have determined custom Directory Server settings that improve the performance of your IdM environment. See Adjusting IdM Directory Server performance.
Procedure
Create a text file in LDIF format with your custom database settings. Separate LDAP attribute modifications with a dash (-). This example sets non-default values for the idle timeout and maximum file descriptors.
dn: cn=config changetype: modify replace: nsslapd-idletimeout nsslapd-idletimeout=1800 - replace: nsslapd-maxdescriptors nsslapd-maxdescriptors=8192
Use the
--dirsrv-config-file
parameter to pass the LDIF file to the installation script.To install an IdM server:
# ipa-server-install --dirsrv-config-file filename.ldif
To install an IdM replica:
# ipa-replica-install --dirsrv-config-file filename.ldif
Additional resources