Sun OpenSSO Enterprise 8.0 Performance Tuning Guide

Tuning the LDAP Connection Pool and LDAP Configurations

The amtune tool provided by OpenSSO Enterprise tunes parameter values for the following three LDAP connection pools:

In deployments with a subrealm, you must also tune the subrealm connection pools. Like the root realm, each subrealm can have its own user authentication LDAP connection pool and data store LDAP connection pool.

You can modify one or more of the three LDAP connection pool configurations. In each configuration, the recommended values are MIN=8 and MAX=32. Under some conditions, you can increase the MAX value up to 64. The following sections describe how to manually tune the connection pools:

To Tune the User Authentication LDAP Configuration

You can modify the settings in one of the following places, depending on the module you use for user authentication.

LDAP Authentication Module

This module is used only to authenticate the user. In the OpenSSO Enterprise console, under Configuration, click Authentication > Core.

Data Store Authentication Module

When the Data Store is used as the authentication module, the Data Store LDAP connection pool settings are used. No additional Authentication connection pool settings are used.

To Tune the Data Store LDAP Configuration

The Data Store LDAP Configuration is used for retrieving user profiles and can also be used for authentication. If the Data Store Authentication module is used for authentication, then the recommended Data Store LDAP configuration settings are MIN=8 and MAX=64. You can modify the settings under Console > Access Control > Realm > Data Store.

To Tune the LDAP Configuration for the OpenSSO Enterprise Configuration Data Store

The configuration data store is used for storing all the OpenSSO Enterprise configurations and Policy Service configurations. Configuration data is stored in the config directory. The OpenSSO Enterprise server supports Sun Directory Server and the embedded OpenDS as the config data stores. You can configure the LDAP configuration for the config data store through the OpenSSO Enterprise administration console. Go to Configuration > Servers and Sites > server > Directory configuration.

  1. Start by setting all the connection pool configurations with MIN=8 and MAX=32.

  2. If you must make adjustments based on performance test results, adhere to the following requirements:

    • The MIN value should be at least 8.

    • The MAX value for any pool should not be greater than 64. The MAX value of 32 is enough for most typical deployments.

    Special requirements are outside the scope of this document.

  3. After following steps 1 and 2, if low throughput or slow response times persist, then try the following solutions:

    • Verify that the Directory Server instance is not at 100% CPU usage. If the Directory Server instance is at 100% and the throughput is still low, revisit the indexing on the Directory Server entries. Be sure that Directory Server indexing is configured properly.

    • Run load tests to verify that OpenSSO Enterprise logging is not causing performance to slow down. First run the tests with logging enabled, and then run the tests with logging disabled. If you find that logging is causing slow response times, then you can tune the logging service through the OpenSSO Enterprise console. See the “Logging” section in Chapter 7, Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.