Red Hat Directory Server-8.2-Performance Tuning Guide-En-US

Dude McDude

Red Hat Directory Server 8.2Performance Tuning Guide

Optimizing performance on Red Hat Directory Server 8.2Edition 8.2.1

Red Hat Directory Server 8.2 Performance Tuning Guide

Optimizing performance on Red Hat Directory Server 8.2Edition 8.2.1

Dude McDudeMy Org Best Div in the [email protected]

Legal Notice

Copyright © 2010 Red Hat, Inc..

This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 UnportedLicense. If you distribute this document, or a modified version of it, you must provide attribution to RedHat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must beremoved.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo,and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.

Java ® is a registered trademark of Oracle and/or its affiliates.

XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United Statesand/or other countries.

MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and othercountries.

Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to orendorsed by the official Joyent Node.js open source or commercial project.

The OpenStack ® Word Mark and OpenStack Logo are either registered trademarks/service marks ortrademarks/service marks of the OpenStack Foundation, in the United States and other countries andare used with the OpenStack Foundation's permission. We are not affiliated with, endorsed orsponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract

This article provides some procedures and options that administrators can use to optimize theperformance of their Red Hat Directory Server deployments. Performance tuning a Directory Serverinstance is unique to each server because of differences for every server in its machine environment,directory size and data type, load and network use, even the types of operations that users and clientsperform. The purpose of this article is to highlight the features that Red Hat Directory Server provides fortracking and assessing server and database performance. There are also some procedures given tohelp tune server performance. For more in-depth planning information, however, check out the Red HatDirectory Server Deployment Guide, and for exhaustive command-line and UI-based administrativeinstructions, see the Red Hat Directory Server Administrator's Guide.

http://creativecommons.org/licenses/by-sa/3.0/

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Table of Contents

1. Intro to Directory Server Performance Tuning1.1. Setting Goals for Directory Server Performance1.2. Giving Feedback

2. Tracking Server and Database Performance2.1. Monitoring Server Activity

2.1.1. Monitoring the Server from the Directory Server Console2.1.2. Monitoring the Directory Server from the Command Line

2.2. Monitoring Database Activity2.3. Monitoring Database Link Activity2.4. Viewing Log Files2.5. Replacing Log Files with a Named Pipe2.6. Improving Logging Performance

3. Optimizing System Performance3.1. Tuning and Sizing System Memory

3.1.1. Setting the Minimum System Page Cache3.1.2. Managing the Swap Space3.1.3. Tuning for 32-Bit Systems

3.2. Using dsktune for Preliminary Tuning3.3. Tuning File Descriptors

3.3.1. Resetting the Host Machine's File Descriptors3.3.2. Setting Directory Server File Descriptor Values

3.4. Setting Shell Limits for the Directory Server User3.4.1. Setting Shell Limits for File Descriptors3.4.2. Setting Shell Limits for the Max Number of Processes

3.5. Tuning TCP Ports3.6. Changing Firewall Settings for the Directory Server Console3.7. DNS Requirements

4 . Improving Search Performance (and Balancing Read Performance)4.1. Using Indexes4.2. Tuning Directory Server Resource Settings4.3. Setting Index Scan Limits4.4. Tuning the Database Cache for Searches4.5. Tuning the Database Settings for Searches4.6. Managing Special Entries

5. Tuning Transaction Logging5.1. Changing the Location of the Database Transaction Log5.2. Changing the Database Checkpoint Interval5.3. Disabling Durable Transactions5.4. Specifying Transaction Batching

6. Managing the Database Cache Settings6.1. Tuning Entry Cache6.2. Tuning Database Cache

7. Tuning Database Link Performance7.1. Managing Connections to the Remote Server

7.1.1. Managing Connections to the Remote Server Using the Console7.1.2. Managing Connections to the Remote Server from the Command Line

7.2. Detecting Errors During Normal Processing

334

4559

1116171819

202121212122222323242425252526

26262829293031

3132323333

343435

3636363839

Table of Contents

1

7.3. Managing Threaded Operations 40


2

1. Intro to Directory Server Performance TuningThis article provides some procedures and options that administrators can use to optimize theperformance of their Red Hat Directory Server deployments. Performance tuning a Directory Serverinstance is unique to each server because of differences for every server in its machine environment,directory size and data type, load and network use, even the types of operations that users and clientsperform.

The purpose of this article is to highlight the features that Red Hat Directory Server provides for trackingand assessing server and database performance. There are also some procedures given to help tuneserver performance. For more in-depth planning information, however, check out the Red Hat DirectoryServer Deployment Guide, and for exhaustive command-line and UI-based administrative instructions,see the Red Hat Directory Server Administrator's Guide.

The performance tuning features here apply to Red Hat Directory Server 8.2.

1.1. Setting Goals for Directory Server PerformancePerformance tuning is simply a way to identify potential (or real) bottlenecks in the normal operatingenvironment of the server and then taking steps to mitigate those bottlenecks.

The general plan for performance tuning is:

1. Assess the environment. Look at everything around the Directory Server: its usage, the load, thenetwork connection and reliability, most common operations, the physical machine its on, alongwith any services competing for its resources.

2. Measure the current Directory Server performance and establish baselines.

3. Identify the server areas which can be improved.

4. Make any changes to the Directory Server settings and, potentially, to the host machine.

5. Measure the Directory Server performance again to see how the changes affected theperformance.

Directory Server provides some sort of monitoring in three areas:

The server process (counters and logs)

The databases (counters)

Any database links (counters)

In the Directory Server, most performance measurements are going to be how well the Directory Serverretrieves and delivers information to clients. With that in mind, these are the server areas that can betuned for the best Directory Server performance (and these are the areas covered in this article):

Search operations

Indexing performance (which affects both search and write operations)

Database transactions

Database and entry cache settings

Database links

Other changes can be made to the host machine's settings or hardware which can also affect DirectoryServer performance:

1. Intro to Directory Server Performance Tuning

3

Available memory (based on directory size)

Other servers running on the same machine (which could compete for resources)

Distributing user databases across other Directory Server instances on other machines

Balancing server loads due to network performance

This changes relate much more to planning an effective Directory Server deployment than changes thatcan be made to an instance. Reviewing the Deployment Guide can provide more detail about how to planan optimal enterprise deployment.

1.2. Giving FeedbackIf there is any error in this Performance and Tuning Guide or there is any way to improve thedocumentation, please let us know. Bugs can be filed against the documentation for Red Hat DirectoryServer through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible,so we can be more effective in correcting any issues:

1. Select the Red Hat Directory Server product.

2. Set the component to Doc - performance-and-tuning.

3. Set the version number to 8.2.

4. For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinctdescription of the problem, such as incorrect procedure or typo.

For enhancements, put in what information needs to be added and why.

5. Give a clear title for the bug. For example, "Incorrect command example for setup script options" is better than "Bad example".

We appreciate receiving any feedback — requests for new sections, corrections, improvements,enhancements, even new ways of delivering the documentation or new styles of docs. You are welcometo contact Red Hat Content Services directly at [email protected].

2. Tracking Server and Database PerformanceRed Hat Directory Server has two methods of recording and tracking performance data: performancecounters and logs. Counters are used to determine how well the Directory Server performing, particularlyin database performance; logs are used to diagnose any problem areas with server and LDAPoperations and configuration.

Performance counters focus on the operations and information of the Directory Server for the server, allconfigured databases, and database links (chaining databases).

There are three types of logs: access (for client connections), errors (for errors, warnings, and details ofevents), and audit (changes to Directory Server configuration). The access and error logs run by default(and the errors log is required for the server to run). Audit logging, because of the overhead, must beenabled manually.

NOTE

The access log is buffered. This allows full access logging even with highly loaded servers, butthere is a time lag between when the event occurs in the server and when the event is written tothe log.


4

http://bugzilla.redhat.com/bugzilla

mailto:[email protected]

2.1. Monitoring Server ActivityThe Directory Server's current activities can be monitored from either the Directory Server Console orthe command line. It is also possible to monitor the activity of the caches for all of the database.

NOTE

Some of the counters for Directory Server database attributes monitored by server use 64-bitintegers, even on 32-bit systems (total connections, operations initiated, operations completed,entries sent, and bytes sent). On high-volume systems, this keeps the counters from rolling tooquickly and skewing monitoring data.

2.1.1. Monitoring the Server from the Directory Server Console

1. In the Directory Server Console, select the Status tab.

2. In the navigation tree, select Performance Counters.

The Status tab in the right pane displays current information about server activity. If the server iscurrently not running, this tab will not provide performance monitoring information.

The General Information table shows basic information about the server, which helps set abaseline about the statistics that have been gathered.

Table 1. General Information (Server)

Field Description

Server Version Identifies the current server version.

Startup T ime on Server The date and time the server was started.

Current T ime on Server The current date and time on the server.

The Resource Summary table shows the totals of all operations performed by that instance.

2. Tracking Server and Database Performance

5

Table 2. Resource Summary

Resource Usage Since Startup Average Per Minute

Connections The total number of connectionsto this server since serverstartup.

Average number of connectionsper minute since server startup.

Operations Initiated The total number of operationsinitiated since server startup.Operations include any clientrequests for server action,suchas searches, adds, andmodifies. Often, multipleoperations are initiated for eachconnection.

Average number of operationsper minute since server startup.

Operations Completed The total number of operationscompleted by the server sinceserver startup.

Average number of operationsper minute since server startup.

Entries Sent to Clients The total number of entries sentto clients since server startup.Entries are sent to clients as theresult of search requests.

Average number of entries sentto clients per minute sinceserver startup.

Bytes Sent to Clients The total number of bytes sentto clients since server startup.

Average number of bytes sentto clients per minute sinceserver startup.

The Current Resource Usage table shows the current demands on the server.


6

Table 3. Current Resource Usage

Resource Current Total

Active Threads The current number of active threads used forhandling requests. Additional threads may becreated by internal server tasks, such asreplication or chaining.

Open Connections The total number of open connections. Eachconnection can account for multiple operations,and therefore multiple threads.

Remaining Available Connections The total number of remaining connections thatthe server can concurrently open. This number isbased on the number of currently openconnections and the total number of concurrentconnections that the server is allowed to open. Inmost cases, the latter value is determined by theoperating system and is expressed as thenumber of file descriptors available to a task.

Threads Waiting to Write to Client The total number of threads waiting to write to theclient. Threads may not be immediately writtenwhen the server must pause while sending datato a client. Reasons for a pause include a slownetwork, a slow client, or an extremely largeamount of information being sent to the client.

Threads Waiting to Read from Client The total number of threads waiting to read fromthe client. Threads may not be immediately read ifthe server starts to receive a request from theclient, and then the transmission of that requestis halted for some reason. Generally, threadswaiting to read are an indication of a slow networkor client.

Databases in Use The total number of databases being serviced bythe server.

The Connection Status table simply lists the current active connections, with related connectioninformation.


7

Table 4 . Connection Status

Table Header Description

Time Opened The time on the server when the connection wasinitially opened.

Started The number of operations initiated by thisconnection.

Completed The number of operations completed by theserver for this connection.

Bound as The distinguished name used by the client to bindto the server. If the client has not authenticated tothe server, the server displays not bound inthis field.

Read/Write Indicates whether the server is currently blockedfor read or write access to the client. There aretwo possible values:

Not blocked means that the server is idle,activelysending data to the client, or actively reading datafrom the client.

Blocked means that the server is trying to senddata to the client or read data from the client butcannot. The probable cause is a slow network orclient.

The Global Database Cache table lists the cache information for all databases within the DirectoryServer instance.

NOTE

Although the performance counter for the global database cache is listed with the other serverperformance counters in the Directory Server Console, the actual database cache entries arelocated and monitored in cn=monitor,cn=database_instance, cn=ldbm database, cn=plugins, cn=config, as are the other database activities.


8

Table 5. Global Database Cache Information

Table Header Description

Hits The number of times the server could process arequest by obtaining data from the cache ratherthan by going to the disk.

Tries The total number of database accesses sinceserver startup.

Hit Ratio The ratio of cache tries to successful cache hits.The closer this number is to 100%, the better.

Pages Read In The number of pages read from disk into thecache.

Pages Written Out The number of pages written from the cache backto disk.

Read-Only Page Evicts The number of read-only pages discarded fromthe cache to make room for new pages. Pagesdiscarded from the cache have to be written todisk, possibly affecting server performance. Thelower the number of page evicts the better.

Read-Write Page Evicts The number of read-write pages discarded fromthe cache to make room for new pages. Thisvalue differs from Pages Written Out in thatthese are discarded read-write pages that havenot been modified. Pages discarded from thecache have to be written to disk, possiblyaffecting server performance. The lower thenumber of page evicts, the better.

2.1.2. Monitoring the Directory Server from the Command Line

The Directory Server's current activities can be monitored using LDAP tools such as ldapsearch ,with the following characteristics:

Search with the attribute filter objectClass=* .

Use the search base cn=monitor; the monitoring attributes for the server are found in the cn=monitor entry.

Use the search scope base.

For example:

/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.com -s base -b "cn=monitor" "(objectclass=*)"

The monitoring attributes for the Directory Server are found in the cn=monitor entry.

Monitoring the server's activities using ldapsearch shows the following information:

[1]


9

Table 6. Server Monitoring Attributes

Attribute Description

version Identifies the directory's current version number.

threads The current number of active threads used forhandling requests. Additional threads may becreated by internal server tasks, such asreplication or chaining.

connection:fd:opentime:opsinitiated:opscompleted:binddn:[rw]

Provides the following summary information foreach open connection (only available if you bindto the directory as Directory Manager):

fd — The file descriptor used for this connection.

opentime — The time this connection wasopened.

opsinitiated — The number of operations initiatedby this connection.

opscompleted — The number of operationscompleted.

binddn — The distinguished name used by thisconnection to connect to the directory.

rw — The field shown if the connection is blockedfor read or write.

By default, this information is available toDirectory Manager. However, the ACI associatedwith this information can be edited to allow othersto access the information.

currentconnections Identifies the number of connections currently inservice by the directory.

totalconnections Identifies the number of connections handled bythe directory since it started.

dtablesize Shows the number of file descriptors available tothe directory. Each connection requires one filedescriptor: one for every open index, one for logfile management, and one for ns-slapd itself.Essentially, this value shows how many additionalconcurrent connections can be serviced by thedirectory. For more information on file descriptors,refer to the operating system documentation.

readwaiters Identifies the number of threads waiting to readdata from a client.

opsinitiated Identifies the number of operations the serverhas initiated since it started.

opscompleted Identifies the number of operations the serverhas completed since it started.

entriessent Identifies the number of entries sent to clients


10

entriessent Identifies the number of entries sent to clientssince the server started.

bytessent Identifies the number of bytes sent to clientssince the server started.

currenttime Identifies the time when this snapshot of theserver was taken. The time is displayed inGreenwich Mean Time (GMT) in UTC format.

starttime Identifies the time when the server started. Thetime is displayed in Greenwich Mean Time (GMT)in UTC format.

nbackends Identifies the number of back ends (databases)the server services.

backendmonitordn Identifies the DN of each directory database.

2.2. Monitoring Database Activity

NOTE

Some of the counters for Directory Server database attributes monitored by server use 64-bitintegers, even on 32-bit systems (entry cache hits, entry cache tries, the current cache size, andthe maximum cache size). On high-volume systems, this keeps the counters from rolling tooquickly and skewing monitoring data.


2. In the navigation tree, expand the Performance Counters folder, and select the database tomonitor.

The tab displays current information about database activity. If the server is currently not running,this tab will not provide performance monitoring information.


11

The Summary Information section shows the cumulative information for all of the databases beingmonitored and some cache-related configuration settings which are applied to all databases.


12

Table 7. Summary Information

Performance Metric Current Total

Read-Only Status Shows whether the database is currently in read-only mode. The database is in read-only modewhen the nsslapd-readonly attribute is set to on.

Entry Cache Hits The total number of successful entry cachelookups. That is, the total number of times theserver could process a search request byobtaining data from the cache rather than bygoing to disk.

Entry Cache Tries The total number of entry cache lookups sincethe directory was last started. That is, the totalnumber of entries requested since server startup.

Entry Cache Hit Ratio Ratio that indicates the number of entry cachetries to successful entry cache lookups. Thisnumber is based on the total lookups and hitssince the directory was last started. The closerthis value is to 100%, the better. Whenever anoperation attempts to find an entry that is notpresent in the entry cache, the directory has toperform a disk access to obtain the entry. Thus,as this ratio drops towards zero, the number ofdisk accesses increases, and directory searchperformance drops.

To improve this ratio, increase the size of theentry cache by increasing the value of the nsslapd-cachememsize attribute in the cn=database_name, cn=ldbm database,cn=plugins,cn=config entry forthe database. In the Directory Server Console,this is set in the Memory available forcache field in the database settings.

Current Entry Cache Size (in Bytes) The total size of directory entries currentlypresent in the entry cache.

Maximum Entry Cache Size (in Bytes) The size of the entry cache maintained by thedirectory.

This value is managed by the nsslapd-cachememsize attribute in the cn=database_name, cn=ldbm database,cn=plugins,cn=config entry forthe database. This is set in the Memoryavailable for cache field in the databasesettings in the Directory Server Console.

Current Entry Cache Size (in Entries) The number of directory entries currently presentin the entry cache.

Maximum Entry Cache Size (in Entries) DEPRECATED.


13

The maximum number of directory entries thatcan be maintained in the entry cache.

Do not attempt to manage the cache size bysetting a maximum number of allowed entries.This can make it difficult for the host to allocateRAM effectively. Manage the cache size bysetting the amount of RAM available to the cache,using the nsslapd-cachememsize attribute.

There are many different databases listed for the database monitoring page, by default, becausedatabases are maintained for both entries and indexed attributes. All databases, though, have the samekind of cache information monitored in the counters.


14

Table 8. Database Cache Information


Hits The number of times the database cachesuccessfully supplied a requested page.

Tries The number of times the database cache wasasked for a page.

Hit Ratio The ratio of database cache hits to databasecache tries. The closer this value is to 100%, thebetter. Whenever a directory operation attemptsto find a portion of the database that is notpresent in the database cache, the directory hasto perform a disk access to obtain the appropriatedatabase page. Thus, as this ratio drops towardszero, the number of disk accesses increases,and directory performance drops.

To improve this ratio, increase the amount of datathat the directory maintains in the database cacheby increasing the value of the nsslapd-dbcachesize attribute. This is the MaximumCache Size database setting in the DirectoryServer Console.

Pages Read In The number of pages read from disk into thedatabase cache.

Pages Written Out The number of pages written from the cache backto disk. A database page is written to diskwhenever a read-write page has been modifiedand then subsequently deleted from the cache.Pages are deleted from the database cache whenthe cache is full and a directory operationrequires a database page that is not currentlystored in cache.

Read-Only Page Evicts The number of read-only pages discarded fromthe cache to make room for new pages.

Read-Write Page Evicts The number of read-write pages discarded fromthe cache to make room for new pages. Thisvalue differs from Pages Written Out in thatthese are discarded read-write pages that havenot been modified.


15

Table 9. Database File-Specific


Cache Hits The number of times that a search result resultedin a cache hit on this specific file. That is, a clientperforms a search that requires data from thisfile, and the directory obtains the required datafrom the cache.

Cache Misses The number of times that a search result failed tohit the cache on this specific file. That is, a searchthat required data from this file was performed,and the required data could not be found in thecache.

Pages Read In The number of pages brought to the cache fromthis file.

Pages Written Out The number of pages for this file written fromcache to disk.

2.3. Monitoring Database Link ActivityThe activity for database links (chained databases) can also be viewed, but only through the commandline using ldapsearch to return the monitoring attributes that are required. The monitoring attributesare stored in the cn=monitor,cn=database_link_name,cn=chaining database,cn=plugins,cn=config.

For example:

/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.com -s sub -b "cn=monitor,cn=DBLink1,cn=chaining database,cn=plugins,cn=config" "(objectclass=*)" nsAddCount


16

Table 10. Database Link Monitoring Attributes

Attribute Name Description

nsAddCount The number of add operations received.

nsDeleteCount The number of delete operations received.

nsModifyCount The number of modify operations received.

nsRenameCount The number of rename operations received.

nsSearchBaseCount The number of base-level searches received.

nsSearchOneLevelCount The number of one-level searches received.

nsSearchSubtreeCount The number of subtree searches received.

nsAbandonCount The number of abandon operations received.

nsBindCount The number of bind request received.

nsUnbindCount The number of unbinds received.

nsCompareCount The number of compare operations received.

nsOperationConnectionCount The number of open connections for normaloperations.

nsBindConnectionCount The number of open connections for bindoperations.

For more information about ldapsearch, see the Directory Server Configuration, Command, and FileReference.

2.4. Viewing Log Files

NOTE

The access and error logs are enabled by default and can be viewed immediately. before theaudit log can be viewed, audit logging must be enabled for the directory, or the audit log will not bekept.


2. In the navigation tree, expand the Log folder. There are three folders available, for the access,error, and audit logs.

3. When you select the log type to view, a table displays a list of the last 25 entries in the selectedlog.

4. Optionally, change the settings of the log display and click Refresh to update the display.


17

The Select Log pull-down menu allows you to select an archived (rotated) log rather thanthe currently active log.

The Lines to show text box changes the number of log entries to display in the window.

The Show only lines containing text box sets a filter, including regular expressions, touse to display only certain matching log entries.

NOTE

Selecting the Continuous checkbox refreshes the log display automatically every ten seconds.=Continuous log refresh does not work well with log files over 10 megabytes.

2.5. Replacing Log Files with a Named PipeMany administrators want to do some special configuration or operation with logging data, likeconfiguring an access log to record only certain events. This is not possible using the standardDirectory Server log file configuration attributes, but it is possible by sending the log data to a namedpipe, and then using another script or plug-in to process the data. Using a named pipe for the logsimplifies these special tasks, like:

Logging certain events, like failed bind attempts or connections from specific users or IP addresses

Logging entries which match a specific regular expression pattern

Keeping the log to a certain length (logging only the last number of lines)

Sending a notification, such as an email, when an event occurs

The basic format of the script is is:

ds-logpipe.py named_pipe [ --user pipe_user ] [ --maxlines number ] [[ --serverpidfile file.pid ] |[ --serverpid PID ]] [ --servertimeout seconds ] [ --plugin=/path/to/plugin.py | [pluginfile.arg=value ]]

More detailed usage information is in the Configuration, Command, and File Reference.

However, while that has the advantage of being simple to implement and not requiring any DirectoryServer configuration changes, simply running the script has a big disadvantage: all of the log viewers in


18

the Directory Server Console and any script or tool (such as logconv.pl) that expect to access a realfile will fail.

If the Directory Server instance will permanently use the named pipe rather than a real file for logging,then it is possible to reconfigure the instance to create the named pipe and use it for logging (as it doesby default for the log files). When the Directory Server instance is configured to use the named pipe thenall of the log analysis tools — the Directory Server Console and any Directory Server scripts — workfine.

Three things need to be configured for the log configuration for the instance:

The log file to use has to be changed to the pipe (nsslapd-*log)

Buffering should be disabled because the script already buffers the log entries (nsslapd-*log-logbuffering)

Log rotation should be disabled so that the server does not attempt to rotate the named pipe(nsslapd-*log-maxlogsperdir, nsslapd-*log-logexpirationtime, and nsslapd-*log-logrotationtime)

These configuration changes can be made in the Directory Server Console or using ldapmodify.

For example, this switches the access log to access.pipe:

/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=configchangetype: modifyreplace: nsslapd-accesslognsslapd-accesslog: /var/log/dirsrv/slapd-instance_name/access.pipe-replace: nsslapd-accesslog-logbufferingnsslapd-accesslog-logbuffering: off-replace: nsslapd-accesslog-maxlogsperdirnsslapd-accesslog-maxlogsperdir: 1- replace: nsslapd-accesslog-logexpirationtimensslapd-accesslog-logexpirationtime: -1- replace: nsslapd-accesslog-logrotationtimensslapd-accesslog-logexpirationtime: -1

TIP

Making these changes using the -f option will cause the server to close the current log file andswitch to the named pipe immediately. This can be very helpful for debugging a running serverand sifting the log ouput for specific messages.

2.6. Improving Logging PerformanceLarger server deployments can generate several dozen of megabytes of logs per hour. Depending onthe resources available on the server host machine, reconfiguring or disabling access logging canimprove system and Directory Server performance.


19

Before disabling access logging, first configure access log buffering. Buffering writes all log entriesdirectly to the disk, so that the Directory Server performance does not degrade even under a heavy load.

The access log is buffered by default, but make sure the log is using buffering for best performance.

/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389

dn: cn=configchangetype: modifyreplace: nsslapd-accesslog-logbufferingnsslapd-accesslog-logbuffering: on

If that doesn't improve performance, then disable access logging entirely.


dn: cn=configchangetype: modifyreplace: nsslapd-accesslog-enablednsslapd-accesslog-enabled: off

WARNING

Access logging is extremely helpful for debugging issues in the server and monitoring clientconnections and failed connection attempts. Don't disable access logging as the normal operatingenvironment.For alternatives, see Section 2.5, “Replacing Log Files with a Named Pipe”, since using namedpipe log scripts can improve performance while still logging information on high performanceproduction servers.

3. Optimizing System PerformanceThere are a limited number of areas where settings on the machine on which the Directory Serverinstance is running can be changed to improve Directory Server performance. Basically, the machine canbe configured to grant the Directory Server more system resources (TCP ports and file descriptors)which helps it handle higher loads with better performance. The host machine can also be configured toallow better client access to the server (firewalls and DNS), which doesn't have a direct impact onDirectory Server performance, but does affect using the server.

TIP

The Red Hat Enterprise Linux documentation includes a whitepaper on tuning the Red HatEnterprise Linux system settings to improve Oracle database performance and is available athttp://www.redhat.com/docs/manuals/enterprise/RHELTuningandOptimizationforOracleV11.pdf.Similar adjustments can be made to any Red Hat Enterprise Linux system hosting a Red HatDirectory Server instance, and that performance tuning whitepaper is a good resource to helpwith Directory Server system tuning.


20

http://www.redhat.com/docs/manuals/enterprise/RHELTuningandOptimizationforOracleV11.pdf

3.1. Tuning and Sizing System MemoryThere are several different areas of the Red Hat Enterprise Linux machine that can be modified toimprove the performance of the Directory Server itself.

NOTE

The cache settings here relate to the cache allowed to the Directory Server process, not to anycache settings in the Directory Server databases.

3.1.1. Sett ing the Minimum System Page CacheAlthough Red Hat Enterprise Linux sets the page cache size dynamically, it is possible to require aminimum number of free pages by setting the vm.min_free_kbytes parameter in the systemconfiguration. For example:

# echo vm.min_free_kbytes=1024 >> /etc/sysctl.conf

3.1.2. Managing the Swap SpaceLong-running processes (and Directory Server is normally a long-running process) don't use all of thepages that they obtain. Creating a swap space to partition the processes can improve the system'sperformance because the system memory is used for disk cache rather than page cache.

The /proc/sys/vm/swappiness kernel parameter sets a threshold for when processes should beswapped out in favor of I/O caching. The value of this is a percentage; the higher the percentage, thehigher the I/O cache and the faster that pages are swapped. The default value is 60. This can bechanged by editing the system configuration as root:

# echo vm.swappiness=10 >> /etc/sysctl.conf

Constant swapping must be avoided. If swap usage is high or increasing, then increase the RAM(ideally) or the swap size.

3.1.3. Tuning for 32-Bit SystemsIdeally, Red Hat Directory Server will be run on 64-bit systems which naturally have the address spaceto handle very large databases and operations. Still, 32-bit systems can be optimized to the bestpossible performance.

First, use the hugemem kernel for databases that are 8GB or larger. This is the default kernel, anyway,in Red Hat Enterprise Linux 5.

Next, configure huge pages on the system by setting how many large memory pages should beallocated and kept in RAM for shared memory:

1. Check the amount of memory available for huge pages.

grep Hugepagesize /proc/meminfoHugepagesize: 4096 kB

This means that each huge page is 4GB.

2. Set the number of huge pages that can be used through the nr_hugepages kernel parameter.

3. Optimizing System Performance

21

# echo "vm.nr_hugepages=512" >> /etc/sysctl.conf

3. Check the new huge page settings.

The defined value for huge pages is viewable in Hugepagesize, while the total number of hugepages (set in nr_hugepages) is shown in HugePages_Total, both in the /proc/meminfo:

HugePages_Total: 512HugePages_Free: 512HugePages_Rsvd: 0Hugepagesize: 4096 kB

4. For the Directory Server databases to be able to use huge pages, add or set the memlockparameter for the Directory Server user (nobody by default) to a high enough seting to allow themto lock that much memory.

vim /etc/security/limits.conf

nobody soft memlock 1048576nobody hard memlock 1048576

3.2. Using dsktune for Preliminary TuningWhen a Directory Server instance is first set up, the setup command automatically runs a tool called dsktune which checks the current machine settings and compares them to the requirements forDirectory Server.

This tool can be run again at any point to check whether any system settings should be adjusted.

[jsmith@example ~]$ dsktuneRed Hat Directory Server system tuning analysis version 10-AUGUST-2007.

NOTICE : System is i686-unknown-linux2.6.18-164.2.1.el5 (2 processors).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds(120 minutes). This may cause temporary server congestion from lostclient connections.

WARNING: There are only 1024 file descriptors (hard limit) available, whichlimit the number of simultaneous connections.

WARNING: There are only 1024 file descriptors (soft limit) available, whichlimit the number of simultaneous connections.

3.3. Tuning File DescriptorsThe Directory Server is multi-threaded and efficiently handles many simultaneous requests and largenumbers of connections.

Most of the time, the only limit on Directory Server threads is whatever limit the operating systemimposes on the number of file descriptors available in the whole system and per process. The DirectoryServer uses file descriptors in a range of directory operations — logging, chaining, replication, clientconnections, and indexes. Adjusting the number of file descriptors for the Directory Server, then, canimprove how well it handles large loads for a variety of operations.


22

3.3.1. Resetting the Host Machine's File Descriptors

1. First, check the current system limit for file descriptors:

cat /proc/sys/fs/file-max

2. If the setting is lower than 64000, edit the /etc/sysctl.conf file, and reset the fs.file-maxparameter:

fs.file-max = 64000

3. Then increase the maximum number of open files on the system by editing the /etc/security/limits.conf configuration file. Add the following entry:

* - nofile 8192

4. Edit the /etc/pam.d/system-auth, and add this entry:

session required /lib/security/$ISA/pam_limits.so

5. Reboot the machine to apply the changes.

Additionally, the Directory Server keeps some file descriptors in reserve and is used by process like fileI/O (e.g. log files) and outgoing network connections. The number of simultaneous connections theserver can handle is set by the maximum number of server descriptors minus the assigned number ofreserve descriptors. The file descriptors parameters can be reset in the Directory Server configurationto take advantage of the higher system settings.

3.3.2. Sett ing Directory Server File Descriptor ValuesFor performance, the most relevant attribute is the nsslapd-maxdescriptor attribute. This tells theDirectory Server how many file descriptors it has available. (This value cannot be larger than the systemsetting, or the server ignores it.)

Reserve file descriptors rarely need to be reset. Decreasing the number of reserve file descriptors canincrease the number of LDAP clients that can connect to the server. However, too few reserve filedescriptors can still hirt directory performance by causing server errors. There are three instances thatcan require raising the numbr of reserve file descriptors:

The server is replicating to a large number of consumer servers (more than 10), and/or the server ismaintaining a large number of index files (more than 30).

The server is servicing a large number of LDAP connections.

There are error messages reporting that the server is unable to open file descriptors (the actualerror message differs depending on the operation that the server is attempting to perform), but theseerror messages are not related to managing client LDAP connections.

To calculate the number of reserved file descriptors to set, use the following formula:

nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex +ReplicationDescriptor + ChainingBackendDescriptors + PTADescriptors + SSLDescriptors

NldbmBackends is the number of ldbm databases.


23

NglobalIndex is the total number of configured indexes for all databases including system indexes.(By default 8 system indexes and 17 additional indexes per database).

ReplicationDescriptor is eight (8) plus the number of replicas in the server that can act as a supplieror hub (NSupplierReplica).

ChainingBackendDescriptors is NchainingBackend times the nsOperationConnectionsLimit (achaining or database link configuration attribute; 10 by default).

PTADescriptors is 3 if PTA is configured and 0 if PTA is not configured.

SSLDescriptors is 5 (4 files + 1 listensocket) if SSL is configured and 0 if SSL is not configured.

To reset the file descriptors for Directory Server:

1. Edit the /etc/sysconfig/dirsrv file and add a new line setting the process ulimit.

ulimit -n 8192

2. Update the nsslapd-maxdescriptors and nsslapd-reservedescriptors values.

/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=configchangetype: modifyreplace: nsslapd-maxdescriptorsnsslapd-maxdescriptors: 8192-replace: nsslapd-reservedescriptorsnsslapd-reservedescriptors: 40-

3. Restart the Directory Server.

service dirsrv restart

3.4. Setting Shell Limits for the Directory Server UserThe Directory Server process runs as a regular user on the host system. (By default, that user is nobody.) Once system settings have been changed, then the limits for that user can be updated.

TIP

The Red Hat Enterprise Linux documentation includes a whitepaper on tuning the Red HatEnterprise Linux system settings to improve Oracle database performance and is available athttp://www.redhat.com/docs/manuals/enterprise/RHELTuningandOptimizationforOracleV11.pdf.Similar adjustments can be made to any Red Hat Enterprise Linux system hosting a Red HatDirectory Server instance, and that performance tuning whitepaper is a good resource to helpwith Directory Server system tuning.

3.4 .1. Sett ing Shell Limits for File Descriptors

1. As root, open the system's /etc/security/limits.conf file.

2. Add two lines that set the hard and soft limits for the file descriptors (nofile) for the Directory


24

http://www.redhat.com/docs/manuals/enterprise/RHELTuningandOptimizationforOracleV11.pdf

Server user. The soft limit sets how many file descriptors the user has available by default; theuser can manually adjust that setting until they hit the hard limit.

nobody soft nofile 4096nobody hard nofile 63536

IMPORTANT

Do not set the hard limit for the Directory Server user equal to (or higher than) themaximum number of file descriptors assigned to the system itself in /proc/sys/fs/file-max. If the hard limit is too high and the user users all of those filedescriptors, then the entire system runs out of file descriptors.

3.4 .2. Sett ing Shell Limits for the Max Number of Processes

1. As root, open the system's /etc/security/limits.conf file.

2. Add two lines that set the hard and soft limits for the number of processes (nproc) for theDirectory Server user. The soft limit sets how many processes the user has available by default;the user can manually adjust that setting until they hit the hard limit.

nobody soft nproc 2047nobody hard nproc 16384

IMPORTANT

Do not set the hard limit for the Directory Server user equal to (or higher than) themaximum number of file descriptors assigned to the system itself in /proc/sys/fs/file-max. If the hard limit is too high and the user users all of those filedescriptors, then the entire system runs out of file descriptors.

3.5. Tuning TCP PortsIf there is high traffic on a server — like the same machine is running both a web server and a DirectoryServer or there are a lot of clients who access the Directory Server directly — then it may be necessaryto broaden the range of TCP ports available on the machine.

echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range

3.6. Changing Firewall Settings for the Directory Server ConsoleWhen remote clients are access the Directory Server instance, particularly the Directory Server Consoleor applications like Red Hat Certificate System, then make sure that the iptables configuration allowsthose connections past the firewall.

For example, if the instance is using the default ports and TLS/SSL is configured, then there are threeports that need to be opened in iptables.

1. Open the iptables file.


25

# vi /etc/sysconfig/iptables

2. Add a line to the configuration for each port that is in use for the Directory Server:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT

NOTE

Only add the TLS/SSL port (636) if TLS/SSL is actually enabled for the server.

3. Restart the firewall:

# service iptables restart

3.7. DNS RequirementsIt is very important that DNS and reverse DNS be working correctly on the host machine, especially if youare using TLS/SSL or Kerberos with Directory Server.

Configure the DNS resolver and the NIS domain name by the modifying the /etc/resolv.conf, /etc/nsswitch.conf, and /etc/netconfig files, and set the DNS resolver for name resolution.

Edit the /etc/defaultdomain file to include the NIS domain name. This ensures that the fully-qualified host and domain names used for the Directory Server resolve to a valid IP address and thatthat IP address resolves back to the correct hostname.

Reboot the machine to apply these changes.

4. Improving Search Performance (and Balancing ReadPerformance)The most effective way to improve search operations against the directory is to configure thoroughindexes for entries, combined with reasonable limits on search results.

4.1. Using IndexesAn index (as it implies) is a tag that shows that a certain entry contains a certain attribute, without havingto contain any other detail about the entry (which saves space and makes returning search resultsfaster). Each index is organized around a Directory Server attribute and a certain way of matching thatattribute:

Presence index (pres) simply shows what entries contain an attribute.

Equality index (eq) shows which attribute values match a specific search string.

Approximate index (approx) is used for efficient sounds-like searches, which shows entries whichhave a value that phonetically matches a string.

Substring index (sub) matches any substring of an attribute value to the given search string. (This


26

index if very expensive for the server to maintain.)

International index uses a matching rule to match strings in a directory which contains values inlanguages other than English.

Browsing index, or virtual list view (VLV) index, sets an index to use to display entries in the DirectoryServer Console.

NOTE

Indexing is described in much more detail in the Administrator's Guide.

However, just creating indexes is not ipso facto going to increase server performance. Maintainingindexes puts a burden on the Directory Server for every modify, add, and delete operation by having toverify every attribute in the change against every index maintained by the server:

1. The Directory Server receives an add or modify operation.

2. The Directory Server examines the indexing attributes to determine whether an index ismaintained for the attribute values.

3. If the created attribute values are indexed, then the Directory Server generates the new indexentries.

4. Once the server completes the indexing, the actual attribute values are created according to theclient request.

For example, the Directory Server adds the entry:

dn: cn=John Doe, ou=People,dc=example,dc=comobjectclass: topobjectClass: personobjectClass: orgpersonobjectClass: inetorgpersoncn: John Doecn: Johnsn: Doeou: Manufacturingou: peopletelephoneNumber: 408 555 8834description: Manufacturing lead for the Z238 line of widgets.

The Directory Server is maintaining the following indexes:

Equality, approximate, and substring indexes for cn (common name) and sn (surname) attributes.

Equality and substring indexes for the telephone number attribute.

Substring indexes for the description attribute.

When adding that entry to the directory, the Directory Server must perform these steps:

1. Create the cn equality index entry for John and John Doe.

2. Create the appropriate cn approximate index entries for John and John Doe.

3. Create the appropriate cn substring index entries for John and John Doe.

4. Create the sn equality index entry for Doe.

5. Create the appropriate sn approximate index entry for Doe.

4. Improving Search Performance (and Balancing Read Performance)

27

6. Create the appropriate sn substring index entries for Doe.

7. Create the telephone number equality index entry for 408 555 8834 .

8. Create the appropriate telephone number substring index entries for 408 555 8834 .

9. Create the appropriate description substring index entries for Manufacturing lead for the Z238 line of widgets. A large number of substring entries are generated for this string.

Before creating new indexes, make sure to balance the overhead of maintaining the indexes against thepotential improvements in search performance. Especially important, match the types of indexes that youmaintain to the type of information stored in the directory and the type of information users routinelysearch for.

Approximate indexes are not efficient for attributes commonly containing numbers, such as telephonenumbers.

Substring indexes do not work for binary attributes.

Equality indexes should be avoided if the value is big (such as attributes intended to containphotographs or passwords containing encrypted data).

Maintaining indexes for attributes not commonly used in a search increases overhead withoutimproving global searching performance.

Attributes that are not indexed can still be specified in search requests, although the searchperformance may be degraded significantly, depending on the type of search.

The more indexes you maintain, the more disk space you require.

TIP

Creating indexes is much more effective for directories which have a high search operation loadand low modify operation load.

4.2. Tuning Directory Server Resource SettingsThe server's performance can be managed and improved by limiting the amount of resources the serveruses to process client search requests, which is done by defining four settings:

The maximum number of entries the server returns to the client in response to a search operation(size limit attribute).

The maximum amount of real time (in seconds) for the server to spend performing a search request(time limit attribute).

The time (in seconds) during which the server maintains an idle connection before terminating it (idletimeout attribute).

The maximum number of file descriptors available to the Directory Server (max number of filedescriptors attribute).

To configure Directory Server to optimize performance:

1. In the Directory Server Console, select the Configuration tab, and then select the topmostentry in the navigation tree in the left pane.

2. Select the Performance tab in the right pane.


28

3. Set the maximum number of entries the server will return to the client in response to a searchoperation by entering a new value in the Size Limit text box.

To keep from setting a limit, type -1 in this text box.

4. Enter the maximum amount of real time (in seconds) for the server to spend performing a searchrequest in the Time Limit text box.

To keep from setting a limit, type -1 in this text box.

5. Enter the time (in seconds) for the server to maintain an idle connection before terminating it in theIdle Timeout text box.

To keep from setting a limit, type zero (0) in this text box.

6. Set the maximum number of file descriptors available to the Directory Server in the Max Numberof File Descriptors text box. For more information on this parameter, see the DirectoryServer Configuration, Command, and File Reference.

4.3. Setting Index Scan LimitsIn large directories, the search results list can get huge. A directory with a million inetorgpersonentries would have a million entries that were returned with a filter like (objectclass=inetorgperson), and an index for the sn attribute would have at least a millionentries in it.

Loading a long ID list from the database significantly reduces search performance. The configurationparameter, nsslapd-idlistscanlimit, sets a limit on the number of IDs that are read before a keyis considered to match the entire primary index (meaning the search is treated as an unidexed searchwith a different set of resource limits).

For large indexes, it is actually more efficient to treat any search which matches the index as anunindexed search. The search operation only has to look in one place to process results (the entiredirectory) rather than searching through an index that is nearly the size of a directory, plus the directoryitself.

The default value of the nsslapd-idlistscanlimit attribute is 4000, which is gives goodperformance for a common range of database sizes and access patterns. It's usually not necessary tochange this value. If the database index is slightly larger than the 4000 entries, but still significantlysmaller than the overall directory, then raising the scan limit improves searches which would otherwisehit the default limit of 4000.

On the other hand, lowering the limit can significantly speed up searches that would otherwise hit the4000 entry limit, but where it's not necessary to scan every entry.

4.4. Tuning the Database Cache for Searches

4. Improving Search Performance (and Balancing Read Performance)

29

The database attributes that affect search performance mainly define the amount of memory available tothe server. The maximum values that can be set for the database's cache size attributes depends onthe amount of real memory on the machine. Roughly, the amount of available memory on the machineshould always be greater than sum total of the default database cache size and sum of each entrycache size.

Use caution when changing these cache sizing attributes. The ability to improve server performancewith these attributes depends on the size of the database, the amount of physical memory available onthe machine, and whether directory searches are random (that is, if the directory clients are searchingfor random and widely scattered directory data).

If the database does not fit into memory and if searches are random, attempting to increase the valuesset on these attributes does not help directory performance. In fact, changing these attributes may harmoverall performance.

The attributes of each database used to store directory data, including the server configuration data inthe NetscapeRoot database, can be resized.

To improve the cache hit ratio on search operations, increase the amount of data that the DirectoryServer maintains in the database cache, as described in Section 6.2, “Tuning Database Cache”, byediting the values for the nsslapd-dbcachesize attribute.

4.5. Tuning the Database Settings for SearchesThe Directory Server Console only shows the databases that contain the directory data and the NetscapeRoot database. However, the server uses another database to manage these. On thisdatabase, the following attributes can be changed to improve performance:

The amount of memory to make available for all databases (maximum cache size), which isdescribed in Section 6.1, “Tuning Entry Cache”.

The maximum number of entries for the server to verify in response to a search request (look-through limit).

The amount of memory to make available for import (import cache size).

To configure the default database attributes that apply to all other database instances:

1. In the Directory Server Console, select the Configuration tab; then, in the navigation tree,expand the Data icon, and highlight the Database Settings node.

2. Select the LDBM Plug-in Settings tab in the right pane.

This tab contains the database attributes for all databases stored on this server.

3. In the Maximum Cache Size field, enter a value corresponding to the amount of memory to


30

make available for all databases. This value is for the total of the entire backend, meaning alldatabases cumulatively rather than the amount per single database instance.

4. In the Look-Through Limit field, enter the maximum number of entries for the server to checkin response to a search request.

5. There are two ways to set the amount of memory in bytes to make available for import. The defaultis to have auto cache sizing, meaning 50% of the free memory is allocated for the import cache. Itis also possible to set the import cache size manually by deselecting the Use Cache Auto-Size checkbox and then setting the value in the Import Cache Size field. For creating a verylarge database from LDIF, set this attribute as large as possible, depending on the memoryavailable on the machine. The larger this parameter, the faster the database is created.

WARNING

Setting this value too high can cause import failures because of a lack of memory.

4.6. Managing Special EntriesThe cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highlyscalable database as regular entries. As a result, if many entries, particularly entries that are likely to beupdated frequently, are stored under cn=config, performance will probably suffer.

Although Red Hat recommends that simple user entries not be stored under cn=config forperformance reasons, it can be useful to store special user entries such as the Directory Manager entryor replication manager (supplier bind DN) entry under cn=config since this centralizes configurationinformation.

5. Tuning Transaction LoggingEvery Directory Server contains a transaction log which writes operations for all the databases itmanages. Whenever a directory database operation such as a modify is performed, the server creates asingle database transaction for all of the database operations invoked as a result of that LDAPoperation. This includes both updating the entry data in the entry index file and updating all of theattribute indexes. If all of the operations succeed, the server commits the transaction, writes theoperations to the transaction log, and verifies that the entire transaction is written to disk. If any of theseoperations fail, the server rolls back the transaction, and all of the operations are discarded. This all-or-nothing approach in the server guarantees that an update operation is atomic. Either the entireoperation succeeds permanently and irrevocably, or it fails.

Periodically, the Directory Server (through internal housekeeping threads) flushes the contents of thetransaction logs to the actual database index files and checks if the transaction logs require trimming.

If the server experiences a failure, such as a power outage, and shuts down abnormally, the informationabout recent directory changes is still saved by the transaction log. When the server restarts, thedirectory automatically detects the error condition and uses the database transaction log to recover thedatabase.

Although database transaction logging and database recovery are automatic processes that require nointervention, it can be advisable to tune some of the database transaction logging attributes to optimizeperformance.

5. Tuning Transaction Logging

31

WARNING

The transaction logging attributes are provided only for system modifications and diagnostics.These settings should be changed only with the guidance of Red Hat Technical Support. Settingthese attributes and other configuration attributes inconsistently may cause the directory to beunstable.

5.1. Changing the Location of the Database Transaction LogBy default, the database transaction log file is stored in the /var/lib/dirsrv/slapd-instance_name/db directory along with the database files themselves.Because the purpose of the transaction log is to aid in the recovery of a directory database that wasshut down abnormally, it is a good idea to store the database transaction log on a different disk from theone containing the directory database. Storing the database transaction log on a separate physical diskmay also improve directory performance.

To change the location of the database transaction log:

1. Stop Directory Server.

service dirsrv stop [instance_name]

2. Edit the dse.ldif file and change the nsslapd-db-logdirectory attribute to show the new logfile location. Provide the full path to the log directory in the attribute.

For information on the nsslapd-db-logdirectory attribute syntax, see the Directory ServerConfiguration, Command, and File Reference.

3. Copy the existing transation logs and the DBVERSION file into the new transaction log directory.

cp /var/lib/dirsrv/slapd-instance_name/db/{log.*,DBVERSION} /path/to/newdirectory

4. Restart Directory Server.

service dirsrv start [instance_name]

5.2. Changing the Database Checkpoint IntervalAt regular intervals, the Directory Server writes operations logged in the transaction log to the databaseindex files and logs a checkpoint entry in the database transaction log. By indicating which changeshave already been written to the database indexes, checkpoint entries indicate where to begin recoveryfrom the transaction log, thus speeding up the recovery process.

By default, the Directory Server is set up to send a checkpoint entry to the database transaction logevery 60 seconds. Increasing the checkpoint interval may increase the performance of directory writeoperations. However, increasing the checkpoint interval may also increase the amount of time required torecover directory databases after a disorderly shutdown and require more disk space due to largedatabase transaction log files. Therefore, only modify this attribute if you are familiar with databaseoptimization and can fully assess the effect of the change.

To modify the checkpoint interval while the server is running, use the ldapmodify command-line utilityto add the nsslapd-db-checkpoint-interval attribute to the cn=config,cn=ldbm


32

database,cn=plugins,cn=config entry.

For more information on the syntax of the nsslapd-db-checkpoint-interval attribute, refer to theDirectory Server Configuration, Command, and File Reference.

5.3. Disabling Durable TransactionsDurable transaction logging means that each LDAP update operation, comprised of a sequence ofdatabase operations in a transaction, is physically written to disk. Even though each LDAP operation canbe comprised of multiple database operations, each LDAP operation is treated as a single databasetransation. Each LDAP operation is both atomic and durable.

WARNING

Turning off durable transactions can improve Directory Server write performance with the risk ofdata loss.

When durable transaction logging is disabled, every directory database operation is written to thedatabase transaction log file but may not be physically written to disk immediately. If a directory changewas written to the logical database transaction log file but not physically written to disk at the time of asystem crash, the change cannot be recovered. When durable transactions are disabled, the recovereddatabase is consistent but does not reflect the results of any LDAP write operations that completed justbefore the system crash.

By default, durable database transaction logging is enabled. To disable durable transaction logging:

1. Use the ldapmodify command-line utility to add the nsslapd-db-durable-transactionsattribute to the cn=config,cn=ldbm database,cn=plugins,cn=config entry, and setthe value of this attribute to off.

For information on the syntax of the nsslapd-db-durable-transactions attribute, see theDirectory Server Configuration, Command, and File Reference.

2. Restart the Directory Server.


5.4. Specifying Transaction BatchingTo improve update performance when full transaction durability is not required, use the nsslapd-db-transaction-batch-val attribute to specify how many transactions will be batched before beingcommitted to the transaction log. Setting this attribute to a value of greater than 0 causes the server todelay committing transactions until the number of queued transactions is equal to the attribute value.This is similar to disabling durable transaction logging (in the nsslapd-db-durable-transactionattribute), but setting the batch value gives more control over how many transactions can be potentiallylost.

To specify or modify transaction batching while the server is running, use the ldapmodify command-line utility to add the nsslapd-db-transaction-batch-val attribute to the cn=config,cn=ldbm database,cn=plugins,cn=config entry.

For more information on the syntax and values of the nsslapd-db-transaction-batch-val attribute,refer to the Directory Server Configuration, Command, and File Reference.

5. Tuning Transaction Logging

33

6. Managing the Database Cache SettingsThe best place to maintain data (despite some popular opinion) is the database cache, not thefilesystem cache. Pages the database cache are used directly from process memory, while storingpages in the filesystem cache incurs a higher processing overhead, with a user/kernel transition and amemory copy of the payload.

(Storing pages in the filesystem cache made some sense on older 32-bit systems, when the filesystemcache was able to use 64-bit address spaces.)

Still, using the process cache provide much better performance, especially for larger directories.

The Directory Server directly uses two kinds of cache for its pages:

Entry cache, which contains individual directory entries

Database cache, which contains database index files (.db4 files)

The entry cache size impacts search and read performance for the server, so high-traffic systemsshould have higher entry cache settings. The database cache size can affect searches againstdatabase indexes.

Both the entry cache and database cache access the system's memory (RAM).

NOTE

The database cache is memory mapped. Some systems don't handle mmapping very well, so toavoid any issues, put the database home directory in tmpfs.

6.1. Tuning Entry CacheEntry cache is the memory (RAM) used to store directory entries in the internal representation. Thiscache is referenced for search and read operations by the Directory Server. Good settings for the entrycache can improve search performance in the Directory Server. As a rule of thumb, more memoryassigned to the entry cache, the better. At a minimum, the Directory Server entry cache must haveenough memory to handle its regular amount of use with additional memory to cover most spikes in useor other events.

For the best search performance, make the entry cache large enough to contain all entries in thedatabase.

If entry caching is not set, then the Directory Server reads the entry straight from the entry index for thedatabase (id2entry.db4 ). This operation involves disk I/O to find the entry and then converts theentry from the on-disk format (LDIF) to the in-memory representation (Slapi_Entry). Keeping an entrycache allows the server to skip the disk I/O and conversion steps in directory searches.

When setting this value, monitor the entry cache usage.

To set the entry cache size from the Directory Server Console:

1. Select the Configuration tab and, in the navigation tree, expand the Data icon.

2. Expand the suffix associated with the database, such as dc=example,dc=com , and then selectthe database.


34

3. In the Database Settings tab in the main window, the Memory available for cachefield sets the amount of memory available, in bytes, that is assigned for the entry cache.

This value can be modified from the command line by editing the nsslapd-cachememsize attributevalue for the LDBM plug-in instance for the database. For example:


dn: cn=database_name,cn=ldbm database,cn=plugins,cn=configchangetype: modifyreplace: nsslapd-cachememsizensslapd-cachememsize: 20971520

6.2. Tuning Database CacheThe database cache contains the Berkeley database index files for the database, meaning all of the *.db4 and other files used for attribute indexing by the database. This value is passed to the BerkeleyDB API function set_cachesize.

This cache size has less of an impact on Directory Server performance than the entry cache size, but ifthere is available RAM after the entry cache size is set, then increase the amount of memory allotted tothe database cache.

NOTE

The operating system also has a file system cache which may compete with the database cachefor RAM usage. Refer to the operating system documentation to find information on file systemcache settings and monitoring the file system cache.

The Berkeley database documentation for the set_cachesize function gives a good, solid description ofthe functions and behavior of the database cache parameter, nsslapd-dbcachesize.

When setting the database cache value, monitor the cache usage.

To set the database cache size from the Directory Server Console:

1. Select the Configuration tab and, in the navigation tree, expand the Data icon.

2. Select the Database Settings node, and then open the LDBM Plug-in Settings tab.

3. The database cache size is set in the Maximum cache size field. This sets the allotted cachesize for the entire database and all its index files in bytes.

6. Managing the Database Cache Settings

35

http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_cachesize.html

Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining theproblem.

4. Restart the server to apply the changes.


This value can be modified from the command line by editing the nsslapd-dbcachesize attribute valuefor the LDBM plug-in configuration. For example:


dn: cn=config,cn=ldbm database,cn=plugins,cn=configchangetype: modifyreplace: nsslapd-dbcachesizensslapd-dbcachesize: 20971520

Be sure to restart the server to apply the changes.

7. Tuning Database Link PerformanceDatabase link performance can be improved through changes to the Directory Server's connection andthread management.

7.1. Managing Connections to the Remote ServerEach database link maintains a pool of connections to a remote server. The connections to optimizeresources can be configured for the directory.

7.1.1. Managing Connections to the Remote Server Using the Console

1. Select the Configuration tab, expand the Data folder in the left pane, and select the suffix,then the database link to change.


36

2. Click the Limits and Controls tab in the right navigation pane.

3. In the Connection Management section, make changes to any of the following fields:

Maximum TCP connection(s). The maximum number of TCP connections that the databaselink establishes with the remote server. The default value is 3 connections.

Bind timeout. Amount of time, in seconds, before the database link's bind attempt times out.The default value is 15 seconds.

Maximum binds per connection. Maximum number of outstanding bind operations per TCPconnection. The default value is 10 outstanding bind operations per connection.

Time out before abandon (sec). Number of seconds before the server checks to see if atimed-out connection should be abandoned. The default value is 1 second.

Maximum LDAP connection(s). Maximum number of LDAP connections that the database linkestablishes with the remote server. The default value is 10 connections.

Maximum bind retries. Number of times a database link attempts to bind to the remote server.A value of 0 indicates that the database link will try to bind only once. The default value is 3attempts.

Maximum operations per connection. Maximum number of outstanding operations per LDAPconnection. The default value is 2 operations per connection.

Connection lifetime (sec). How long a connection made between the database link and remoteserver remains open. Connections between the database link and the remote server can bekept open for an unspecified time or closed after a specific period of time. It is faster to keep

7. Tuning Database Link Performance

37

the connections open, but it uses more resources. For slow connections, it may be desirable tolimit the connection time. A value of 0 indicates there is no limit. By default, the value is set to 0.

7.1.2. Managing Connections to the Remote Server from the Command LineUse ldapmodify to add connection attributes to the database link entry.

The default connection management attributes are stored in the following entry:

cn=default instance config,cn=chaining database,cn=plugins,cn=config

The connection management attributes for a specific database link are stored in the following entry:

cn=database_link,cn=chaining database,cn=plugins,cn=config

The connection management attributes specified in this entry take precedence over the attributesspecified in the cn=default instance config entry.


38

Table 11. Database Link Connection Management Attributes


nsOperationConnectionsLimit Maximum number of LDAP connections that thedatabase link establishes with the remote server.The default value is 20 connections perdatabase link instance.

nsBindConnectionsLimit Maximum number of TCP connections that thedatabase link establishes with the remote server.The default value is 3 connections.

nsConcurrentOperationsLimit Maximum number of outstanding operations perLDAP connection. The default value is 2operations per connection.

nsConcurrentBindLimit Maximum number of outstanding bind operationsper TCP connection. The default value is 10outstanding bind operations.

nsBindRetryLimit Number of times a database link attempts to bindto the remote server. A value of zero (0) indicatesthat the database link will try to bind only once.The default value is 3 attempts.

nsConnectionLife Connection lifetime, in seconds. Connectionsbetween the database link and the remote servercan be kept open for an unspecified time orclosed after a specific period of time. It is faster tokeep the connections open, but it uses moreresources. For example, it may be wise to limit theconnection time for a slow connection. A value of 0 indicates there is no limit. By default, the valueis set to 0. When the value is 0 and there is a listof failover servers in the nsFarmServerURLattribute, the first server is never contacted afterfailover to the alternate server. The default valueis 0 seconds.

nsBindTimeout Amount of time, in seconds, before the bindattempt times out. The default value is 15seconds.

nsAbandonedSearchCheckInterval Number of seconds that pass before the serverchecks for abandoned operations. The defaultvalue is 1 second.

7.2. Detecting Errors During Normal ProcessingProtect server performance by detecting errors during the normal chaining operation between thedatabase link and the remote server. The database link has two attributes — nsMaxResponseDelay andnsMaxTestResponseDelay — which work together to determine if the remote server is no longerresponding.

The first attribute, nsMaxResponseDelay, sets a maximum duration for an LDAP operation to complete. Ifthe operation takes more than the amount of time specified in this attribute, the database link's server


39

suspects that the remote server is no longer online.

Once the nsMaxResponseDelay period has been met, the database link pings the remote server. Duringthe ping, the database link issues another LDAP request, a simple search request for an object thatdoes not exist in the remote server. The duration of the ping is set using the nsMaxTestResponseDelay.

If the remote server does not respond before the nsMaxTestResponseDelay period has passed, thenan error is returned, and the connection is flagged as down. All connections between the database linkand remote server will be blocked for 30 seconds, protecting the server from a performance degradation.After 30 seconds, operation requests made by the database link to the remote server continue asnormal.

Both attributes are stored in the cn=config,cn=chaining database,cn=plugins,cn=configentry. The following table describes the attributes in more detail:

Table 12. Database Link Processing Error Detection Parameters


nsMaxResponseDelay Maximum amount of time it can take a remoteserver to respond to an LDAP operation requestmade by a database link before an error issuspected. This period is given in seconds. Thedefault delay period is 60 seconds. Once thisdelay period has been met, the database linktests the connection with the remote server.

nsMaxTestResponseDelay Duration of the test issued by the database link tocheck whether the remote server is responding. Ifa response from the remote server is notreturned before this period has passed, thedatabase link assumes the remote server isdown, and the connection is not used forsubsequent operations. This period is given inseconds. The default test response delay periodis 15 seconds.

7.3. Managing Threaded OperationsGenerally, Directory Server performs best using a limited number of threads for processing operations. Alimited number of threads can generally process operations very quickly, preventing the queue ofoperations waiting for a free thread from growing too long.

On multi-core or multi-CPU machines, a good starting point is to use two threads per core or CPU. Thisgives a good balance between performance and concurrency. If performance becomes an issue, orclients are not being served as quickly as possible, increase the number of threads.

However, the database link forwards operations to remote servers for processing. The database linkcontacts the remote server, forwards the operation, waits for the result, and then sends the result backto the client application. The entire operation can take much longer than a local operation.

While the database link waits for results from the remote server, it can process additional operations.When using database links, performance can be improved by increasing the number of threads available


40

for processing operations. While the local CPU waits for a response from a remote server, it canprocess other operations rather than stand idle.

To change the number of threads used for processing operations, change the nsslapd-threadnumberglobal configuration attribute in the cn=config entry. The default thread number is 30. Restart theserver after changing the thread count to apply the changes.

[1] The LDAP to o ls referenced in this g uid e are Mo zil la LDAP, installed with Directo ry Server in the /usr/lib64/mozldapd irecto ry o n Red Hat Enterp rise Linux 5 (6 4-b it). Ho wever, Red Hat Enterp rise Linux systems also inc lud e LDAP to o ls fro mOp enLDAP. It is p o ssib le to use the Op enLDAP co mmand s as sho wn in the examp les, b ut yo u must use the -x arg ument tod isab le SASL and allo w s imp le authenticatio n.


41

Red Hat Directory Server-8.2-Performance Tuning Guide-En-US

Documents

Transcript of Red Hat Directory Server-8.2-Performance Tuning Guide-En-US