Sun Java(TM) System Directory Server 5 2004Q2 Performance Tuning Guide 

Chapter 6
Managing Use of Other Resources

After optimizing cache size, attribute value indexing, and log management, it may prove useful to tune how Directory Server limits the resources made available to client applications, and how Directory Server makes use of system resources. It may also prove useful to reconfigure and even disable some features offered as Directory Server plug-ins. This chapter includes the following sections:

  • Limiting Resources Available to Clients
  • Using Available System Resources
  • Managing Access Control
  • Configuring Server Plug-Ins

Limiting Resources Available to Clients

The default configuration may allow client applications to use more Directory Server resources than they actually require. This leaves the door open to client applications, whether accidentally or intentionally abusive, degrading server performance by opening many connections and then leaving them idle or unused, launching costly and unnecessary unindexed searches, or storing enormous and unplanned-for binary attribute values in the directory.

In some deployment situations, it is not advisable to modify the default configuration. For deployments in which you opt not to change the configuration attribute values mentioned in this section, consider using Sun Java System Directory Proxy Server software to set limits externally, and to help protect against denial of service attacks.

In some deployment situations, one instance of Directory Server must support both directory-intensive client applications such as messaging servers and occasional directory clients such as user mail applications. In such situations, consider using bind DN-based resource limits as described in the Directory Server Administration Guide to raise individual limits for directory-intensive applications.

The recommendations in Table 6-1 address settings for limiting resources available to all client applications. These limits do not apply to the Directory Manager user, so ensure client applications do not connect as the Directory Manager user.

Table 6-1  Tuning Recommendations for Limiting Resources Available to Clients 

Configuration Entry DN and Attribute

Short Description and Tuning Recommendations

dn: cn=config

nsslapd-idletimeout

Sets the time in seconds after which Directory Server closes an idle client connection. Here idle means that the connection remains open, yet no operations are requested. By default, no time limit is set.

Some applications, such as messaging servers, may open a pool of connections that remain idle when traffic is low, but that should not be closed. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN-based limits.

In any case, set this value high enough not to close connections that other applications expect to remain open, but set it low enough that connections cannot be left idle abusively. Consider setting it to 7200 (2 hours), for example.

 

dn: cn=config

nsslapd-ioblocktimeout

Sets the time in milliseconds after which Directory Server closes a stalled client connection. Here stalled means that the server is blocked either sending output to the client or reading input from the client.

For Directory Server instances particularly exposed to denial of service attacks, consider lowering this value from the default of 1,800,000 milliseconds (30 minutes).

 

dn: cn=config,cn=ldbm database,cn=plugins,cn=config

nsslapd-lookthroughlimit

Sets the maximum number of candidate entries checked for matches during a search.

Some applications, such as messaging servers, may need to search the entire directory. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN-based limits.

In any case, consider lowering this value from the default of 5000 entries, but not below the threshold value of nsslapd-sizelimit.

dn: cn=config

nsslapd-maxbersize

Sets the maximum size in bytes for an incoming ASN.1 message encoded according to Basic Encoding Rules (BER). Directory Server rejects requests to add entries larger than this limit.

If you are confident you can accurately anticipate maximum entry size for your directory data, consider changing this value from the default of 2097152 (2 MB) to the size of the largest expected directory entry.

The next largest size limit for an update is the size of the transaction log file, nsslapd-db-logfile-size, which by default is 10 MB.

 

dn: cn=config

nsslapd-maxthreadsperconn

Sets the maximum number of threads per client connection.

Some applications, such as messaging servers, may open a pool of connections and may issue many requests on each connection. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN-based limits.

If you anticipate that some applications may perform many requests per connection, consider increasing this value from the default of 5. Do not increase it beyond 10; more than 10 threads per connection is typically not advisable.

 

dn: cn=config

nsslapd-sizelimit

Sets the maximum number of entries Directory Server returns in response to a search request.

Some applications, such as messaging servers, may need to search the entire directory. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN-based limits.

In any case, consider lowering this value from the default of 2000 entries.

 

dn: cn=config

nsslapd-timelimit

Sets the maximum number of seconds Directory Server allows for handling a search request.

Some applications, such as messaging servers, may need to perform very large searches. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN-based limits.

In any case, set this value as low as you can and still meet deployment requirements. The default value of 3600 seconds (1 hour) is larger than necessary for many deployments. Consider using 600 seconds (10 minutes) as a starting point for optimization tests.

Refer to the Directory Server Administration Reference for details concerning individual configuration attributes.
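The Table 6-1 limits live on cn=config and on the ldbm database configuration entry, and in practice they are changed with ldapmodify. The following script is an added example, not code from this guide or from the Directory Server product: it generates the LDIF for those attributes, refuses values that violate the two constraints the table states (nsslapd-lookthroughlimit below nsslapd-sizelimit, more than 10 threads per connection), and optionally applies the change. The host, port, password file path, and the 10-minute nsslapd-ioblocktimeout value are assumptions; the other values are the table's own defaults and suggested starting points. The -j option is assumed to be the Sun ldapmodify option that reads the bind password from a file.

```shell
#!/bin/sh
# Added example, not from the tuning guide: build an LDIF change that applies
# the Table 6-1 client limits, then (optionally) apply it with ldapmodify.
# Host, port, bind DN and password file are placeholders for your deployment.

DS_HOST="${DS_HOST:-localhost}"
DS_PORT="${DS_PORT:-389}"
DS_BINDDN="${DS_BINDDN:-cn=Directory Manager}"
DS_PWFILE="${DS_PWFILE:-/path/to/dirmanager.pw}"   # placeholder path

# client_limits_ldif IDLE_S IOBLOCK_MS MAXBER_BYTES THREADS_PER_CONN SIZE TIME_S LOOKTHROUGH
# Prints the LDIF. Enforces two constraints stated in the guide:
#   - nsslapd-lookthroughlimit must not be set below nsslapd-sizelimit
#   - nsslapd-maxthreadsperconn should not exceed 10
client_limits_ldif() {
  idle=$1; ioblock=$2; maxber=$3; tpc=$4; sizelim=$5; tlimit=$6; lookthrough=$7
  if [ "$lookthrough" -lt "$sizelim" ]; then
    echo "error: lookthroughlimit ($lookthrough) is below sizelimit ($sizelim)" >&2
    return 1
  fi
  if [ "$tpc" -gt 10 ]; then
    echo "error: maxthreadsperconn ($tpc) exceeds the advised maximum of 10" >&2
    return 1
  fi
  cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-idletimeout
nsslapd-idletimeout: $idle
-
replace: nsslapd-ioblocktimeout
nsslapd-ioblocktimeout: $ioblock
-
replace: nsslapd-maxbersize
nsslapd-maxbersize: $maxber
-
replace: nsslapd-maxthreadsperconn
nsslapd-maxthreadsperconn: $tpc
-
replace: nsslapd-sizelimit
nsslapd-sizelimit: $sizelim
-
replace: nsslapd-timelimit
nsslapd-timelimit: $tlimit

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: $lookthrough
EOF
}

# Apply the change as the Directory Manager (the one user these limits do not
# apply to). -j (assumed Sun ldapmodify option) reads the bind password from a
# file, keeping it off the command line and out of process listings.
apply_client_limits() {
  client_limits_ldif "$@" | ldapmodify -h "$DS_HOST" -p "$DS_PORT" \
      -D "$DS_BINDDN" -j "$DS_PWFILE"
}

# Usage: with no argument the LDIF is printed for review; "apply" changes the
# server. Values: idle 2 h, ioblock 10 min (assumed), maxber 2 MB (default),
# 5 threads/connection (default), size 2000 (default), time 10 min,
# lookthrough 5000 (default, and not below the size limit).
case "${1:-}" in
  apply) apply_client_limits 7200 600000 2097152 5 2000 600 5000 ;;
  *)     client_limits_ldif 7200 600000 2097152 5 2000 600 5000 ;;
esac
```

Review the printed LDIF before running the apply step; nsslapd-maxbersize in particular should be sized to the largest entry your data actually contains rather than left at the 2 MB default shown here.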


Using Available System Resources

Depending on deployment requirements, you may choose to tune how a Directory Server instance uses system and network resources, how access control is managed, and how server plug-ins are configured. The recommendations in Table 6-2 address settings for system resources.

Table 6-2  Tuning Recommendations for Configuring Use of System Resources 

Attribute (on dn: cn=config)

Short Description and Tuning Recommendations

nsslapd-listenhost

Sets the hostname for the IP interface on which Directory Server listens. This attribute is single-valued.

The default behavior is to listen on all interfaces, which suits high volume deployments that use redundant network interfaces for availability and throughput.

Consider setting this value when deploying on a multihomed system, or when listening only for IPv4 or IPv6 traffic on a system supporting each protocol through a separate interface. Consider setting nsslapd-securelistenhost when using SSL.

 

nsslapd-maxdescriptors

Sets the maximum number of file descriptors Directory Server attempts to use.

The default value is the maximum number of file descriptors allowed for a process on the system at the time when the Directory Server instance is created. The maximum value corresponds to the maximum number of file descriptors allowed for a process on the system. Refer to your operating system documentation for details.

Directory Server uses file descriptors to handle client connections, and to maintain files internally. If the error log indicates Directory Server sometimes stops listening for new connections because not enough file descriptors are available, increasing the value of this attribute may increase the number of client connections Directory Server can handle simultaneously.

If you have increased the number of file descriptors available on the system as described in File Descriptors, then set the value of this attribute accordingly. The value of this attribute should be less than or equal to the maximum number of file descriptors available on the system.

nsslapd-nagle

Sets whether to delay the sending of TCP packets at the socket level (the Nagle algorithm, which coalesces small writes into fewer, larger packets).

Consider setting this to on if you need to reduce network traffic.

 

nsslapd-reservedescriptors

Sets the number of file descriptors Directory Server maintains to manage indexing, replication and other internal processing. Such file descriptors become unavailable to handle client connections.

Consider increasing the value of this attribute from the default of 64 if all of the following are true.

  • Directory Server replicates to more than 10 consumers or Directory Server maintains more than 30 index files.
  • Directory Server handles a large number of client connections.
  • Messages in the error log suggest Directory Server is running out of file descriptors for operations not related to client connections.

Notice that as the number of reserved file descriptors increases, the number of file descriptors available to handle client connections decreases. If you increase the value of this attribute, consider increasing the number of file descriptors available on the system, and increasing the value of nsslapd-maxdescriptors.

If you decide to change this attribute, for a first estimate of the number of file descriptors to reserve, try setting the value of nsslapd-reservedescriptors to:

20 + 4 * (number of databases) + (total number of indexes) + (value of nsoperationconnectionslimit) * (number of chaining backends) + ReplDescriptors + PTADescriptors + SSLDescriptors

where ReplDescriptors is the number of supplier replicas + 8 if replication is used (0 otherwise), PTADescriptors is 3 if the Pass Through Authentication (PTA) plug-in is enabled (0 otherwise), and SSLDescriptors is 5 if SSL is used (0 otherwise).

The number of databases is the same as the number of suffixes for the instance, unless the instance is configured to use more than one database per suffix. Verify estimates through empirical testing.

 

nsslapd-securelistenhost

Sets the hostname for the IP interface on which Directory Server listens for SSL connections. This attribute is single-valued.

Default behavior is to listen on all interfaces. Consider this attribute in the same way as nsslapd-listenhost.

nsslapd-threadnumber

Sets the number of threads Directory Server uses.

Consider adjusting the value of this attribute if any of the following are true:

  • Client applications perform many simultaneous, time-consuming operations such as updates or complex searches.
  • Directory Server supports many simultaneous client connections.

Multiprocessor systems can sustain larger thread pools than single processor systems. As a first estimate when optimizing the value of this attribute, use either two times the number of processors, or 20 + the number of simultaneous updates. Consider also adjusting the maximum number of threads per client connection, nsslapd-maxthreadsperconn, as discussed in Table 6-1. The number of threads handling client connections cannot exceed the maximum number of file descriptors available on the system. In some cases, it may prove useful to reduce, rather than increase, the value of this attribute.

Verify estimates through empirical testing. Results depend not only on the particular deployment situation but also on the underlying system.

Refer to the Directory Server Administration Reference for details concerning individual configuration attributes.
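The nsslapd-reservedescriptors formula in Table 6-2 is easier to apply, and to check against the descriptor budget, when written as a small calculation. The following POSIX shell functions are an added example and not part of this guide: reserve_estimate evaluates the formula for a given sizing, and client_descriptors shows what that reservation leaves for client connections under a chosen nsslapd-maxdescriptors, which is the trade-off the table warns about. The sizing numbers in the usage lines are constructed, and the formula's replication term is read as (number of supplier replicas + 8) when replication is used and 0 otherwise.

```shell
#!/bin/sh
# Added example, not from the tuning guide: evaluate the guide's first estimate
# for nsslapd-reservedescriptors, then check what that reservation leaves for
# client connections under a given nsslapd-maxdescriptors. The inputs in the
# usage lines are constructed sample values, not measurements.

# reserve_estimate DBS INDEXES OPCONNLIMIT CHAINBACKENDS SUPPLIERS PTA SSL
#   DBS           number of databases (one per suffix unless configured otherwise)
#   INDEXES       total number of index files
#   OPCONNLIMIT   value of nsoperationconnectionslimit on the chaining backends
#   CHAINBACKENDS number of chaining backends
#   SUPPLIERS     number of supplier replicas; 0 means replication is not used
#   PTA           1 if the Pass Through Authentication plug-in is enabled, else 0
#   SSL           1 if SSL is used, else 0
# The guide's "number of supplier replicas + 8 if replication is used" is read
# here as (SUPPLIERS + 8) when replication is in use and 0 otherwise.
reserve_estimate() {
  dbs=$1; indexes=$2; opconn=$3; chain=$4; suppliers=$5; pta=$6; ssl=$7
  repl=0; ptad=0; ssld=0
  if [ "$suppliers" -gt 0 ]; then repl=$((suppliers + 8)); fi
  if [ "$pta" -eq 1 ]; then ptad=3; fi
  if [ "$ssl" -eq 1 ]; then ssld=5; fi
  echo $((20 + 4 * dbs + indexes + opconn * chain + repl + ptad + ssld))
}

# client_descriptors MAXDESCRIPTORS RESERVED
# Prints how many descriptors remain for client connections once the
# reservation is taken out of nsslapd-maxdescriptors; fails if none remain,
# which is the situation where the server stops accepting new connections.
client_descriptors() {
  left=$(($1 - $2))
  if [ "$left" -le 0 ]; then
    echo "error: reserving $2 of $1 descriptors leaves none for client connections" >&2
    return 1
  fi
  echo "$left"
}

# Sample sizing (constructed): 2 databases, 40 index files, one chaining
# backend with nsoperationconnectionslimit 10, 3 supplier replicas, PTA on, SSL on.
est=$(reserve_estimate 2 40 10 1 3 1 1)
echo "nsslapd-reservedescriptors estimate: $est"                                  # 97
echo "left for clients with nsslapd-maxdescriptors=1024: $(client_descriptors 1024 "$est")"   # 927
# A small single-suffix instance without replication stays under the default of 64:
echo "single suffix, 30 indexes, no replication: $(reserve_estimate 1 30 0 0 0 0 0)"   # 54
```

When the estimate exceeds the default of 64, raise nsslapd-maxdescriptors (and the system limit it depends on) by at least the same amount, otherwise the reservation comes straight out of the connections the server can accept; the guide's advice to verify by empirical testing still applies to the estimate itself.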

Managing Access Control

Directory Server now offers performance and scalability improvements for Access Control Instructions (ACIs) such as better memory management and support for macro ACIs. Improvements notwithstanding, Directory Server uses significant system resources to evaluate complex ACIs. Extensive use of complex ACIs can therefore negatively impact performance.

Macro ACIs help you limit the number of ACIs used. By limiting the number of ACIs, you render access control easier to manage and reduce the load on the system. Macros are placeholders that represent a DN, or a portion of a DN, in an ACI. A macro can be used in an ACI target, in an ACI bind rule, or in both. When Directory Server receives a request, it checks which ACI macros match against the resource targeted for the resulting operation. If a macro matches, Directory Server replaces it with the value of the actual DN. Directory Server then evaluates the ACI normally. For more information on ACIs, refer to the Directory Server Administration Guide.

Testing has demonstrated that Directory Server can support more than 50,000 ACIs. The impact on performance for various deployment scenarios is currently under analysis. Keep the number of ACIs as small as possible to limit negative impact on performance, and to reduce the complexity of managing access controls. For deployments involving complex ACI environments, consider using Sun Java System Directory Proxy Server to provide some access control features.

Configuring Server Plug-Ins

Directory Server implements many key features such as access control, replication, syntax checking, and attribute uniqueness using plug-ins. In the context of a particular deployment, you may find it useful to reconfigure some plug-ins. The recommendations in Table 6-3 address settings for some standard plug-ins.

Table 6-3  Tuning Recommendations for Some Standard Plug-Ins 

Name and DN

Short Description and Tuning Recommendations

7-Bit Check Plug-In

dn: cn=7-bit check,cn=plugins,cn=config

Allows Directory Server to check that attribute values are 7-bit clean, that is, that the attribute values provided contain only characters that fit in a 7-bit encoding.

You may choose to disable this plug-in (enabled by default) if the infrastructure is designed to support wider encodings, such as Japanese characters.

 

Legacy Replication Plug-In

dn: cn=Legacy Replication Plugin,cn=plugins,cn=config

Allows Directory Server to function as a consumer of a 4.x supplier.

Unless you intend to use Directory Server as a consumer of a 4.x supplier, during an upgrade for example, turn this plug-in off. It is on by default in case 4.x replication capabilities are required.

Referential Integrity Plug-In

dn: cn=referential integrity postoperation,cn=plugins,cn=config

Allows Directory Server to ensure relationships between related entries are maintained. For example, when a user entry is removed from the directory or renamed, the groups to which the user belonged are updated as needed without manual intervention.

Enable and configure this plug-in on all masters. Set nsslapd-pluginarg0 to a positive value, such as 10 (seconds), so that the work performed by this plug-in happens asynchronously rather than synchronously.

When enabling the plug-in, also create equality indexes for all attributes configured for use with the plug-in. The plug-in uses such indexes when searching for entries to update. Without equality indexes for the attributes it uses, the plug-in must perform costly unindexed searches that have a negative impact on performance.

Refer to the Directory Server Administration Guide for instructions on configuring and enabling the plug-in.

Refer to the Directory Server Administration Reference for details concerning individual configuration attributes.
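For the Referential Integrity entry in Table 6-3, the enable step and the equality indexes it calls for can be expressed as one LDIF change. The following script is an added example and not the guide's own: it builds that LDIF for a given update interval, database and attribute list. The plug-in DN and nsslapd-pluginarg0 come from the table; nsslapd-pluginEnabled, the nsIndex index entry layout under cn=index, and the database name userRoot are assumptions drawn from the ldbm database configuration layout of this server family, so confirm them against the Administration Reference for your version.

```shell
#!/bin/sh
# Added example, not from the tuning guide: LDIF that enables the Referential
# Integrity plug-in on a master with an asynchronous update interval and adds
# the equality indexes the guide asks for on the attributes the plug-in
# maintains. The plug-in DN and nsslapd-pluginarg0 are from Table 6-3; the
# nsslapd-pluginEnabled attribute, the nsIndex entry layout and the database
# name "userRoot" are assumptions to check against the Administration Reference.

# refint_ldif INTERVAL_S DATABASE ATTR...
#   INTERVAL_S  seconds between plug-in passes; must be positive so that the
#               updates happen asynchronously (0 would make them synchronous)
#   DATABASE    ldbm database (backend) that holds the entries to be updated
#   ATTR...     attributes already configured for the plug-in (e.g. member)
refint_ldif() {
  interval=$1; db=$2; shift 2
  if [ "$interval" -le 0 ]; then
    echo "error: update interval must be positive for asynchronous operation" >&2
    return 1
  fi
  if [ $# -eq 0 ]; then
    echo "error: name at least one attribute to index" >&2
    return 1
  fi
  cat <<EOF
dn: cn=referential integrity postoperation,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: $interval
EOF
  # One equality index entry per attribute; without these the plug-in falls
  # back to unindexed searches when it looks for entries to update.
  for attr in "$@"; do
    cat <<EOF

dn: cn=$attr,cn=index,cn=$db,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
cn: $attr
nsSystemIndex: false
nsIndexType: eq
EOF
  done
}

# Usage: 10-second interval, database userRoot (assumed name), indexes on the
# two group membership attributes. Pipe the output to ldapmodify bound as the
# Directory Manager.
refint_ldif 10 userRoot member uniqueMember
```

Adding an index entry only declares the index; existing entries are not indexed until the index is regenerated as described in the Administration Guide, and the plug-in change may need a server restart on this version before it takes effect, so verify with a search that the attributes show up as indexed before relying on the asynchronous updates.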





Copyright 2004 Sun Microsystems, Inc. All rights reserved.