RHEL 9.0 - Tuning Performance in Identity Management
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is
available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you
distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift,
Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States
and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and
other countries.
Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the
official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks
or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
Abstract
This documentation collection provides instructions for adjusting common performance settings in
Identity Management on Red Hat Enterprise Linux 9.
Table of Contents
MAKING OPEN SOURCE MORE INCLUSIVE
PROVIDING FEEDBACK ON RED HAT DOCUMENTATION
CHAPTER 1. IMPORTANT CONSIDERATIONS WHEN TUNING IDM
CHAPTER 2. HARDWARE RECOMMENDATIONS
CHAPTER 3. FAILOVER, LOAD-BALANCING, AND HIGH-AVAILABILITY IN IDM
3.1. CLIENT-SIDE FAILOVER CAPABILITY
3.2. SERVER-SIDE LOAD-BALANCING AND SERVICE AVAILABILITY
CHAPTER 4. OPTIMIZING THE REPLICA TOPOLOGY
4.1. DETERMINING THE APPROPRIATE NUMBER OF REPLICAS
4.2. CONNECTING THE REPLICAS IN A TOPOLOGY
4.3. REPLICA TOPOLOGY EXAMPLES
4.4. ADDITIONAL RESOURCES
CHAPTER 5. ADJUSTING THE SEARCH SIZE AND TIME LIMIT
5.1. ADJUSTING THE SEARCH SIZE AND TIME LIMIT IN THE COMMAND LINE
5.2. ADJUSTING THE SEARCH SIZE AND TIME LIMIT IN THE WEB UI
CHAPTER 6. ADJUSTING IDM DIRECTORY SERVER PERFORMANCE
6.1. ADJUSTING THE ENTRY CACHE SIZE
6.2. ADJUSTING THE DATABASE INDEX CACHE SIZE
6.3. RE-ENABLING DATABASE AND ENTRY CACHE AUTO-SIZING
6.4. ADJUSTING THE DN CACHE SIZE
6.5. ADJUSTING THE NORMALIZED DN CACHE SIZE
6.6. ADJUSTING THE MAXIMUM MESSAGE SIZE
6.7. ADJUSTING THE MAXIMUM NUMBER OF FILE DESCRIPTORS
6.8. ADJUSTING THE CONNECTION BACKLOG SIZE
6.9. ADJUSTING THE MAXIMUM NUMBER OF DATABASE LOCKS
6.10. ADJUSTING THE INPUT/OUTPUT BLOCK TIMEOUT
6.11. ADJUSTING THE IDLE CONNECTION TIMEOUT
6.12. ADJUSTING THE REPLICATION RELEASE TIMEOUT
6.13. INSTALLING AN IDM SERVER OR REPLICA WITH CUSTOM DATABASE SETTINGS FROM AN LDIF FILE
6.14. ADDITIONAL RESOURCES
CHAPTER 7. ADJUSTING THE PERFORMANCE OF THE KDC
7.1. ADJUSTING THE LENGTH OF THE KDC LISTEN QUEUE
7.2. OPTIONS CONTROLLING KDC BEHAVIOR PER REALM
7.3. ADJUSTING KDC SETTINGS PER REALM
7.4. ADJUSTING THE NUMBER OF KRB5KDC PROCESSES
7.5. ADDITIONAL RESOURCES
CHAPTER 8. TUNING SSSD PERFORMANCE FOR LARGE IDM-AD TRUST DEPLOYMENTS
8.1. TUNING SSSD IN IDM SERVERS FOR LARGE IDM-AD TRUST DEPLOYMENTS
8.2. TUNING THE CONFIG TIMEOUT FOR THE IPA-EXTDOM PLUGIN ON IDM SERVERS
8.3. TUNING THE MAXIMUM BUFFER SIZE FOR THE IPA-EXTDOM PLUGIN ON IDM SERVERS
8.4. TUNING THE MAXIMUM NUMBER OF INSTANCES FOR THE IPA-EXTDOM PLUGIN ON IDM SERVERS
8.5. TUNING SSSD IN IDM CLIENTS FOR LARGE IDM-AD TRUST DEPLOYMENTS
8.6. MOUNTING THE SSSD CACHE IN TMPFS
8.7. OPTIONS IN SSSD.CONF FOR TUNING IDM SERVERS AND CLIENTS FOR LARGE IDM-AD TRUST DEPLOYMENTS
8.7.1. Tuning options for IdM servers
8.7.2. Tuning options for IdM clients
8.8. ADDITIONAL RESOURCES
MAKING OPEN SOURCE MORE INCLUSIVE
The word master is being replaced with more precise language, depending on the context:
PROVIDING FEEDBACK ON RED HAT DOCUMENTATION
1. Make sure you are viewing the documentation in the Multi-page HTML format. In addition,
ensure you see the Feedback button in the upper right corner of the document.
2. Use your mouse cursor to highlight the part of text that you want to comment on.
3. Click the Add Feedback pop-up that appears below the highlighted text.
4. Fill in the Description field with your suggestion for improvement. Include a link to the
relevant part(s) of documentation.
CHAPTER 1. IMPORTANT CONSIDERATIONS WHEN TUNING IDM
CHAPTER 2. HARDWARE RECOMMENDATIONS
For 10,000 users and 100 groups: at least 4 GB of RAM and 4 GB swap space
For 100,000 users and 50,000 groups: at least 16 GB of RAM and 4 GB of swap space
For larger deployments, it is more effective to increase the RAM than to increase disk space because
much of the data is stored in cache. In general, adding more RAM leads to better performance for larger
deployments due to caching.
NOTE
A basic user entry or a simple host entry with a certificate is approximately 5-10 kB in
size.
CHAPTER 3. FAILOVER, LOAD-BALANCING, AND HIGH-AVAILABILITY IN IDM
3.1. CLIENT-SIDE FAILOVER CAPABILITY
[domain/example.com]
id_provider = ipa
ipa_server = _srv_, server.example.com
...
If an IdM server goes offline, the SSSD service on the IdM client connects to another IdM server
it has automatically discovered.
If you prefer to bypass DNS lookups for performance reasons, remove the _srv_ entry from the
ipa_server parameter and specify which IdM servers the client should connect to, in order of
preference:
[domain/example.com]
id_provider = ipa
ipa_server = server1.example.com, server2.example.com
...
If you have a geographically dispersed network, you can shorten the path between IdM clients
and the nearest accessible server by configuring multiple IdM replicas per data center.
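The failover order described above, as an added example that is not part of the Red Hat guide: a Python helper that reads the ipa_server list from an sssd.conf domain section, replaces the _srv_ marker with an explicit ordered list of servers, and emulates the first-reachable selection that SSSD performs over that list. The configuration text and hostnames are constructed, and pick_server is a simplification: the real SSSD failover logic also tracks server health over time, expands _srv_ through DNS SRV records, and checks port reachability, none of which this offline helper does.

```python
# Added example (not from the Red Hat guide): rewriting the ipa_server
# setting of an sssd.conf domain section and showing the order in which
# SSSD tries the listed servers.  Hostnames and the config text are constructed.
import configparser
import io

# Constructed sssd.conf fragment in the form shown in the guide.
SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
ipa_server = _srv_, server.example.com
ipa_domain = example.com
"""

SRV_MARKER = "_srv_"   # tells SSSD to discover servers through DNS SRV records


def _load(conf_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep option names exactly as written
    parser.read_string(conf_text)
    return parser


def ipa_server_list(conf_text, domain):
    """Return the ipa_server entries for a domain section, in configured order."""
    parser = _load(conf_text)
    raw = parser.get(f"domain/{domain}", "ipa_server", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def uses_srv_discovery(conf_text, domain):
    """True when the _srv_ marker is present, i.e. DNS lookups are used to find servers."""
    return SRV_MARKER in ipa_server_list(conf_text, domain)


def set_static_servers(conf_text, domain, servers):
    """Replace ipa_server with an explicit, ordered list (bypassing DNS lookups).

    The first entry is the preferred server; the others are failover targets.
    """
    if not servers:
        raise ValueError("at least one IdM server is required")
    parser = _load(conf_text)
    parser.set(f"domain/{domain}", "ipa_server", ", ".join(servers))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def pick_server(servers, reachable):
    """Emulate the ordered failover: the first configured server that is reachable.

    _srv_ is skipped because this offline helper cannot resolve SRV records;
    SSSD would expand that marker into discovered servers first.
    """
    for server in servers:
        if server != SRV_MARKER and server in reachable:
            return server
    return None


if __name__ == "__main__":
    domain = "example.com"
    print("SRV discovery in use:", uses_srv_discovery(SSSD_CONF, domain))
    static = set_static_servers(SSSD_CONF, domain,
                                ["server1.example.com", "server2.example.com"])
    print(static)
    # server1 is down in this constructed scenario, so server2 is chosen
    print("chosen:", pick_server(ipa_server_list(static, domain),
                                 {"server2.example.com"}))
```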
3.2. SERVER-SIDE LOAD-BALANCING AND SERVICE AVAILABILITY
The IdM replication mechanism provides active/active service availability: services at all IdM
replicas are readily available at the same time.
NOTE
Red Hat recommends against combining IdM and other load-balancing or high-availability
(HA) software.
Many third-party high availability solutions assume active/passive scenarios and cause
unnecessary service interruption to IdM availability. Other solutions use virtual IPs or a
single hostname per clustered service. All these methods do not typically work well with
the type of service availability provided by the IdM solution. They also integrate very
poorly with Kerberos, decreasing the overall security and stability of the deployment.
CHAPTER 4. OPTIMIZING THE REPLICA TOPOLOGY
4.2. CONNECTING THE REPLICAS IN A TOPOLOGY
NOTE
There are two exceptions to the limit of four replication agreements per replica:
You want failover paths if certain replicas are not online or responding.
In larger deployments, you want additional direct links between specific nodes.
Configuring a high number of replication agreements can have a negative impact on overall
performance: when multiple replication agreements in the topology are sending updates, certain
replicas can experience a high contention on the changelog database file between incoming updates
and the outgoing updates.
If you decide to use more replication agreements per replica, ensure that you do not experience
replication issues and latency. However, note that large distances and high numbers of intermediate
nodes can also cause latency problems.
4.3. REPLICA TOPOLOGY EXAMPLES
Replica Topology Example 1 shows four data centers, each with four servers. The servers are connected
with replication agreements.
Replica Topology Example 2 shows three data centers, each with a different number of servers. The
servers are connected with replication agreements.
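The topology rules from this chapter, checked in code as an added example that is not part of the Red Hat guide: at most four replication agreements per replica, and enough redundancy that no single replica or single agreement partitions the topology when it goes offline. The four-data-center topology below is constructed in the spirit of Example 1 (four data centers, four servers each); the server names, the ring layout inside each data center and the two inter-data-center links per data center are assumptions, not the guide's diagram.

```python
# Added example (not from the Red Hat guide): checking a replica topology
# against the guide's rules.  Replica names and the sample layout are constructed.
from collections import defaultdict

MAX_AGREEMENTS = 4   # guide: at most four replication agreements per replica


def build_topology(agreements):
    """Adjacency map from a list of (replica_a, replica_b) replication agreements."""
    adj = defaultdict(set)
    for a, b in agreements:
        if a == b:
            raise ValueError(f"replica {a} cannot have an agreement with itself")
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)


def agreements_of(adj):
    """Sorted, de-duplicated list of agreements as (a, b) pairs."""
    return sorted({tuple(sorted((a, b))) for a in adj for b in adj[a]})


def _connected(adj, skip=None):
    """True when every replica other than `skip` can still reach every other one."""
    nodes = [n for n in adj if n != skip]
    if not nodes:
        return True
    seen, stack = {nodes[0]}, [nodes[0]]
    while stack:
        for peer in adj[stack.pop()]:
            if peer != skip and peer not in seen:
                seen.add(peer)
                stack.append(peer)
    return len(seen) == len(nodes)


def overloaded_replicas(adj, limit=MAX_AGREEMENTS):
    """Replicas with more agreements than the recommended maximum."""
    return sorted(r for r, peers in adj.items() if len(peers) > limit)


def single_points_of_failure(adj):
    """Replicas whose outage would leave the remaining replicas partitioned."""
    return [r for r in sorted(adj) if not _connected(adj, skip=r)]


def bridge_agreements(adj):
    """Agreements with no alternative path: losing one of these partitions the topology."""
    bridges = []
    for a, b in agreements_of(adj):
        trimmed = {n: set(p) for n, p in adj.items()}
        trimmed[a].discard(b)
        trimmed[b].discard(a)
        if not _connected(trimmed):
            bridges.append((a, b))
    return bridges


def report(adj):
    return {
        "replicas": len(adj),
        "agreements": len(agreements_of(adj)),
        "overloaded": overloaded_replicas(adj),
        "single_points_of_failure": single_points_of_failure(adj),
        "bridge_agreements": bridge_agreements(adj),
    }


def four_data_centers():
    """Constructed topology: four data centers with four servers each.

    Inside a data center the servers form a ring; srv1 and srv3 of each data
    center also link to srv1 and srv3 of the next one, so every replica has at
    most four agreements and every replica has at least two.
    """
    agreements = []
    dcs = 4
    for dc in range(1, dcs + 1):
        srv = [f"dc{dc}-srv{j}" for j in range(1, 5)]
        for j in range(4):                       # ring: srv1-srv2-srv3-srv4-srv1
            agreements.append((srv[j], srv[(j + 1) % 4]))
        nxt = dc % dcs + 1                       # two independent links to the next DC
        agreements.append((srv[0], f"dc{nxt}-srv1"))
        agreements.append((srv[2], f"dc{nxt}-srv3"))
    return build_topology(agreements)


if __name__ == "__main__":
    print(report(four_data_centers()))
    # A hub with five spokes breaks both rules: too many agreements and a single point of failure.
    print(report(build_topology([("hub", f"spoke{i}") for i in range(1, 6)])))
```

Run the file and compare the two reports: the constructed mesh shows no overloaded replica, no single point of failure and no bridge agreement, while the hub-and-spoke layout fails on all three counts.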
CHAPTER 5. ADJUSTING THE SEARCH SIZE AND TIME LIMIT
If you set the values to -1, IdM will not apply any limits when searching.
IMPORTANT
Setting search size or time limits too high can negatively affect server performance.
5.1. ADJUSTING THE SEARCH SIZE AND TIME LIMIT IN THE COMMAND LINE
The following procedure describes adjusting search size and time limits in the command line:
Globally
Procedure
1. To display current search time and size limits in CLI, use the ipa config-show command:
$ ipa config-show
2. To adjust the limits globally for all queries, use the ipa config-mod command and add the
--searchrecordslimit and --searchtimelimit options. For example:
3. To temporarily adjust the limits only for a specific query, add the --sizelimit or --timelimit
options to the command. For example:
5.2. ADJUSTING THE SEARCH SIZE AND TIME LIMIT IN THE WEB UI
The following procedure describes adjusting global search size and time limits in the IdM Web UI.
Procedure
CHAPTER 6. ADJUSTING IDM DIRECTORY SERVER PERFORMANCE
To adjust how the Directory Server caches data, see the following procedures:
To adjust the Directory Server’s resource limits, see the following procedures:
To adjust timeouts that have the most influence on performance, see the following procedures:
To install an IdM server or replica with custom Directory Server settings from an LDIF file, see the
following procedure:
Installing an IdM server or replica with custom database-settings from an LDIF file
6.1. ADJUSTING THE ENTRY CACHE SIZE
IMPORTANT
Red Hat recommends using the built-in cache auto-sizing feature for optimized
performance. Only change this value if you need to purposely deviate from the auto-tuned
values.
The nsslapd-cachememsize attribute specifies the size, in bytes, for the available memory space for
the entry cache. This attribute is one of the most important values for controlling how much physical
RAM the directory server uses.
If the entry cache size is too small, you might see the following error in the Directory Server error logs in
the /var/log/dirsrv/slapd-INSTANCE-NAME/errors log file:
REASON: entry too large (83886080 bytes) for the import buffer size (67108864 bytes). Try
increasing nsslapd-cachememsize.
Red Hat recommends fitting the entry cache and the database index entry cache in memory.
Prerequisites
Procedure
This command displays the name of the back end database next to each suffix. Use the suffix’s
database name in the next step.
3. Set the entry cache size for the database. This example sets the entry cache for the userroot
database to 2 gigabytes.
5. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat
this procedure and adjust cache-memsize to a different value, or re-enable cache auto-sizing.
Verification steps
Display the value of the nsslapd-cachememsize attribute and verify it has been set to your
desired value.
Additional resources
6.2. ADJUSTING THE DATABASE INDEX CACHE SIZE
IMPORTANT
Red Hat recommends using the built-in cache auto-sizing feature for optimized
performance. Only change this value if you need to purposely deviate from the auto-tuned
values.
The nsslapd-dbcachesize attribute controls the amount of memory the database indexes use. This
cache size has less of an impact on Directory Server performance than the entry cache size does, but if
there is available RAM after the entry cache size is set, Red Hat recommends increasing the amount of
memory allocated to the database cache.
The database cache is limited to 1.5 GB RAM because higher values do not improve performance.
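A rough sizing calculation for the two caches described in this section and the previous one, as an added example that is not part of the Red Hat guide. It uses the guide's own figures (a basic entry is about 5-10 kB, the database cache tops out at 1.5 GB, and both caches should fit in memory); the 25% head-room factor, the practice of treating group entries as if they were basic entries, and the sample deployment sizes are assumptions, since large groups with many members are bigger than a basic entry.

```python
# Added example (not from the Red Hat guide): estimating nsslapd-cachememsize
# and nsslapd-dbcachesize from the guide's figures.  Head-room and sample
# deployment numbers are assumptions.
KB = 1024
MB = 1024 * KB
GB = 1024 * MB

ENTRY_SIZE_LOW = 5 * KB            # guide: a basic entry is roughly 5-10 kB
ENTRY_SIZE_HIGH = 10 * KB
DB_CACHE_CEILING = int(1.5 * GB)   # guide: larger database cache values do not help


def entry_cache_size(entries, avg_entry_bytes=ENTRY_SIZE_HIGH, headroom=1.25):
    """Bytes needed for the entry cache to hold every entry.

    headroom (assumed 25%) leaves room for growth and per-entry overhead;
    the default entry size is the top of the guide's 5-10 kB range.
    """
    if entries < 0 or avg_entry_bytes <= 0 or headroom < 1:
        raise ValueError("entries >= 0, entry size > 0 and headroom >= 1 required")
    return int(entries * avg_entry_bytes * headroom)


def db_cache_size(free_ram_bytes, entry_cache_bytes):
    """Database cache: RAM left after the entry cache, capped at the 1.5 GB ceiling."""
    remaining = free_ram_bytes - entry_cache_bytes
    if remaining <= 0:
        return 0
    return min(remaining, DB_CACHE_CEILING)


def plan(users, hosts, groups, free_ram_bytes):
    """Sizing plan plus a flag telling whether both caches fit in the RAM available."""
    entries = users + hosts + groups          # groups counted as basic entries (assumption)
    entry_cache = entry_cache_size(entries)
    db_cache = db_cache_size(free_ram_bytes, entry_cache)
    fits = db_cache > 0 and entry_cache + db_cache <= free_ram_bytes
    return {
        "entries": entries,
        "nsslapd-cachememsize": entry_cache,
        "nsslapd-dbcachesize": db_cache,
        "fits_in_ram": fits,
    }


def human(n):
    return f"{n / GB:.2f} GB" if n >= GB else f"{n / MB:.0f} MB"


if __name__ == "__main__":
    # Constructed deployment close to the guide's larger sizing tier.
    p = plan(users=100_000, hosts=20_000, groups=50_000, free_ram_bytes=16 * GB)
    for key, value in p.items():
        print(key, human(value) if key.startswith("nsslapd") else value)
```

When fits_in_ram is False the deployment needs more RAM rather than disk, which is the point the hardware chapter makes; shrinking the entry cache below the working set only moves the cost to disk reads.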
Prerequisites
Procedure
1. Disable automatic cache tuning, and set the database cache size. This example sets the
database cache to 256 megabytes.
3. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat
this procedure and adjust dbcachesize to a different value, or re-enable cache auto-sizing.
Verification steps
Display the value of the nsslapd-dbcachesize attribute and verify it has been set to your
desired value.
Additional resources
6.3. RE-ENABLING DATABASE AND ENTRY CACHE AUTO-SIZING
IMPORTANT
Red Hat recommends using the built-in cache auto-sizing feature for optimized
performance. Red Hat does not recommend setting cache sizes manually.
By default, the IdM Directory Server automatically determines the optimal size for the database cache
and entry cache. Auto-sizing sets aside a portion of free RAM and optimizes the size of both caches
based on the hardware resources of the server when the instance starts.
Use this procedure to undo custom database cache and entry cache values and restore the cache auto-
sizing feature to its default values.
Default value: 25 (25% for the database cache, 60% for the entry cache)
Prerequisites
Procedure
a. Set the percentage of free system RAM to use for the database and entry caches back to
the default of 10% of free RAM.
nsslapd-cache-autosize: 10
b. Set the percentage used from the free system RAM for the database cache to the default
of 25%:
nsslapd-cache-autosize-split: 25
Verification steps
Additional resources
6.4. ADJUSTING THE DN CACHE SIZE
IMPORTANT
Red Hat recommends using the built-in cache auto-sizing feature for optimized
performance. Only change this value if you need to purposely deviate from the auto-tuned
values.
The nsslapd-dncachememsize attribute specifies the size, in bytes, for the available memory space for
the Distinguished Names (DN) cache. The DN cache is similar to the entry cache for a database, but its
table stores only the entry ID and the entry DN, which allows faster lookups for rename and moddn
operations.
Prerequisites
Procedure
1. (Optional) Display the database suffixes and their corresponding database names.
This command displays the name of the back end database next to each suffix. Use the suffix’s
database name in the next step.
2. Set the DN cache size for the database. This example sets the DN cache to 20 megabytes.
4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat
this procedure and adjust dncache-memsize to a different value, or back to the default of 10
MB.
Verification steps
Display the new value of the nsslapd-dncachememsize attribute and verify it has been set to
your desired value.
Additional resources
6.5. ADJUSTING THE NORMALIZED DN CACHE SIZE
IMPORTANT
Red Hat recommends using the built-in cache auto-sizing feature for optimized
performance. Only change this value if you need to purposely deviate from the auto-tuned
values.
The nsslapd-ndn-cache-max-size attribute controls the size, in bytes, of the cache that stores
normalized distinguished names (NDNs). Increasing this value will retain more frequently used DNs in
memory.
Prerequisites
Procedure
2. Retrieve the current value of the nsslapd-ndn-cache-max-size parameter and make a note of
it before making any adjustments, in case it needs to be restored. Enter the Directory Manager
password when prompted.
3. Modify the value of the nsslapd-ndn-cache-max-size attribute. This example increases the
value to 41943040 (40 MB).
4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat
this procedure and adjust nsslapd-ndn-cache-max-size to a different value, or re-enable
cache auto-sizing.
Verification steps
Display the new value of the nsslapd-ndn-cache-max-size attribute and verify it has been set
to your desired value.
Additional resources
6.6. ADJUSTING THE MAXIMUM MESSAGE SIZE
If the maximum message size is too small, you might see the following error in the Directory Server error
logs at /var/log/dirsrv/slapd-INSTANCE-NAME/errors:
Incoming BER Element was too long, max allowable is 2097152 bytes. Change the
nsslapd-maxbersize attribute in cn=config to increase.
The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and
if the entry in the request is larger than the configured value or the default, then the add request is
denied. However, the limit is not applied to replication processes. Be cautious before changing this
attribute.
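Detecting the two error messages this chapter quotes, as an added example that is not part of the Red Hat guide: a Python scanner that reads a Directory Server errors log, recognizes the "entry too large" message from section 6.1 and the "Incoming BER Element was too long" message from this section, extracts the byte values they report, and maps each to the attribute the guide says to raise. The log lines are constructed (the timestamp prefix imitates the 389-ds format but is not taken from the guide), and the doubling rule in recommendations() is an assumed starting point, not a value from the guide: for the entry cache the real target is the working set size from the sizing estimate, and raising nsslapd-maxbersize should be weighed against the caution above, since the limit is what stops oversized requests from consuming server memory.

```python
# Added example (not from the Red Hat guide): scanning a 389-ds errors log for
# the two messages quoted in this chapter.  Log lines are constructed.
import re

PATTERNS = [
    # section 6.1: entry cache too small
    (re.compile(r"entry too large \((\d+) bytes\) for the import buffer size \((\d+) bytes\)"),
     "nsslapd-cachememsize"),
    # section 6.6: maximum message size too small
    (re.compile(r"Incoming BER Element was too long, max allowable is (\d+) bytes"),
     "nsslapd-maxbersize"),
]

SAMPLE_LOG = """\
[10/Jan/2024:10:01:02.123456789 +0000] - INFO - slapd_daemon - slapd started.
[10/Jan/2024:10:05:17.000000000 +0000] - ERR - import_producer - REASON: entry too large (83886080 bytes) for the import buffer size (67108864 bytes). Try increasing nsslapd-cachememsize.
[10/Jan/2024:10:07:40.000000000 +0000] - ERR - connection - conn=12 fd=64 Incoming BER Element was too long, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[10/Jan/2024:10:07:41.000000000 +0000] - ERR - connection - conn=13 fd=65 Incoming BER Element was too long, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
"""


def scan(log_text):
    """Return {attribute: {"count", "needed", "current"}} for every message matched.

    needed  - largest size that failed (only the entry-cache message reports it)
    current - the configured limit as printed in the message
    """
    findings = {}
    for line in log_text.splitlines():
        for pattern, attribute in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            f = findings.setdefault(attribute, {"count": 0, "needed": 0, "current": 0})
            f["count"] += 1
            if attribute == "nsslapd-cachememsize":
                f["needed"] = max(f["needed"], int(m.group(1)))
                f["current"] = int(m.group(2))
            else:
                f["current"] = int(m.group(1))
    return findings


def recommendations(findings, growth=2):
    """Assumed starting point: `growth` times the larger of the failing size and the limit."""
    return {attribute: max(f["needed"], f["current"]) * growth
            for attribute, f in findings.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for attribute, f in found.items():
        print(f"{attribute}: {f['count']} hit(s), limit {f['current']} bytes,"
              f" largest failing size {f['needed'] or 'n/a'}")
    print("suggested:", recommendations(found))
```

A hit count that keeps growing after a change is the signal to revisit the value; a handful of BER-size hits from a single connection may instead point at one misbehaving client rather than a limit that is too low.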
Prerequisites
Procedure
1. Retrieve the current value of the nsslapd-maxbersize parameter and make a note of it before
making any adjustments, in case it needs to be restored. Enter the Directory Manager password
when prompted.
2. Modify the value of the nsslapd-maxbersize attribute. This example increases the value to
419430400.
4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat
this procedure and adjust nsslapd-maxbersize to a different value, or back to the default of
209715200.
Verification steps
Display the value of the nsslapd-maxbersize attribute and verify it has been set to your desired
value.
Additional resources
6.7. ADJUSTING THE MAXIMUM NUMBER OF FILE DESCRIPTORS
If you set the nsslapd-maxdescriptors value higher than the total number of file descriptors that the
operating system allows the ns-slapd process to use, the Directory Server queries the operating system
for the maximum allowable value, and then uses that value.
Prerequisites
Procedure
1. Retrieve the current value of the nsslapd-maxdescriptors parameter and make a note of it
before making any adjustments, in case it needs to be restored. Enter the Directory Manager
password when prompted.
2. Modify the value of the nsslapd-maxdescriptors attribute. This example increases the value to
8192.
4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat
this procedure and adjust nsslapd-maxdescriptors to a different value, or back to the default
of 4096.
Verification steps
Display the value of the nsslapd-maxdescriptors attribute and verify it has been set to your
desired value.
nsslapd-maxdescriptors: 8192
Additional resources
6.8. ADJUSTING THE CONNECTION BACKLOG SIZE
If your IdM environment handles a large amount of connections, consider increasing the value of
nsslapd-listen-backlog-size.
Prerequisites
Procedure
1. Retrieve the current value of the nsslapd-listen-backlog-size parameter and make a note of it
before making any adjustments, in case it needs to be restored. Enter the Directory Manager
password when prompted.
2. Modify the value of the nsslapd-listen-backlog-size attribute. This example increases the value
to 192.
Verification steps
Display the value of the nsslapd-listen-backlog-size attribute and verify it has been set to your
desired value.
Additional resources
6.9. ADJUSTING THE MAXIMUM NUMBER OF DATABASE LOCKS
Increase the maximum number of locks if you see the following error messages in the
/var/log/dirsrv/slapd-instance_name/errors log file:
Prerequisites
Procedure
1. Retrieve the current value of the nsslapd-db-locks parameter and make a note of it before
making any adjustments, in case it needs to be restored.
2. Modify the value of the locks attribute. This example doubles the value to 100000 locks.
Verification steps
Display the value of the nsslapd-db-locks attribute and verify it has been set to your desired
value.
Additional resources
6.10. ADJUSTING THE INPUT/OUTPUT BLOCK TIMEOUT
Prerequisites
Procedure
1. Retrieve the current value of the nsslapd-ioblocktimeout parameter and make a note of it
before making any adjustments, in case it needs to be restored. Enter the Directory Manager
password when prompted.
2. Modify the value of the nsslapd-ioblocktimeout attribute. This example lowers the value to
8000.
4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat
this procedure and adjust nsslapd-ioblocktimeout to a different value, or back to the default
of 10000.
Verification steps
Display the value of the nsslapd-ioblocktimeout attribute and verify it has been set to your
desired value.
Additional resources
6.11. ADJUSTING THE IDLE CONNECTION TIMEOUT
Red Hat recommends adjusting this value so stale connections are closed, but active connections are
not closed prematurely.
Prerequisites
Procedure
1. Retrieve the current value of the nsslapd-idletimeout parameter and make a note of it before
making any adjustments, in case it needs to be restored. Enter the Directory Manager password
when prompted.
get nsslapd-idletimeout
Enter password for cn=Directory Manager on ldap://server.example.com:
nsslapd-idletimeout: 3600
2. Modify the value of the nsslapd-idletimeout attribute. This example lowers the value to 1800
(30 minutes).
4. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat
this procedure and adjust nsslapd-idletimeout to a different value, or back to the default of
3600.
Verification steps
Display the value of the nsslapd-idletimeout attribute and verify it has been set to your desired
value.
Additional resources
6.12. ADJUSTING THE REPLICATION RELEASE TIMEOUT
You can release a replica after a fixed amount of time by adjusting the repl-release-timeout parameter.
Red Hat recommends setting this value between 30 and 120:
If the value is set too low, replicas are constantly reacquiring one another and replicas are not
able to send larger updates.
A longer timeout can improve high-traffic situations where it is best if a server exclusively
accesses a replica for longer amounts of time, but a value higher than 120 seconds slows down
replication.
Prerequisites
Procedure
This command displays the names of the back end databases next to their suffix. Use the suffix
name in the next step.
2. Modify the value of the repl-release-timeout attribute for the main userroot database. This
example increases the value to 90 seconds.
4. (Optional) If your IdM environment uses the IdM Certificate Authority (CA), you can modify the
value of the repl-release-timeout attribute for the CA database. This example increases the
value to 90 seconds.
6. Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat
this procedure and adjust repl-release-timeout to a different value, or back to the default of 60
seconds.
Verification steps
Display the value of the nsds5ReplicaReleaseTimeout attribute and verify it has been set to
your desired value.
NOTE
The Distinguished Name of the suffix in this example is dc=example,dc=com, but the
equals sign (=) and comma (,) must be escaped in the ldapsearch command.
\3D replacing =
\2C replacing ,
Additional resources
6.13. INSTALLING AN IDM SERVER OR REPLICA WITH CUSTOM DATABASE SETTINGS FROM AN LDIF FILE
Prerequisites
You have determined custom Directory Server settings that improve the performance of your
IdM environment. See Adjusting IdM Directory Server performance.
Procedure
1. Create a text file in LDIF format with your custom database settings. Separate LDAP attribute
modifications with a dash (-). This example sets non-default values for the idle timeout and
maximum file descriptors.
dn: cn=config
changetype: modify
replace: nsslapd-idletimeout
nsslapd-idletimeout=1800
-
replace: nsslapd-maxdescriptors
nsslapd-maxdescriptors=8192
2. Use the --dirsrv-config-file parameter to pass the LDIF file to the installation script.
Additional resources
CHAPTER 7. ADJUSTING THE PERFORMANCE OF THE KDC
7.1. ADJUSTING THE LENGTH OF THE KDC LISTEN QUEUE
Default value: 5
Valid range: 1 - 10
Procedure
[kdcdefaults]
...
kdc_tcp_listen_backlog = 7
7.2. OPTIONS CONTROLLING KDC BEHAVIOR PER REALM
disable_last_success
If set to true, this option suppresses KDC updates to the Last successful authentication field of
principal entries requiring preauthentication.
disable_lockout
If set to true, this option suppresses KDC updates to the Last failed authentication and Failed
password attempts fields of principal entries requiring preauthentication. Setting this flag may
improve performance, but disabling account lockout may be considered a security risk.
Additional resources
7.3. ADJUSTING KDC SETTINGS PER REALM
Procedure
2. Specify any options and their desired values within the [dbmodules] section, and in the
respective Kerberos realm. In this example, you are setting the disable_last_success variable
for the EXAMPLE.COM Kerberos realm.
[dbmodules]
EXAMPLE.COM = {
disable_last_success = true
}
Additional resources
7.4. ADJUSTING THE NUMBER OF KRB5KDC PROCESSES
By default, the IdM installer detects the number of CPU cores and enters the value in the
/etc/sysconfig/krb5kdc file. For example, the file might contain the following entry:
KRB5KDC_ARGS='-w 2'
[...]
In this example, with the KRB5KDC_ARGS parameter set to -w 2, the KDC starts two separate
processes to handle incoming connections from the main process. You might want to adjust this value,
especially in virtual environments where you can easily add or remove the number of virtual CPUs based
on your requirements. To prevent performance issues or even IdM servers becoming unresponsive due
to an ever-increasing TCP/IP queue on port 88, simulate a higher number of processes by manually
setting the KRB5KDC_ARGS parameter to a higher value.
Procedure
2. Specify the value of the KRB5KDC_ARGS parameter. In this example, you are setting the
number of processes to 10:
KRB5KDC_ARGS='-w 10'
[...]
# systemctl daemon-reload
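The two KDC settings from this chapter handled in code, as an added example that is not part of the Red Hat guide: a Python helper that reads the -w worker count out of a /etc/sysconfig/krb5kdc-style KRB5KDC_ARGS line, rewrites it to a new value, compares the configured count with the CPU count the installer would have detected, and validates kdc_tcp_listen_backlog against the 1-10 range given in section 7.1. The file contents are constructed strings; nothing here restarts krb5kdc, so the daemon-reload and restart steps from the procedure still apply after writing the file.

```python
# Added example (not from the Red Hat guide): KRB5KDC_ARGS worker count and
# kdc_tcp_listen_backlog range checks.  File contents are constructed.
import os
import re
import shlex

SYSCONFIG = """\
# constructed /etc/sysconfig/krb5kdc
KRB5KDC_ARGS='-w 2'
"""

ARGS_RE = re.compile(r"^KRB5KDC_ARGS=(.*)$", re.MULTILINE)


def kdc_workers(sysconfig_text):
    """Return the -w value from KRB5KDC_ARGS, or None when no worker count is set."""
    m = ARGS_RE.search(sysconfig_text)
    if not m:
        return None
    args = shlex.split(m.group(1))          # handles the quotes around '-w 2'
    for i, arg in enumerate(args):
        if arg == "-w" and i + 1 < len(args):
            return int(args[i + 1])
        if arg.startswith("-w") and len(arg) > 2:   # the joined "-w4" form
            return int(arg[2:])
    return None


def set_kdc_workers(sysconfig_text, workers):
    """Rewrite (or append) KRB5KDC_ARGS so the KDC starts `workers` processes."""
    if workers < 1:
        raise ValueError("the KDC needs at least one worker process")
    line = f"KRB5KDC_ARGS='-w {workers}'"
    if ARGS_RE.search(sysconfig_text):
        return ARGS_RE.sub(line, sysconfig_text)
    return sysconfig_text.rstrip("\n") + "\n" + line + "\n"


def workers_match_cpus(sysconfig_text, cpus=None):
    """True when the configured count equals the CPU count the installer would detect."""
    cpus = cpus if cpus is not None else (os.cpu_count() or 1)
    return kdc_workers(sysconfig_text) == cpus


def valid_listen_backlog(value):
    """kdc_tcp_listen_backlog must be an integer within the guide's range of 1-10."""
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 10


if __name__ == "__main__":
    print("configured workers:", kdc_workers(SYSCONFIG))
    print("matches this host's CPU count:", workers_match_cpus(SYSCONFIG))
    print(set_kdc_workers(SYSCONFIG, 10))
    for candidate in (0, 7, 11):
        print(f"kdc_tcp_listen_backlog = {candidate}: valid={valid_listen_backlog(candidate)}")
```

Comparing the configured worker count with the CPU count is what you would do after resizing a virtual machine, which is the situation this section calls out; the helper only reports the mismatch, and the decision to raise -w above the core count stays with the administrator.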
CHAPTER 8. TUNING SSSD PERFORMANCE FOR LARGE IDM-AD TRUST DEPLOYMENTS
8.1. TUNING SSSD IN IDM SERVERS FOR LARGE IDM-AD TRUST DEPLOYMENTS
Prerequisites
Procedure
2. Add the following options to the [domain] section for your Active Directory domain. If you do
not already have a domain section for your AD domain, create one.
[domain/ad.example.com]
ignore_group_members = true
subdomain_inherit = ignore_group_members
...
Additional resources
Options for tuning SSSD in IdM servers and clients for large IdM-AD trust deployments
8.2. TUNING THE CONFIG TIMEOUT FOR THE IPA-EXTDOM PLUGIN ON IDM SERVERS
The ipa-extdom plug-in sends a request to SSSD for the data about AD users. If the information is not
in the SSSD cache, SSSD requests the data from an AD domain controller (DC). You can adjust the
config timeout value, which defines how long the ipa-extdom plug-in waits for a reply from SSSD
before the plug-in cancels the connection and returns a timeout error to the caller. The default value is
10000 milliseconds (10 seconds).
The following example adjusts the config timeout to 20 seconds (20000 milliseconds).
WARNING
If you set a value that is too small, such as 500 milliseconds, SSSD might
not have enough time to reply and requests will always return a timeout.
If you set a value that is too large, such as 30000 milliseconds (30
seconds), a single request might block the connection to SSSD for this
amount of time. Because only one thread can connect to SSSD at a time, all
other requests from the plug-in have to wait.
If there are many requests sent by IdM clients, they can block all available
workers configured for the Directory Server on the IdM server. As a
consequence, the server might not be able to reply to any kind of request
for some time.
If IdM clients frequently receive timeout errors before their own search
timeout is reached when requesting information about AD users and
groups, the config timeout value is too small.
If the Directory Server on the IdM server is often locked and the pstack
utility reports that many or all worker threads are handling ipa-extdom
requests at this time, the value is too large.
Prerequisites
Procedure
Use the following command to adjust the config timeout to 20000 milliseconds:
8.3. TUNING THE MAXIMUM BUFFER SIZE FOR THE IPA-EXTDOM PLUGIN ON IDM SERVERS
You can tune the maximum buffer size for the ipa-extdom plugin, which adjusts the size of the buffer
where SSSD can store the data it receives. If the buffer is too small, SSSD returns an ERANGE error
and the plug-in retries the request with a larger buffer. The default buffer size is 134217728 bytes
(128 MB).
The following example adjusts the maximum buffer size to 256 MB (268435456 bytes).
Prerequisites
Procedure
Use the following command to set the maximum buffer size to 268435456 bytes:
8.4. TUNING THE MAXIMUM NUMBER OF INSTANCES FOR THE IPA-EXTDOM PLUGIN ON IDM SERVERS
By default, the ipa-extdom plugin is configured to use up to 80% of the LDAP worker threads to handle
requests from IdM clients. If the SSSD service on an IdM client has requested a large amount of
information about AD trust users and groups, this operation can halt the LDAP service if it uses most of
the LDAP threads. If you experience these issues, you might see similar errors in the SSSD log file for
your AD domain, /var/log/sssd/sssd_your-ad-domain-name.com.log:
You can adjust the maximum number of ipa-extdom instances by setting the value for the
ipaExtdomMaxInstances option, which must be an integer larger than 0 and less than the total number
of worker threads.
Prerequisites
Procedure
CHAPTER 8. TUNING SSSD PERFORMANCE FOR LARGE IDM-AD TRUST DEPLOYMENTS
2. Adjust the maximum number of instances. This example changes the value to 14:
3. Monitor the IdM directory server’s performance and if it does not improve, repeat this procedure
and adjust the value of the ipaExtdomMaxInstances variable.
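The three ipa-extdom settings above (config timeout, maximum buffer size, maximum instances) are all changed in the plug-in's configuration entry with ldapmodify. The following helper, added here as an example and not taken from the Red Hat guide, checks a proposed ipaExtdomMaxInstances value against the constraint the guide states (greater than 0, less than the worker thread count) and prints the LDIF for the change; the plug-in DN and the nsslapd-threadnumber attribute are my assumptions about the IdM Directory Server layout, to be confirmed with ldapsearch on your own server.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: validate and prepare an
# ipa-extdom plug-in setting before applying it with ldapmodify.

# Assumed location of the plug-in entry; confirm with:
#   ldapsearch -H ldapi://... -D "cn=Directory Manager" -W -b cn=config \
#       '(cn=ipa_extdom_extop)'
EXTDOM_DN='cn=ipa_extdom_extop,cn=plugins,cn=config'

# extdom_validate_instances N THREADS: exit 0 only when N is an integer
# and 0 < N < THREADS, the range the guide gives for ipaExtdomMaxInstances.
# THREADS is the Directory Server worker count, which I assume is readable
# as nsslapd-threadnumber in the cn=config entry.
extdom_validate_instances() {
    n=$1; threads=$2
    case $n in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric input
    esac
    [ "$n" -gt 0 ] && [ "$n" -lt "$threads" ]
}

# extdom_ldif ATTRIBUTE VALUE: print ldapmodify input that replaces one
# attribute on the plug-in entry. ipaExtdomMaxInstances is named in the
# guide; the timeout and buffer-size attributes are, to my knowledge,
# ipaExtdomMaxNssTimeout and ipaExtdomMaxNssBufSize (assumption, verify).
extdom_ldif() {
    attr=$1; value=$2
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$EXTDOM_DN" "$attr" "$attr" "$value"
}

# Typical use on the IdM server (not run here):
#   threads=16   # value of nsslapd-threadnumber
#   extdom_validate_instances 14 "$threads" \
#       && extdom_ldif ipaExtdomMaxInstances 14 \
#          | ldapmodify -D "cn=Directory Manager" -W -H ldapi://...
```

After changing the value, re-check the server with pstack as described above; the validation only guarantees the value is in range, not that it is the right size for your load.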
Prerequisites
Procedure
b. Measure how long it takes to log in as an AD user with the time command. In this example,
from the IdM client client.example.com, log into the same host as the user ad-user from
the ad.example.com AD domain.
Password:
Last login: Sat Jan 23 06:29:54 2021 from 10.0.2.15
[ad-user@ad.example.com@client ~]$
d. Log out as soon as possible to display elapsed time. In this example, a single un-cached login
takes about 9 seconds.
real 0m8.755s
user 0m0.017s
sys 0m0.013s
3. Add the following options to the [domain] section for your Active Directory domain. Set the
pam_id_timeout and krb5_auth_timeout options to the number of seconds an un-cached login
takes. If you do not already have a domain section for your AD domain, create one.
[domain/example.com/ad.example.com]
krb5_auth_timeout = 9
ldap_deref_threshold = 0
...
[pam]
pam_id_timeout = 9
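The timing step and the configuration step above can be tied together mechanically. The following script, added here as an example and not part of the Red Hat guide, reads the output of the time command, rounds the real (wall-clock) time up to whole seconds so the timeout covers the complete login, and prints the sssd.conf fragment with that value; the domain names are the guide's example values.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: turn the measured un-cached
# login time into pam_id_timeout / krb5_auth_timeout settings.

# uncached_login_seconds: read `time` output on stdin and print the
# "real" time rounded UP to whole seconds (8.755s becomes 9). Note that
# bash's `time` writes to stderr, so redirect with 2>&1 when capturing.
uncached_login_seconds() {
    awk '
        $1 == "real" {
            t = $2                      # e.g. 0m8.755s
            sub(/s$/, "", t)            # strip trailing "s"
            n = split(t, parts, "m")    # minutes and seconds
            if (n == 2) secs = parts[1] * 60 + parts[2]
            else        secs = parts[1]
            whole = int(secs)
            if (secs > whole) whole = whole + 1
            print whole
            exit
        }'
}

# sssd_timeout_snippet IDM_DOMAIN AD_DOMAIN SECONDS: print the [domain]
# and [pam] lines the guide adds for a large IdM-AD trust deployment.
# ldap_deref_threshold = 0 disables dereference lookups (see the option
# reference later in this chapter).
sssd_timeout_snippet() {
    idm=$1; ad=$2; secs=$3
    printf '[domain/%s/%s]\n' "$idm" "$ad"
    printf 'krb5_auth_timeout = %s\n' "$secs"
    printf 'ldap_deref_threshold = 0\n\n'
    printf '[pam]\n'
    printf 'pam_id_timeout = %s\n' "$secs"
}

# Example with constructed `time` output (the guide's measurement):
if [ "${1:-}" = "demo" ]; then
    secs=$(printf 'real 0m8.755s\nuser 0m0.017s\nsys 0m0.013s\n' \
           | uncached_login_seconds)
    sssd_timeout_snippet example.com ad.example.com "$secs"
fi
```

Merge the printed lines into the existing sections of /etc/sssd/sssd.conf rather than appending them, since duplicate section headers are not valid there.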
Additional resources
Options for tuning SSSD in IdM servers and clients for large IdM-AD trust deployments
Considerations
Cached information does not persist after a reboot if the SSSD cache is in RAM.
It is safe to perform this change on IdM servers, as the SSSD instance on an IdM server cannot
lose connectivity with the Directory Server on the same host.
If you perform this adjustment on an IdM client and it loses connectivity to IdM servers, users will
not be able to authenticate after a reboot until you reestablish connectivity.
Prerequisites
Procedure
a. On RHEL 8.6 and higher, confirm that the SSSD user owns the config.ldb file:
# ls -al /var/lib/sss/db/config.ldb
-rw-------. 1 sssd sssd 1286144 Jun 8 16:41 /var/lib/sss/db/config.ldb
In this case, add the following entry to the /etc/fstab file as a single line:
b. On RHEL 8 versions lower than 8.6, the config.ldb file is owned by the root user:
# ls -al /var/lib/sss/db/config.ldb
-rw-------. 1 root root 1286144 Jun 8 14:15 /var/lib/sss/db/config.ldb
In this case, add the following entry to the /etc/fstab file as a single line:
This example creates a 300 MB cache. Tune the size parameter according to your IdM and
AD directory size, estimating 100 MB per 10,000 LDAP entries.
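The fstab entry differs only in ownership between the two cases above, and its size follows the guide's rule of thumb. The helper below, added here as an example and not taken from the Red Hat guide, derives the owner from the ls -al output shown, sizes the cache at 100 MB per 10,000 entries rounded up to the next 100 MB, and prints the single fstab line; the mount options (mode, uid/gid and the SELinux rootcontext label) are my assumptions for a RHEL host and must be checked against your own system.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: build the /etc/fstab line
# for an in-RAM (tmpfs) SSSD cache from the config.ldb owner and the
# directory size.

# sssd_cache_size_mb ENTRIES: 100 MB per 10,000 LDAP entries, rounded up
# to the next 100 MB (my rounding choice), with a floor of 100 MB.
sssd_cache_size_mb() {
    entries=$1
    mb=$(( (entries + 9999) / 10000 * 100 ))
    [ "$mb" -lt 100 ] && mb=100
    echo "$mb"
}

# config_ldb_owner LS_LINE: owner user from an `ls -al` line, e.g.
# "-rw-------. 1 sssd sssd 1286144 Jun 8 16:41 /var/lib/sss/db/config.ldb"
config_ldb_owner() {
    set -- $1          # split on whitespace; field 3 is the owner
    echo "$3"
}

# sssd_cache_fstab_line OWNER SIZE_MB: the tmpfs entry. When the sssd user
# owns config.ldb (RHEL 8.6 and later), the mount must be owned by sssd as
# well or the daemon cannot write its cache; when root owns it, no uid/gid
# options are needed. The SELinux context is an assumed value.
sssd_cache_fstab_line() {
    owner=$1; size_mb=$2
    ctx='rootcontext=system_u:object_r:sssd_var_lib_t:s0'
    case $owner in
        sssd) opts="size=${size_mb}M,mode=0700,uid=sssd,gid=sssd,$ctx" ;;
        root) opts="size=${size_mb}M,mode=0700,$ctx" ;;
        *)    echo "unexpected config.ldb owner: $owner" >&2; return 1 ;;
    esac
    printf 'tmpfs /var/lib/sss/db/ tmpfs %s 0 0\n' "$opts"
}

# Typical use (not run here): 30,000 entries on a RHEL 9 host
#   owner=$(config_ldb_owner "$(ls -al /var/lib/sss/db/config.ldb)")
#   sssd_cache_fstab_line "$owner" "$(sssd_cache_size_mb 30000)" >> /etc/fstab
```

Stop SSSD and clear the existing on-disk cache before mounting the tmpfs, and remember from the Considerations above that the cache is empty after every reboot.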
NOTE
The id user@ad-domain.com command still returns the correct list of groups, but
getent group ad-group@ad-domain.com returns an empty list.
NOTE
You should not set this option to true when the deployment involves an IdM server
with the compat tree.
subdomain_inherit
With the subdomain_inherit option, you can apply the ignore_group_members setting to the
trusted AD domains' configuration. Settings listed in the subdomain_inherit option apply to both
the main (IdM) domain and the AD subdomain.
Default value 5
krb5_auth_timeout
Increasing krb5_auth_timeout allows more time to process complex group information in
environments where users are members of a large number of groups. Red Hat recommends setting
this value to the number of seconds a single un-cached login takes.
Default value 6
ldap_deref_threshold
A dereference lookup is a means of fetching all group members in a single LDAP call. The
ldap_deref_threshold value specifies the number of group members that must be missing from the
internal cache in order to trigger a dereference lookup. If fewer members are missing, they are looked
up individually. Dereference lookups may take a long time in large environments and decrease
performance. To disable dereference lookups, set this option to 0.
Default value 10
Recommended value 0