Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 7. Adjusting IdM Directory Server performance

You can tune the performance of Identity Management’s databases by adjusting LDAP attributes controlling the Directory Server’s resources and behavior.

You can fine-tune the following:

  • Adjust how the Directory Server caches data.
  • Adjust the Directory Server’s resource limits.
  • Adjust timeouts that have the most influence on performance.
  • Install an IdM server or replica with custom Directory Server settings from an LDIF file.
Important

Do not change this settings, unless you have a strong need to apply your custom values. IdM Directory Server uses the built-in cache auto-sizing feature for optimized performance.

The nsslapd-cachememsize attribute specifies the size, in bytes, for the available memory space for the entry cache. This attribute is one of the most important values for controlling how much physical RAM the Directory Server uses.

If the entry cache size is too small, you might see the following error in the Directory Server error logs in the /var/log/dirsrv/slapd-<instance_name>/errors log file: 

REASON: entry too large (83886080 bytes) for the import buffer size (67108864 bytes).  Try increasing nsslapd-cachememsize.
Copy to Clipboard Toggle word wrap

Red Hat recommends fitting the entry cache and the database index entry cache in memory.

Expand
Table 7.1. nsslapd-cachememsize attribute values

Default value

209715200 (200 MiB)

Valid range

500000 - 18446744073709551615 (500 kB - (264-1))

Entry DN location

cn=<database_name>,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Disable automatic cache tuning. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend config set --cache-autosize=0
    Copy to Clipboard Toggle word wrap

  2. Display the database suffixes and their corresponding back ends. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix list
cn=changelog (changelog)
dc=example,dc=com (userroot)
o=ipaca (ipaca)
    Copy to Clipboard Toggle word wrap

    This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.

  3. Set the entry cache size for the database. This example sets the entry cache for the userroot database to 2 gigabytes. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix set --cache-memsize=2147483648 userroot
    Copy to Clipboard Toggle word wrap

  4. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target
    Copy to Clipboard Toggle word wrap
  5. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust cache-memsize to a different value, or re-enable cache auto-sizing.

Verification

  • Display the value of the nsslapd-cachememsize attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cachememsize
nsslapd-cachememsize: 2147483648
    Copy to Clipboard Toggle word wrap
Important

Do not change this settings, unless you have a strong need to apply your custom values. IdM Directory Server uses the built-in cache auto-sizing feature for optimized performance.

The nsslapd-dbcachesize attribute controls the amount of memory the database indexes use. This cache size has less of an impact on Directory Server performance than the entry cache size does, but if there is available RAM after the entry cache size is set, Red Hat recommends increasing the amount of memory allocated to the database cache.

The database cache is limited to 1.5 GB RAM because higher values do not improve performance.

Expand
Table 7.2. nsslapd-dbcachesize attribute values

Default value

10000000 (10 MB)

Valid range

500000 - 1610611911 (500 kB - 1.5GB)

Entry DN location

cn=config,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Disable automatic cache tuning, and set the database cache size. This example sets the database cache to 256 megabytes. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend config set --cache-autosize=0 --dbcachesize=268435456
    Copy to Clipboard Toggle word wrap

  2. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target
    Copy to Clipboard Toggle word wrap
  3. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust dbcachesize to a different value, or re-enable cache auto-sizing.

Verification

  • Display the value of the nsslapd-dbcachesize attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dbcachesize
nsslapd-dbcachesize: 2147483648
    Copy to Clipboard Toggle word wrap
Important

Use the built-in cache auto-sizing feature for optimized performance. Do not set cache sizes manually.

By default, the IdM Directory Server automatically determines the optimal size for the database cache and entry cache. Auto-sizing sets aside a portion of free RAM and optimizes the size of both caches based on the hardware resources of the server when the instance starts.

Use this procedure to undo custom database cache and entry cache values and restore the cache auto-sizing feature to its default values.

Expand
Table 7.3. nsslapd-cache-autosize attribute values

nsslapd-cache-autosize

This settings controls how much free RAM is allocated for auto-sizing the database and entry caches. A value of 0 disables auto-sizing.

Default value

10 (10% of free RAM)

Valid range

0 - 100

Entry DN location

cn=config,cn=ldbm database,cn=plugins,cn=config

Expand
Table 7.4. nsslapd-cache-autosize-split attribute values

nsslapd-cache-autosize-split

This value sets the percentage of free memory determined by nsslapd-cache-autosize that is used for the database cache. The remaining percentage is used for the entry cache.

Default value

25 (25% for the database cache, 60% for the entry cache)

Valid range

0 - 100

Entry DN location

cn=config,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • You have previously disabled database and entry cache auto-tuning.

Procedure

  1. Stop the Directory Server. 

    [root@server ~]# systemctl stop dirsrv.target
    Copy to Clipboard Toggle word wrap

  2. Backup the /etc/dirsrv/slapd-<instance_name>/dse.ldif file before making any further modifications. 

    [root@server ~]# cp /etc/dirsrv/slapd-<instance_name>/dse.ldif \ /etc/dirsrv/slapd-<instance_name>/dse.ldif.bak.$(date "+%F_%H-%M-%S")
    Copy to Clipboard Toggle word wrap

  3. Edit the /etc/dirsrv/slapd-<instance_name>/dse.ldif file:

    1. Set the percentage of free system RAM to use for the database and entry caches back to the default of 10% of free RAM. 

      nsslapd-cache-autosize: 10
      Copy to Clipboard Toggle word wrap

    2. Set the percentage used from the free system RAM for the database cache to the default of 25%: 

      nsslapd-cache-autosize-split: 25
      Copy to Clipboard Toggle word wrap
  4. Save your changes to the /etc/dirsrv/slapd-<instance_name>/dse.ldif file.

  5. Start the Directory Server. 

    [root@server ~]# systemctl start dirsrv.target
    Copy to Clipboard Toggle word wrap

Verification

  • Display the values of the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes and verify they have been set to your desired values. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cache-autosize nsslapd-cache-autosize: *10
nsslapd-cache-autosize-split: 25
    Copy to Clipboard Toggle word wrap

7.4. Adjusting the DN cache size in the IdM Directory Server
Copier lien

Important

Do not change this settings, unless you have a strong need to apply your custom values. IdM Directory Server uses the built-in cache auto-sizing feature for optimized performance.

The nsslapd-dncachememsize attribute specifies the size, in bytes, for the available memory space for the Distinguished Names (DN) cache. The DN cache is similar to the entry cache for a database, but its table stores only the entry ID and the entry DN, which allows faster lookups for rename and moddn operations.

Expand
Table 7.5. nsslapd-dncachememsize attribute values

Default value

10485760 (10 MB)

Valid range

500000 - 18446744073709551615 (500 kB - (264-1))

Entry DN location

cn=database-name,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Optional: Display the database suffixes and their corresponding database names. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix list
dc=example,dc=com (userroot)
    Copy to Clipboard Toggle word wrap

    This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.

  2. Set the DN cache size for the database. This example sets the DN cache to 20 megabytes. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix set --dncache-memsize=20971520 userroot
    Copy to Clipboard Toggle word wrap

  3. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target
    Copy to Clipboard Toggle word wrap
  4. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust dncache-memsize to a different value, or back to the default of 10 MB.

Verification

  • Display the new value of the nsslapd-dncachememsize attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dncachememsize
nsslapd-dncachememsize: 20971520
    Copy to Clipboard Toggle word wrap
Important

Do not change this settings, unless you have a strong need to apply your custom values. IdM Directory Server uses the built-in cache auto-sizing feature for optimized performance.

The nsslapd-ndn-cache-max-size attribute controls the size, in bytes, of the cache that stores normalized distinguished names (NDNs). Increasing this value will retain more frequently used DNs in memory.

Expand
Table 7.6. nsslapd-ndn-cache-max-size attribute values

Default value

20971520 (20 MB)

Valid range

0 - 2147483647

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Ensure the NDN cache is enabled. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ndn-cache-enabled
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-ndn-cache-enabled: on
    Copy to Clipboard Toggle word wrap

    If the cache is off, enable it with the following command. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-ndn-cache-enabled=on
Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-ndn-cache-enabled"
    Copy to Clipboard Toggle word wrap

  2. Retrieve the current value of the nsslapd-ndn-cache-max-size parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ndn-cache-max-size
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-ndn-cache-max-size: 20971520
    Copy to Clipboard Toggle word wrap

  3. Modify the value of the nsslapd-ndn-cache-max-size attribute. This example increases the value to 41943040 (40 MB). 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-ndn-cache-max-size=41943040
    Copy to Clipboard Toggle word wrap
  4. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-ndn-cache-max-size to a different value, or re-enable cache auto-sizing.

Verification

  • Display the new value of the nsslapd-ndn-cache-max-size attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ndn-cache-max-size
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-ndn-cache-max-size: 41943040
    Copy to Clipboard Toggle word wrap

The nsslapd-maxbersize attribute sets the maximum size in bytes allowed for an incoming message or LDAP request. Limiting the size of requests prevents some kinds of denial of service attacks.

If the maximum message size is too small, you might see the following error in the Directory Server error logs at /var/log/dirsrv/slapd-<instance_name>/errors: 

Incoming BER Element was too long, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
Copy to Clipboard Toggle word wrap

The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and if the entry in the request is larger than the configured value or the default, then the add request is denied. However, the limit is not applied to replication processes. Be cautious before changing this attribute.

Expand
Table 7.7. nsslapd-maxbersize attribute values

Default value

2097152 (2 MB)

Valid range

0 - 2147483647 (0 to 2 GB)

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-maxbersize parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-maxbersize
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-maxbersize: 2097152
    Copy to Clipboard Toggle word wrap

  2. Modify the value of the nsslapd-maxbersize attribute. This example increases the value to 4194304, 4 MB. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-maxbersize=4194304
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-maxbersize"
    Copy to Clipboard Toggle word wrap
  4. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-maxbersize to a different value, or back to the default of 2097152.

Verification

  • Display the value of the nsslapd-maxbersize attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-maxbersize
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-maxbersize: 4194304
    Copy to Clipboard Toggle word wrap

A value can be defined for the DefaultLimitNOFILE parameter in the /etc/systemd/system.conf file. An administrator with root privileges can set the DefaultLimitNOFILE parameter for the ns-slapd process to a lower value by using the setrlimit command. This value then takes precedence over what is in /etc/systemd/system.conf and is accepted by the Identity Management (IdM) Directory Server (DS) as the value for the nsslapd-maxdescriptors attribute.

The nsslapd-maxdescriptors attribute sets the maximum, platform-dependent number of file descriptors that the IdM LDAP uses. File descriptors are used for client connections, log files, sockets, and other resources.

If no value is defined in either /etc/systemd/system.conf or by setrlimit, then IdM DS sets the nsslapd-maxdescriptors attribute to 1048576.

If an IdM DS administrator later decides to set a new value for nsslapd-maxdescriptors manually, then IdM DS compares the new value with what is defined locally, by setrlimit or in /etc/systemd/system.conf, with the following result:

  • If the new value for nsslapd-maxdescriptors is higher than what is defined locally, then the server rejects the new value setting and continues to enforce the local limit value as the high watermark value.
  • If the new value is lower than what is defined locally, then the new value will be used.

This procedure describes how to set a new value for nsslapd-maxdescriptors.

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-maxdescriptors parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-maxdescriptors
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-maxdescriptors: 4096
    Copy to Clipboard Toggle word wrap

  2. Modify the value of the nsslapd-maxdescriptors attribute. This example increases the value to 8192. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-maxdescriptors=8192
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-maxdescriptors"
    Copy to Clipboard Toggle word wrap
  4. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-maxdescriptors to a different value, or back to the default of 4096.

Verification

  • Display the value of the nsslapd-maxdescriptors attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-maxdescriptors
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-maxdescriptors: 8192
    Copy to Clipboard Toggle word wrap

The listen service sets the number of sockets available to receive incoming connections. The nsslapd-listen-backlog-size value sets the maximum length of the queue for the sockfd socket before refusing connections.

If your IdM environment handles a large amount of connections, consider increasing the value of nsslapd-listen-backlog-size.

Expand
Table 7.8. nsslapd-listen-backlog-size attribute values

Default value

128 queue slots

Valid range

0 - 9223372036854775807

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-listen-backlog-size parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-listen-backlog-size
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-listen-backlog-size: 128
    Copy to Clipboard Toggle word wrap

  2. Modify the value of the nsslapd-listen-backlog-size attribute. This example increases the value to 192. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-listen-backlog-size=192
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-listen-backlog-size"
    Copy to Clipboard Toggle word wrap

Verification

  • Display the value of the nsslapd-listen-backlog-size attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-listen-backlog-size
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-listen-backlog-size: 192
    Copy to Clipboard Toggle word wrap

Lock mechanisms control how many copies of Directory Server processes can run at the same time, and the nsslapd-db-locks parameter sets the maximum number of locks.

Increase the maximum number of locks if if you see the following error messages in the /var/log/dirsrv/slapd-<instance_name>/errors log file: 

libdb: Lock table is out of available locks
Copy to Clipboard Toggle word wrap
Expand
Table 7.9. nsslapd-db-locks attribute values

Default value

50000 locks

Valid range

0 - 2147483647

Entry DN location

cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-db-locks parameter and make a note of it before making any adjustments, in case it needs to be restored. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks
nsslapd-db-locks: 50000
    Copy to Clipboard Toggle word wrap

  2. Modify the value of the locks attribute. This example doubles the value to 100000 locks. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend config set --locks=100000
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully updated database configuration
    Copy to Clipboard Toggle word wrap

  4. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target
    Copy to Clipboard Toggle word wrap

Verification

  • Display the value of the nsslapd-db-locks attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=directory manager" -w <directory_manager_password> -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks
nsslapd-db-locks: 100000
    Copy to Clipboard Toggle word wrap

Transparent Huge Pages (THP) Linux memory management feature is enabled by default on RHEL. The THP feature can decrease the IdM Directory Server (DS) performance because DS has sparse memory access patterns.

How to disable the feature, see Disabling the Transparent Huge Pages feature in Red Hat Directory Server documentation.

The nsslapd-ioblocktimeout attribute sets the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.

Lower the value of the nsslapd-ioblocktimeout attribute to free up connections sooner.

Expand
Table 7.10. nsslapd-ioblocktimeout attribute values

Default value

10000 milliseconds

Valid range

0 - 2147483647

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-ioblocktimeout parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ioblocktimeout
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-ioblocktimeout: 10000
    Copy to Clipboard Toggle word wrap

  2. Modify the value of the nsslapd-ioblocktimeout attribute. This example lowers the value to 8000. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-ioblocktimeout=8000
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-ioblocktimeout"
    Copy to Clipboard Toggle word wrap
  4. Monitor the IdM directory server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-ioblocktimeout to a different value, or back to the default of 10000.

Verification

  • Display the value of the nsslapd-ioblocktimeout attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-ioblocktimeout
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-idletimeout: 8000
    Copy to Clipboard Toggle word wrap

The nsslapd-idletimeout attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by the IdM server. A value of 0 means that the server never closes idle connections.

Red Hat recommends adjusting this value so stale connections are closed, but active connections are not closed prematurely.

Expand
Table 7.11. nsslapd-idletimeout attribute values

Default value

3600 seconds (1 hour)

Valid range

0 - 2147483647

Entry DN location

cn=config

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Retrieve the current value of the nsslapd-idletimeout parameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-idletimeout
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-idletimeout: 3600
    Copy to Clipboard Toggle word wrap

  2. Modify the value of the nsslapd-idletimeout attribute. This example lowers the value to 1800 (30 minutes). 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config replace nsslapd-idletimeout=1800
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "nsslapd-idletimeout"
    Copy to Clipboard Toggle word wrap
  4. Monitor the IdM directory server’s performance. If it does not improve, repeat this procedure and adjust nsslapd-idletimeout to a different value, or back to the default of 3600.

Verification

  • Display the value of the nsslapd-idletimeout attribute and verify it has been set to your desired value. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> config get nsslapd-idletimeout
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-idletimeout: 3600
    Copy to Clipboard Toggle word wrap

7.13. Adjusting the replication release timeout
Copier lien

An IdM replica is exclusively locked during a replication session with another replica. In some environments, a replica is locked for a long time due to large updates or network congestion, which increases replication latency.

You can release a replica after a fixed amount of time by adjusting the repl-release-timeout parameter. Red Hat recommends setting this value between 30 and 120:

  • If the value is set too low, replicas are constantly reacquiring one another and replicas are not able to send larger updates.
  • A longer timeout can improve high-traffic situations where it is best if a server exclusively accesses a replica for longer amounts of time, but a value higher than 120 seconds slows down replication.
Expand
Table 7.12. repl-release-timeout attribute values

Default value

60 seconds

Valid range

0 - 2147483647

Recommended range

30 - 120

Prerequisites

  • The LDAP Directory Manager password

Procedure

  1. Display the database suffixes and their corresponding back ends. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> backend suffix list
cn=changelog (changelog)
dc=example,dc=com (userroot)
o=ipaca (ipaca)
    Copy to Clipboard Toggle word wrap

    This command displays the names of the back end databases next to their suffix. Use the suffix name in the next step.

  2. Modify the value of the repl-release-timeout attribute for the main userroot database. This example increases the value to 90 seconds. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> replication set --suffix="dc=example,dc=com" --repl-release-timeout=90
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the Directory Manager to make the configuration change. 

    Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "repl-release-timeout"
    Copy to Clipboard Toggle word wrap

  4. Optional: If your IdM environment uses the IdM Certificate Authority (CA), you can modify the value of the repl-release-timeout attribute for the CA database. This example increases the value to 90 seconds. 

    [root@server ~]# dsconf -D "cn=Directory Manager" ldap://<server_fqdn> replication set *--suffix="o=ipaca" --repl-release-timeout=90*
Enter password for cn=Directory Manager on ldap://server.example.com:
Successfully replaced "repl-release-timeout"
    Copy to Clipboard Toggle word wrap

  5. Restart the Directory Server. 

    [root@server ~]# systemctl restart dirsrv.target
    Copy to Clipboard Toggle word wrap
  6. Monitor the IdM Directory Server’s performance. If it does not improve, repeat this procedure and adjust repl-release-timeout to a different value, or back to the default of 60 seconds.

Verification

  • Display the value of the nsds5ReplicaReleaseTimeout attribute and verify it has been set to your desired value. 

    [root@server ~]# ldapsearch -D "cn=Directory Manager" -w <directory_manager_password> -b "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" | grep nsds5ReplicaReleaseTimeout
nsds5ReplicaReleaseTimeout: 90
    Copy to Clipboard Toggle word wrap
Note

The Distinguished Name of the suffix in this example is dc=example,dc=com, but the equals sign (=) and comma (,) must be escaped in the ldapsearch command.

Convert the suffix DN to cn=dc\3Dexample\2Cdc\3Dcom with the following escape characters:

  • \3D replacing =
  • \2C replacing ,
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat