Novell eDirectory 8.8 User guide

NetIQ

eDirectory

™

8.8 SP8

Tuning Guide

September 2013

Legal Notice

THISDOCUMENTANDTHESOFTWAREDESCRIBEDINTHISDOCUMENTAREFURNISHEDUNDERANDARE

SUBJECTTOTHETERMSOFALICENSEAGREEMENTORANON‐DISCLOSUREAGREEMENT.EXCEPTASEXPRESSLY

SETFORTHINSUCHLICENSEAGREEMENTORNON‐DISCLOSUREAGREEMENT,NETIQCORPORATIONPROVIDES

THISDOCUMENTANDTHESOFTWAREDESCRIBEDINTHIS

DOCUMENTʺASISʺWITHOUTWARRANTYOFANY

KIND,EITHEREXPRESSORIMPLIED,INCLUDING,BUTNOTLIMITEDTO,THEIMPLIEDWARRANTIESOF

MERCHANTABILITYORFITNESSFORAPARTICULARPURPOSE.SOMESTATESDONOTALLOWDISCLAIMERSOF

EXPRESSORIMPLIEDWARRANTIESINCERTAINTRANSACTIONS;THEREFORE,THISSTATEMENTMAYNOTAPPLY

TOYOU.

For

purposesofclarity,anymodule,adapterorothersimilarmaterial(ʺModuleʺ)islicensedunderthetermsandconditionsof

theEndUserLicenseAgreementfortheapplicableversionoftheNetIQproductorsoftwaretowhichitrelatesor

interoperateswith,andbyaccessing,copyingorusinga

Moduleyouagreetobeboundbysuchterms.Ifyoudonotagreeto

thetermsoftheEndUserLicenseAgreementyouarenotauthorizedtouse,accessorcopyaModuleandyoumustdestroyall

copiesoftheModuleandcontactNetIQforfurtherinstructions.

Thisdocument

andthesoftwaredescribedinthisdocumentmaynotbelent,sold,orgivenawaywithoutthepriorwritten

permissionofNetIQCorporation,exceptasotherwisepermittedbylaw.Exceptasexpresslysetforthinsuchlicense

agreementornon‐disclosureagreement,nopartofthisdocumentorthesoftwaredescribed

inthisdocumentmaybe

reproduced,storedinaretrievalsystem,ortransmittedinanyformorbyanymeans,electronic,mechanical,orotherwise,

withoutthepriorwrittenconsentofNetIQCorporation.Somecompanies,names,anddatainthisdocumentareusedfor

illustrationpurposesandmaynotrepresentreal

companies,individuals,ordata.

Thisdocumentcouldincludetechnicalinaccuraciesortypographicalerrors.Changesareperiodicallymadetothe

informationherein.Thesechangesmaybeincorporatedinneweditionsofthisdocument.NetIQCorporationmaymake

improvementsinorchangestothesoftwaredescribedinthisdocumentatanytime.

U.S.Government

RestrictedRights:IfthesoftwareanddocumentationarebeingacquiredbyoronbehalfoftheU.S.

GovernmentorbyaU.S.Governmentprimecontractororsubcontractor(atanytier),inaccordancewith48C.F.R.227.7202‐4

(forDepartmentofDefense(DOD)acquisitions)and48C.F.R.2.101and12.212(for

non‐DODacquisitions),thegovernment’s

rightsinthesoftwareanddocumentation,includingitsrightstouse,modify,reproduce,release,perform,displayordisclose

thesoftwareordocumentation,willbesubjectinallrespectstothecommerciallicenserightsandrestrictionsprovidedinthe

licenseagreement.

©2013NetIQCorporationandits

affiliates.AllRightsReserved.

ForinformationaboutNetIQtrademarks,seehttps://www.netiq.com/company/legal/.

Contents 3

Contents

About this Book and the Library 5

About NetIQ Corporation 7

1 Overview 9

1.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

2 eDirectory Subsystems 11

2.1 FLAIM Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2.1.1 Checkpoint. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

2.1.2 Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

2.1.3 Roll-Forward Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

2.2 Thread Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

3 Analyzing System Bottlenecks 15

3.1 Disk I/O Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.2 CPU Subsystem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.3 Memory Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

3.4 Network Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

4 Tuning eDirectory Subsystems 19

4.1 FLAIM Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

4.1.1 Choosing Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.1.2 Tuning for Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

4.2 Thread Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

4.3 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

4.3.1 Improving eDirectory Searches and Reads. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

4.3.2 Disabling ACL Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

4.4 Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

4.5 Solid State Disk (SSD). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

4.6 NMAS Login Update Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

4.7 SSL Overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

4.8 Import Convert and Export (ICE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

4.9 ldif2dib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

5 eDirectory Configuration 27

5.1 Configuring the FLAIM Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

5.1.1 Hard Cache Limit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

5.1.2 Dynamically Adjusting the Limit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

5.2 Modifying FLAIM Cache Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

5.2.1 Modifying FLAIM Cache Settings through iMonitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28

5.2.2 Modifying FLAIM Cache Settings through _ndsdb.ini . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

4 NetIQ eDirectory 8.8 SP8 Tuning Guide

About this Book and the Library 5

About this Book and the Library

ThedescribeshowtoanalyzeandtunetheNetIQeDirectory(eDirectory)producttoyieldsuperior

performanceinalldeployments.

ForthemostrecentversionoftheNetIQeDirectory8.8SP8TuningGuide,seetheNetIQeDirectory8.8

onlinedocumentationWebsite.

Intended Audience

Theguideisintendedfornetworkadministrators.

Other Information in the Library

Thelibraryprovidesthefollowinginformationresources:

XDASv2AdministrationGuide

DescribeshowtoconfigureanduseXDASv2toauditeDirectoryandNetIQIdentityManager.

InstallationGuide

DescribeshowtoinstalleDirectory.Itisintendedfornetworkadministrators.

AdministrationGuide

DescribeshowtomanageandconfigureeDirectory.

TroubleshootingGuide

DescribeshowtoresolveeDirectory

issues.

What’sNewGuide

DescribesthenewfeaturesofeDirectory.

TheseguidesareavailableatNetIQeDirectory8.8documentationWebsite.

ForinformationabouttheeDirectorymanagementutility,seetheNetIQiManager2.7Administration

Guide.

6 NetIQ eDirectory 8.8 SP8 Tuning Guide

About NetIQ Corporation 7

About NetIQ Corporation

Weareaglobal,enterprisesoftwarecompany,withafocusonthethreepersistentchallengesinyour

environment:Change,complexityandrisk—andhowwecanhelpyoucontrolthem.

Our Viewpoint

Adaptingtochangeandmanagingcomplexityandriskarenothingnew

Infact,ofallthechallengesyouface,theseareperhapsthemostprominentvariablesthatdeny

youthecontrolyouneedtosecurelymeasure,monitor,andmanageyourp hysical,virtual,and

cloudcomputingenvironments.

Enablingcriticalbusinessservices,better

andfaster

WebelievethatprovidingasmuchcontrolaspossibletoITorganizationsistheonlywayto

enabletimelierandcosteffectivedeliveryofservices.Persistentpressureslikechangeand

complexitywillonlycontinuetoincreaseasorganizationscontinuetochangeandthe

technologiesneededtomanagethem

becomeinherentlymorecomplex.

Our Philosophy

Sellingintelligentsolutions,notjustsoftware

Inordertoprovidereliablecontrol,wefirstmakesureweunderstandthereal‐worldscenarios

inwhichITorganizationslikeyoursoperate—dayinanddayout.Thatʹstheonlywaywecan

developpractical,intellig entITsolutionsthatsuccessfullyyieldproven,

measurableresults.

Andthatʹssomuchmorerewardingthansimplysellingsoftware.

Drivingyoursuccessisourpassion

Weplaceyoursuccessattheheartofhowwedobusiness.Fromproductinceptionto

deployment,weunderstandthatyouneedITsolutionsthatworkwellandintegrateseamlessly

with

yourexistinginvestments;youneedongoingsupportandtrainingpost‐deployment;and

youneedsomeonethatistrulyeasytoworkwith—forachange.Ultimately,whenyousucceed,

weallsucceed.

Our Solutions

 Identity&AccessGovernance

 AccessManagement

 SecurityManagement

 Systems&ApplicationManagement

 WorkloadManagement

 ServiceManagement

8 NetIQ eDirectory 8.8 SP8 Tuning Guide

Contacting Sales Support

Forquestionsaboutproducts,pricing,andcapabilities,contactyourlocalpartner.Ifyoucannot

contactyourpartner,contactourSalesSupportteam.

Contacting Technical Support

Forspecificproductissues,contactourTechnicalSupportteam.

Contacting Documentation Support

Ourgoalistoprovidedocumentationthatmeetsyourneeds.Ifyouhavesuggestionsfor

improvements,clickAddCommentatthebottomofanypageintheHTMLversionsofthe

documentationpostedatwww.netiq.com/documentation.YoucanalsoemailDocumentation‐

[email protected].Wevalueyourinputandlookforwardtohearing

fromyou.

Contacting the Online User Community

Qmunity,theNetIQonlinecommunity,isacollaborat ivenetworkconnectingyoutoyourpeersand

NetIQexperts.Byprovidingmoreimmediateinformation,usefullinkstohelpfulresources,and

accesstoNetIQexperts,Qmunityhelpsensureyouaremasteringtheknowledgeyouneedtorealize

thefullpotentialofITinvestmentsupon

whichyourely.Formoreinfo rmation,visithttp://

community.netiq.com.

Worldwide: www.netiq.com/about_netiq/officelocations.asp

United States and Canada: 1-888-323-6768

Email: [email protected]

Web Site: www.netiq.com

Worldwide: www.netiq.com/support/contactinfo.asp

North and South America: 1-713-418-5555

Europe, Middle East, and Africa: +353 (0) 91-782 677

Email: [email protected]

Web Site: www.netiq.com/support

Overview 9

Overview

NetIQeDirectory8.8isastandards‐compliant,cross‐platform,highlyscalable,fault‐tolera nt,and

high‐performancedirectoryservicessolution.Thisguideprovidesinformationontuningyour

eDirectoryenvironmentforimprovedperformance.

Tuningforperformanceisacomplexactivity.ItrequiresunderstandingofboththeeDirectoryand

operatingsystemʹssubsystems.It

involvesmonitoringthesystemtoidentifybottlenecksandfixing

themoneatatime.ManyatimesresourcesarelimitedandtuningisconfinedtoeDirectoryandthe

operatingsystem.

Theguideisdividedintothefollowingsections:

 Prerequisites:Readthissectionbeforeattemptinganykindoftuningandthenproceed

tothe

othersections.

 eDirectorySubsystems:Thischapterdescribesprimarysubs ystemsthatinfluenceeDirectory

performance.

 AnalyzingSystemBottlenecks:Thischapterdescribesvarioussystemresourcesandtheir

influenceoneDirectoryperformance.

 TuningeDirectorySubsystems:ThischapterdescribeshowtoanalyzeandtuneeDirectory

undervariousconditionsandenvironments.

 eDirectory

Configuration:Thischapterdescribeshowtoconfigurevarioustunableparameters.

ToincreasetheoverallperformanceofyoureDirectoryenvironment,eDirectory8.8SP8provides

additionalparametersforoptimizingeDirectorybackgroundprocesses.Formoreinformationabout

thenewparameters,seeTID7015361.

1.1 Prerequisites

Ensurethatthefollowinggeneralprerequisitesaremetbeforeattemptingtotunethesystemfor

performance:

 AgoodeDirectorytreedesigncanenhanceeDirectoryperformance.Thefollowing

considerationsmightapply:

 Applicationsreadalltheinformationlocallyontheserverwithoutneedingtochainthe

requests.

 eDirectoryefficientlyhandlesobjectreferences

automatically.Ifpossible,objectsonaserver

shouldnotrefertoobjectsthatarenotlocalonthatserver,becausemaintainingnon‐local

objectreferencescantakemoretime.Ifsuchreferencesexist,backlinksmustbemaintained.

Thisbecomescumbersomeinlargedeployments.

 Ifyouneedagroupwith 10,000members

ormore,dynamicgroupsarerecommended.This

allowsyoutoavoidtheoverheadassociatedwithmaintainingreferencesforsomany

people.Chooseyourdynamicgroupconfigurationcarefully,becauseusingmultiple

dynamicgroupswithimpropersearchcriteriamightoverloadtheserverandreduceoverall

10 NetIQ eDirectory 8.8 SP8 Tuning Guide

serverperformance.Ifasearchoperationtakesalongtimetocomplete,thechosenindex

mightbeinefficient.Minimizetheuseofregular(static)groupsasthiscanincreasetree

walkingonlogin.

 UseACLsefficiently.Forexample,usethe[This]trusteeandassignitatthecontainerlevel

insteadof

usinganACLtemplatethatassignsrightstoitself.ThefewerACLs,thebetterthe

performance.FormoreinformationonACLs,see“eDirectoryRights ”intheNetIQ

eDirectory8.8SP8AdministrationGuide.

 Distributetheloadontomultiplereplicaservers.

 Althoughagoodtreedesignminimizestheneedfortree

walking,itisstillsometimes

necessary.Youcanconsider“AdvancedReferralCosting”intheNetIQeDirectory8.8SP8

AdministrationGuide.

 Ifloginsareslow,youcandisableloginupdates.Thereareseparatewaystodisablelogin

updatesforbothNDSandNetIQModularAuthenticationService(NMAS)logins.

However,it

isimportanttounderstandthesecurityimplications(http://www.novell.com/

documentation/nmas33/admin/data/bg8dphs.html).

 RunhealthchecksthroughiMonitor.Formoreinformation,see“KeepingeDirectoryHealthy”

intheNetIQeDirectory8.8SP8AdministrationGuide.Ensurethefollowing:

 Timeisinsyncacrossallreplicaservers.

 Replicasynchronizationandbackgroundprocessesareina

healthystate.

eDirectory Subsystems 11

eDirectory Subsystems

ThissectiondiscussestheeDirectorySubsystems.

 Section 2.1,“FLAIMDatabase,”onpage 11

 Section 2.2,“ThreadPool,”onpage 12

2.1 FLAIM Database

eDirectoryusesFLAIMasitsdatabase.FLAIM(FlexibleAdaptableInformationManager)isusedfor

traditional,volatile,andcomplexinformation.Itisaveryscalabledatabaseenginethatsupports

multiplereadersandasingle‐writerconcurrencymodel.Readersdonotblockwritersandwritersdo

notblockreaders.

Physically,FLAIMorganizesdata

inblocks.Someoftheblocksaretypicallyheldinmemory.They

representtheblockcache.Theentrycache(sometimescalledarecordcache)cacheslogicalentries

fromthedatabase.Entriesareconstructedfromtheitemsintheblockcache.FLAIMmaintainshash

tablesforbothcaches.Thehashbucket

sizeisperiodicallyadjustedbasedonthenumberofitems.

BydefaulteDirectoryusesablocksizeof4KB.TheblockcachesizeforcachingthecompleteDIBis

equaltotheDIBsize,andthesizerequiredfortheentrycacheisabouttwotofourtimestheDIB

size.

Whileretrievinganentry,FLAIMfirstchecks fortheentryintheentrycache.Iftheentryexists,

readingfromtheblockcacheisnʹtnecessary.Whileretrievingablockfromthedisk,FLAIMfirst

checksfortheblockinthecache.Iftheblockexists,adiskreadoperation

isnʹtnecessary.

Whenanentryisaddedormodified,thecorrespondingblocksforthatentryarenotdirectly

committedtothedisk,sothediskandmemorymightnotbeinsync.However,theupdatesmadeto

theentryareloggedtotheroll‐forwardlog(RFL).AnRFLis

usedtorecovertransactionsaftera

systemfailure.

LeastRecentlyUsed(LRU)isthereplacementalgorithmusedforreplacingitemsinthecache.

 Section 2.1.1,“Checkpoint,”onpage 11

 Section 2.1.2,“Indexes,”onpage 12

 Section 2.1.3,“Roll‐ForwardLog,”onpage 12

2.1.1 Checkpoint

Acheckpointbringstheon‐diskversionofthedatabasetothesamecoherentstateasthein‐memory

(cached)database.FLAIMcanperformacheckpointduringtheminimalupdateacti vityonthe

database.Itrunseverysecondandwritesthedirtyblocks(dirtycache)tothedisk.Blocksthatare



modifiedinthecachebutnotyetwrittentothediskarecalled“dirtyblocks”.FLAIMacquiresalock

onthedatabaseandperformsthemaximumamountofpossibleworkuntileitherthecheckpoint

12 NetIQ eDirectory 8.8 SP8 Tuning Guide

completesoranotherthreadiswaitingtoupdatethedatabase.Topreventtheon‐diskdatabasefrom

becomingtoofaroutofsync,thereareconditionsunderwhichacheckpointisforcedevenifthreads

arewaitingtoupdatethedatabase:

 Ifthecheckpointthreadcannotcompleteacheckpointwithina

specifiedtimeinterval(the

defaultis3minutes),itisforcedandthedirtycacheiscleaned.

 Ifthesizeofthedirtycacheislargerthanthe

maxdirtycache

(ifset),acheckpointisforcedto

bringdownthedirtycachesizeto

mindirtycache

(ifset)ortozero.

2.1.2 Indexes

Anindexisasetofkeysarrangedinawaythatsignificantlyspeedsupthetaskoffindingany

particularkeywithintheindex.Indexkeysareconstructedbyextractingthecontentsofoneormore

fields(attributes)fromtheentries.Indexesaremaintainedintheblockcache.Anychanges

tothe

indexedattributesrequireschangesintheindexblocks.

eDirectorydefinesadefaultsetofindexesforsystemattributes (fields).Systemattributessuchas

parentID

and

ancestorID

areusedforone‐levelandsubtreesearches.Theseindexescannotbe 

suspendedordeleted.Thedirectoryinternallyusesthem.Defaultindexesaredefinedforattributes

suchas

,

Surname

,

Given Name

,andsoon.Indexescanbeoftypepresence,value,andsubstring

indexes.Theseindexescanbesuspended.Ondeletiontheyareautomaticallyre‐created.

YoucanuseiManagerorthendsindexLightweightDirectoryAccessProtocol(LDAP)utilitytocreate

indexes.Indexes(http://www.novell.com/documentation/edir88/edir88/data/a5tuuu5.html) are

server‐specific.

ByenablingtheStorage

Manager(

StrMan

)taginDSTrace(ndstrace),youcanviewtheindexchosen

forthesearchqueries.

ThefollowingexampleisforaDSTracelogforasubtreesearchusing

“cn=admin”

,CN.

3019918240 StrMan: Iter #b239c18 query ((Flags&1)==1) &&

((CN$217A$.Flags&8=="admin") && (AncestorID==32821))

3019918240 StrMan: Iter #b239c18 index = CN$IX$220

ThefollowingexampleisforanDSTracelogforasubtreesearchusing

“Description= This is

for testing”

,

AncestorID

.

2902035360 StrMan: Iter #83075b0 query ((Flags&1)==1) &&

((Description$225A$.Flags&8=="This is for testing") && (AncestorID==32821))

2902035360 StrMan: Iter #83075b0 index = AncestorID_IX

2.1.3 Roll-Forward Log

FLAIMlogsoperationsforeachupdatetransactioninaroll‐forwardlog(RFL)file.AnRFLisusedto

recovertransactionsfromasystemfailureorwhenrestoringfromabackup.TheRFLfileistruncated

aftereverycheckpointiscompletedunlessitisturnedon(

rflkeepfiles

)byusingahotcontinuous

backup(http://www.novell.com/documentation/edir88/edir88/data/a2n4mb7.html).

2.2 Thread Pool

eDirectoryismulti‐threadedforperformancereasons.Inmulti‐threading,whenthesys tem isbusy,

morethreadsarecreatedtohandletheloadandsomethreadsareterminatedtoavoidextra

overhead.Itisinefficientandcostlytofrequentlycreateanddestroythreads.Insteadofspawning

eDirectory Subsystems 13

newthreadsanddestroyingthemforeverytask,anumberofthreadsarestartedandplacedina

pool.Thesystemallocatesthethreadsfromthethreadpooltoseveraltasksasneeded.Tasksareheld

intwotypesofqueues:

 TasksthatneedimmediateschedulingareheldintheReady

queue.

 Tasksthatneedschedulingatalatertimeare heldintheWaitingqueue.

Noteverymoduleusesthethreadpool.Theactualnumberofthreadsfortheprocessismorethanthe

numberthatexistsinthethreadpool.Forexample,FLAIMmanagesitsbackgroundthreads

separately.

Runningthe



ndstrace -c threads

commandreturnsthefollowingthreadpoolstatistics:

 Thetotalnumberofthreadsthatarespawned,terminated,andidle.

 Thetotalnumberofworkerthreadscurrentlyandthepeaknumberofworkerthreads.

 ThenumberoftasksandpeaknumberoftasksintheReadyqueue.

 Theminimum,maximumand

averagenumberofmicrosecondsspentintheReadyqueue.

 ThecurrentandmaximumnumberoftasksintheWaitingqueue.

Anexampleofasamplethreadpool:

Therearecertainthreadpoolparameters:

 n4u.server.max‐threads:Maximumnumberofthreadsthatcanbeavailableinthepool.

 n4u.server.idle‐threads:Maximumnumberof

idlethreadsthatcanbeavailableinthepool.

 n4u.server.start‐threads:Numberofthreadsstarted.

Runthe

ndsconfig get

and

ndsconfig set

commandstogetandsetthethreadpoolsize.

14 NetIQ eDirectory 8.8 SP8 Tuning Guide

Analyzing System Bottlenecks 15

Analyzing System Bottlenecks

ThereareseveralsystemresourcesthatinfluenceeDirectoryperformance.Inaddition,upgradingto

thelatestversionofoperatingsystemimprovesperformance.

 Section 3.1,“DiskI/OSubsystem,”onpage 15

 Section 3.2,“CPUSubsystem,”onpage 16

 Section 3.3,“MemorySubsystem,”onpage 16

 Section 3.4,“NetworkSubsystem,”onpage 17

3.1 Disk I/O Subsystem

Thedisksubsystemisthemostcommonbottleneck.TheI/Otakesarelativelylongtimewithlonger

queues,resultinginhighdiskutilizationandidleCPUcycles.Usetheiostattoolduringexpected

peakloadstodeterminetheaverageresponsetimeindicators.

Diskread,write,andupdateoperationscanbesequential

orrandom.Randomreadsandupdatesis

themostcommonaccesspatternineDirectorydeployments.

Somesolutionsforrandomworkloads:

 IncreasetheRAM.Thisallowscachingfrequentlyuseddataorread‐aheaddataatthefilesystem

layer.ItalsoallowscachingtheDIBwithintheFLAIMsubsystem.

 Usededicatedvolumesfor

theDIB.Filesystemperformanceimprovesforvolumescreated

closertothespindle.UsededicatedvolumesforRFLandotherlogs.

 Asdisksdevelopincreasinglatencyoveraperiodoftimebecauseoffragmentation,theyshould

bedefragmented.

 AddseparatediskdrivesforFLAIMRFL.Thistypeofloggingcanbeperformed

onhigh‐speed

disks.

 UseaRAID10(1+0)environmentwithmorediskdrives.

FilescreatedbyeDirectorycangrowto4GB.Filesystemsthatareoptimizedtohandlelargefiles

workefficientlywitheDirectory.

 ForSolaris™,theVeritas*VxFSfilesystemisanextent‐basedfilesystemwherethefilesystem

metadataisoptimizedforlargefiles.TheUFSfilesystemisindirectlyblock‐based,wherethe

filesystemmetadataisstoredinlargernumberofblocks.Itcanevenbescatteredforlargefiles,

whichmakesUFSslowerforlargerfiles.

 ForLinux™,theReiserfilesystemisafastjournalingfilesystem

andperformsbetterthanthe

ext3filesystemonlargeDIBsets.However,thewritebackjournalingmodeofext3isknownto

matchtheperformanceoftheReiserfilesystemalthoughthedefaultorderedmodeprovides

betterdataconsistency.XFSisahigh‐performancejournalingfilesystem,capableofhandling

largefiles

andofferingsmoothdatatransfers.eDirectory8.8SP8issupportedonSLES1132and

64‐bitplatformshavingXFSfilesystem.

16 NetIQ eDirectory 8.8 SP8 Tuning Guide

FLAIMsupportsablocksizeof4KBand8KB.Bydefault,itis4KB.Thisissameasthedefaultblock

sizeonLinux(

tune2fs -l device

).However,onSolaris,theUFSfilesystemiscreatedwitha

defaultblocksizeof8KB(

df -g mountpoint

).IftheFLAIMblocksizeissmallerthanthefilesystem

blocksize,partialblockwritescanhappen.Ifthedatabaseblocksizeislargerthanthefilesystem

blocksize,individualblockreadsandwritesaresplitintoaseriesofdistinctphysicalI/Ooperations.

Therefore,youshouldalwayskeepthe

FLAIMblocksizethesameasthefilesystemblocksize.

BlocksizescanbecontrolledonlyduringthecreationoftheDIB.Addaline“blocksize=8192”to

_ndsdb.ini

tocreatetheDIBwith8Kblocksize.

ChoosingtherightblocksizedependsontheaveragesizeoftheFLAIMrecordonyourdeployments.

Empiricaltestingisrequiredontherightsetoftestdatatodeterminewhichblocksizeisbetterfor

yourdeployment.

3.2 CPU Subsystem

eDirectoryisbuiltonahighlyscalablearchitecture.Theperformanceincreaseswiththeincreasein

thenumberofprocessors.Increasedthroughputisobserveduntilatleastthe12thprocessorunder

heavyload.However,thisincrease issubjecttotheperformanceofotherresourcesduringthe

increasingloadonthesystem.Servers

areoftenunder‐configuredwithdisksandmemory.You

shouldaddmoreprocessorsonlyunderthefollowingcircumstances:

 Iftheaverageloadoncurrentlyusedprocessorsisbeyond75%percentutilization.Ifthecurrent

CPUutilizationisbelow75%,addingmoreCPUsmightnotimproveperformance.

 Ifthereisa

satisfyingincreaseinperformance.

IfeDirectoryisconfiguredwithtoomanythreads,considerableamountofCPUtimeisspentin

contextswitching.Inthiscase, adecreaseinthreadscanresultinbetterthroughput.

3.3 Memory Subsystem

ServerapplicationscanperformsignificantlybetterwhenRAMisincreased.CachingtheeDirectory

databaseinthefilesystemorintheFLAIMcachecanleadtoimprovedperformancesofsearchand

modifyoperations.However,youcannotcachethecompleteDIBinlargedeployments.Avoidpage

swappingevenifitmeansreducingthe

FLAIMentryandblockcachesizes.Usethevmstattoolto

findmoreinformationonthememorysubsystem.

AseDirectoryusesmemory,eachthreadfromthethreadpooluses1MBofRAMforitsstack.By

default,theFLAIMcachesizeissetto200MB.

Severalloadablemodulesare

startedwheneDirectorystarts,buttheloadablemodulearchitectureof

eDirectoryallowsyoutoreducethememoryfootprintoftheprocessbynotloadingtheunused

modules(forexample,SecretStore,LDAP,oreMBox).Inaddition,productslikeIDMhavesome

modulesthatruninsideeDirectory.

ThememoryusedbyeDirectorymight

appeartobegrowing.Althoughmemoryisfreedbyan

eDirectoryprocess,itmightnotbereleasedtothesystemfreepoolbecausethememorymanager

usedinternallybyeDirectorytriestooptimizethememoryallocationsforfuture.Thisisoneofthe

reasonsfornotrecommendingFLAIMdynamicconfiguration.

UsetheToptooltofindthe

approximatevirtualmemorysizeofthendsdprocessinyourdeployment.

Themaximummemorythatcanbe allocatedtoaprocessislimitedinseveralways.Acertainamount

ofRAMisusedbytheoperatingsystemandotherprocessesonthesystem.The

operatingsystemcan

imposelimitationsonphysicalRAMthataprocessuses.

Analyzing System Bottlenecks 17

3.4 Network Subsystem

Typicaldeploymentshavesufficientbandwidthtohandlepeaknetworkload.Adequatebandwidth

reduceserrors,collisions,anddroppedpackets.Usethenetstattooltodeterminethenetwork

statistics.

SeveraloperatingsystemsprovideTCP/IPtunableparametersfortuningnetworkintensiveservers.

Forinformation,refertothedocumentationfortheoperatingsystems.

Ifthenetwork

isthebottleneck,youshouldincreasethebandwidth.Configuringadedicatedprivate

networkbetweentheapplicationserversandtheeDirectoryservermightalsohelpinreducingthe

networkcongestion.

18 NetIQ eDirectory 8.8 SP8 Tuning Guide

Tuning eDirectory Subsystems 19

Tuning eDirectory Subsystems

Thissectionincludesthefollowinginformation:

 Section 4.1,“FLAIMDatabase,”onpage 19

 Section 4.2,“ThreadPool,”onpage 20

 Section 4.3,“A C L s , ” onpage 21

 Section 4.4,“Replication,”onpage 23

 Section 4.5,“SolidStateDisk(SSD),”onpage 24

 Section 4.6,“NMASLoginUpdateInterval,”onpage 25

 Section 4.7,“SSLOverhead,”onpage 25

 Section 4.8,“ImportConvertandExport(ICE),”onpage 25

 Section 4.9,“ldif2dib,”onpage 25

4.1 FLAIM Database

CachesizingisarguablythemostimportantfactoraffectingtheoverallperformanceofeDirectory.

Thegreaterthenumberofitems(blocksandentries)thatcanbecached,thebettertheoverall

performanceis.Thepercentageoftimesthattheblocksorentriesarefoundinthecacheiscalledthe

hit

ratio.Ahigherratioresultsinbetterperformance.iMonitorcanbeusedtoviewthehitratio.

Theblockcacheismostusefulforupdateoperations.Theentrycacheismostusefulforoperations

thatperformsabase‐scopedsearchforanentry.However,bothone‐levelandsub‐treescoped



searchesusetheentrycacheaswellastheblockcache.Theblockcacheisusedtoretrieveindexes.

Createtherighttypeofindexesasnecessary,formoreinformationsee“ChoosingIndexes”on

page 20.

Afaultintheblockcachecanresultinadiskreadoperation.Diskreads

arealwaysexpensive,but

theycanbeavoidedifablockisretrievedfromthefilesystemcache.

Theamountofmemoryrequiredtocachethecompletedatabaseintheblockcacheisnearlythesize

ofthedatabaseonthedisk,andtheamountofmemoryrequiredtocachethecomplete

databasein

theentrycacheisnearlytwotofourtimesthedatabasesizeonthedisk.Whenyouhavelessmemory

onasystem,tryasmallerentrycacheandamuchlargerblockorfilesystemcache.

Ifreadsarelocalizedtoasetofentriesinthedirectory,you

shouldincreasetheentrycacheaslongas

itresultsinanimprovedentrycache hitratio.

IfthereadpatterniscompletelyrandomandtheDIBismuchlargerthantheavailableRAM,you

shouldhavealargerblockcacheorafilesystemcachethantheentrycache.

Anymethodyou

usetotuneeDirectoryforanimprovedperformanceneedsempiricaltesting.A

goodratioofentrytoblockcacheforsearch‐intensiveenvironmentsis2:1ratio.Ensurethatsufficient

memoryisleftforotherprocesses.AvoidpageswappingevenifitmeansreducingtheFLAIMcache

sizes.

20 NetIQ eDirectory 8.8 SP8 Tuning Guide

BecauseFLAIMprovidespreallocatedcaching,memoryallocatedtotheeDirectorycacheisnever

fragmentedbythenativeoperatingsystemmemorymanager.

4.1.1 Choosing Indexes

Indexesaremeanttoimprovetheone‐levelorsub‐treescopedsearchperformance.Dynamicgroups

alsouseone‐levelorsub‐treescopedsearches.Indexesarenotusedforbase‐scopedsearches.

BecauseaPresenceindexdoesnotdifferent iat ebetweenpresentandnotpresent(deleted)values,itis

mainlyused

forinternalpurpose.IfapplicationsrunaPresencetypesearchquery,thisindexisnever

used,soapplicationsshouldnothavePresenceindexescreatedforthem.

ApplicationscancreateaValueindexforanattribute,whichissuffi cient formostofthesearches.

FLAIMcanuseaValueindexforperforming

bothPresenceaswellasSubstringsearchesonthe

attributes.

ASubstringindexcansignificantlydeceleratetheupdatesperformedonanattribute.Thenumberof

indexblocksrequiredtosupportaSubstringindexisquitelargecomparedtotheValueindex.This

meansmoreblockcacheisrequiredtocachethem.

CreateaSubstringindexonlywhennecessary.A

Valueindexshouldsufficeformostsearches.However,ifSubstringsearchesdonotyieldacceptable

performancewithaValueindex,youcan createaSubstringindexonthoseattributes.

Ifasearchoperationtakesalongtimetocompletedespitethechosenindex,

youmightintroducea

newervalueindexononeoftheattributesofthesearchfilter.Picktheattributethatyieldsbestresults

whenindexed.

4.1.2 Tuning for Updates

Theblockcacheismostusefulforupdateoperations.Indexesalsoresideintheblockcache.

Althoughindexeshelpinfastersearches,havingtoomanyindexeskeepstheserverbusy

maintainingthem.Indexesaremodifiedifattributevaluesaremodified,added,ordeleted.During

largeuploadoperations,indexescanbedisabled

forfasterupload.

HavingtheRFLdirectoryonadifferentdiskthantheDIBdirectoryimprovesperformance.

Anacceptablelimitforresponsetimeforanupdateoperationcanbecontrolledbyusingthe

maxdirtycache

.Forexample,ifanacceptablelimitfortheserverresponseis5secondsandrandom

diskwritespeedis20MBpersecond,thenthe

maxdirtycache

shouldbesetas20x5=100MB.

Ensurethattheblockcachecanholdthesedirtyblocksinmemory.SeeSection 5.2.2,“Modifying

FLAIMCacheSettingsthrough_ndsdb.ini,”onpage 29formoreinformation.

4.2 Thread Pool

Bydefault,themaximumnumberofthreadsthatcanbeavailableinthethreadpoolis256.This

numbershouldsufficeformostdeployments.Itcanbeincreas e dto512threadsinlarger

deployments.Youshouldincreasethenumberofthreadsinthepoolinthefollowingcases:

 Ifthenumber

ofidlethreadsisoftenzero.

 IftheaverageamountoftimespentbyataskintheReadyqueueishighandincreasing.

 IfthenumberoftasksintheReadyqueueishighandincreasing.

Keepincreasingthemaxthreadsiftheperformanceoftheserverincreases.Itshould

alsoresultin

increasedCPUutilization.

Page is loading ...

Novell eDirectory 8.8 User guide

Related papers

Other documents