This chapter describes the Directory Server features that help you tune your deployment for best performance. The Directory Server itself also includes improvements to the performance of almost all operations.
This chapter covers the following topics:
For fast response time to client requests, Directory Server caches directory information in memory. For top performance, you can tune your suffix entry cache settings to optimize performance. Directory Server provides easier control of cache sizing, and once tuned, the server adheres strictly to the cache setting.
You tune your cache size using the dsconf command. See the dsconf(1M) man page for more details.
This section describes the main features of the Directory Server cache:
Directory Server allows you to strictly control the use of memory for cache purposes so that less memory is used. You specify a low and high threshold for dynamic memory use. When this threshold is reached, Directory Server attempts to free memory from the suffix entry caches and to keep memory use under control. If the server reaches the high threshold, the server goes into aggressive mode to free memory. Performance is only effected when the high threshold is reached.
This feature provides two configurable thresholds: a soft threshold and a hard threshold. When the soft threshold is reached, Directory Server attempts to free memory concurrently with other operations. When the hard threshold is reached, operations on the cache are prevented while memory is being freed. These two thresholds are defined by two server properties:
heap-high-threshold-size specifies the hard threshold.
heap-low-threshold-size specifies the soft threshold.
See the server(5dsconf) man page for details on the two server properties.
The size of the cache determines how the memory is allocated. For example, if the cache is less than two Gbytes, the server uses one memory pool. If the cache size is larger than two Gbytes, the server optimizes cache memory allocation by using as many pools as necessary, with each pool dedicated to a particular size.
See the server(5dsconf) man page for details about the cache size properties that you can set.
This version of Directory Server brings improvements to time-based log rotation, rotate on-demand functionality for access, error, and audit logs, and configurable permissions for log files. It also provides more flexible logging of users involved in proxy authorization.
The following sections describe changes that have been made in the logging functionality of Directory Server.
Directory Server supports rotating and deleting logs not only after a specified interval, but also at a specified time. This feature lets you more easily perform operations such as log analysis and trending, as each rotated log file covers the same length of time. This feature can also be used to meet auditing and security requirements because it makes it easier to determine the specific period of time covered by a given log file.
You can specify whether to rotate the log according to a time interval or according to the size of the log file. The following figure illustrates using the DSCC to configure log rotation to occur once a week at midnight, as well as to rotate the log files when the size limit exceeds 100 Mbytes:
See the log(5dsconf) man page for details on the rotation-time log property.
For example, from the command line, you can display the current configuration for the access log as follows:
$ dsconf get-log-prop -p 20390 enabled : on level : default max-age : 1M max-disk-space-size : 500M max-file-count : 10 max-size : 100M min-free-disk-space-size : 5M path : /install-path/sA1/logs/access perm : 600 rotation-interval : 1d rotation-min-file-size : unlimited rotation-time : undefined verbose-enabled : N/A
You can change the rotation interval for the access log through the command line as follows:
$ dsconf set-log-prop -p 20390 rotation-interval:2d
You can manually rotate Directory Server access, error, and audit logs. This feature is useful when you want the server to stop writing to the current log file while you examine the file. You might also choose to use this feature with system scheduler utilities in addition to time-based log rotation.
You can rotate the access log by using the DSCC. The following figure illustrates the logging configuration screen and the Rotate Log File Now button. Clicking this button allows you to close the current log file and start a new one.
To rotate the access log from the command line, type the following:
$ dsconf rotate-log-now -p 20390
See the dsconf(1M) man page for details on the rotate-log-now subcommand.
Directory Server provides the ability to configure the permissions with which the log file is created, allowing you to change permissions to logs from the default value. This feature lets you tightly control what the user who starts the server can do. At the same time, you can permit specific applications and other users to access key, time-dependent information contained in the logs.
Directory Server enables you to specify the permissions with which a log file will be created.
Log file creation permissions can be set using the dsconf command or using the DSCC as illustrated in the following figure.
See the log(5dsconf) man page for details on the perm log property.
You can now monitor the number of persistent searches that are running on the server, and set a maximum number of persistent searches. To monitor the number of persistent searches, view the value for the currentpsearches attribute, which is stored under cn=monitor. To set a maximum number of persistent searches, use the command dsconf set-server-prop max-psearch-count:number. This feature is useful for troubleshooting and preventing performance issues related to persistent searches.
To read more about the features presented in this chapter, refer to the following documentation.
Defining your Directory Server performance requirements
Introduction to caches and how Directory Server uses them
Tuning cache settings for better performance
Introduction to Directory Server logging
Managing Directory Server logs