Creating this on behalf of Aditi Tyagi
Sorry to ask another basic query, but where to configure these additional LDAP banks?
Is it to be done while creating a user directory in Admin UI?
If yes, what is a better approach: failover or load-balancing for multiple connections to the same LDAP server?
Thanks in advance!
There is no point in having a failover configuration if the underlying LDAP server is the same.
The reason being, if it failed for the first bank, there is a greater chance that it will fail for the subsequent banks as well.
So, a load-balancing configuration is recommended.
cadir-01, cadir-01-alias1, cadir-01-alias2 all point to the same underlying LDAP server.
Please let me know if any questions.
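An added example (my own, not from this thread or from CA) of the check I would run after adding the alias entries on a policy server: parse the hosts file, confirm that every alias meant to be an extra bank resolves to the same address as the original directory name (an alias that points somewhere else gives you a failover target, not an extra bank), and report the connection count the thread describes, 3 per bank. The hosts-file text and the addresses are constructed for the example; on a live box you would resolve each alias with getent or socket.gethostbyname instead of reading the file.

```python
"""Added example: validate hosts file aliases used for extra LDAP banks."""
from typing import Dict, List, Tuple

# Constructed sample of the hosts file on a policy server machine (assumed addresses).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
# three names for the same directory server -> three LDAP banks
10.0.5.21    cadir-01 cadir-01-alias1 cadir-01-alias2
10.0.5.22    cadir-02                 # a different server: failover, not a bank
"""

CONNECTIONS_PER_BANK = 3  # ping, user and directory connection per bank, as stated in the thread


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname/alias to its address, ignoring comments and blank lines."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def bank_check(aliases: List[str], hosts: Dict[str, str]) -> Tuple[str, int, int]:
    """Return (address, bank_count, expected_connections) for aliases that must all
    name the same LDAP server; raise ValueError if any alias is missing or points
    at a different address."""
    by_addr: Dict[str, List[str]] = {}
    for alias in dict.fromkeys(aliases):  # de-duplicate while keeping order
        addr = hosts.get(alias.lower())
        if addr is None:
            raise ValueError(f"{alias} is not in the hosts file")
        by_addr.setdefault(addr, []).append(alias)
    if len(by_addr) != 1:
        raise ValueError(f"aliases resolve to different servers: {by_addr}")
    addr, names = next(iter(by_addr.items()))
    return addr, len(names), CONNECTIONS_PER_BANK * len(names)


def same_server(aliases: List[str], hosts: Dict[str, str]) -> bool:
    """True only when every alias resolves to one and the same address."""
    try:
        bank_check(aliases, hosts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    banks = ["cadir-01", "cadir-01-alias1", "cadir-01-alias2"]
    addr, count, conns = bank_check(banks, hosts)
    print(f"{count} banks on {addr}: expect {conns} connections from this policy server")
    print("cadir-01 + cadir-02 are one server:", same_server(["cadir-01", "cadir-02"], hosts))
```

Run it on each policy server, since (as noted later in the thread) the hosts entries live on every policy server that opens the LDAP connections, not on the policy store machine.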
Hi Ujwol, Great info on LDAP banks.
We seem to be running into an occasional idle-timeout connection issue with our LDAP. Now if I create 3 LDAP banks with the same server as mentioned above, then I will have 9 connections. Does it mean I have the chance of 9 idle connections depending on the usage?
For a setup that sees occasional idle timeouts, is it even worth considering LDAP banks? I have an active issue that I am currently working on; I see re-bind attempts from a thread which was actively doing LDAP operations 20 seconds ago.
Yes, if you have 3 LDAP banks you will have 9 connections.
As I explained in the other thread, the 3 PING connections (one for each bank) cannot idle out as they poll the LDAP server periodically, but for the remaining 6 connections, depending upon their usage, there is a possibility of idling out.
I wouldn't worry too much about it idling, as this doesn't cause any functional issue; the policy server will re-establish the idled-out connection anyway. So, apart from those bad-looking errors in smps.log, it isn't doing much harm.
The problem is, when this idle timeout happens, a simple logon takes close to 30-60 seconds, sometimes causing upstream servers to time out. While we can increase the upstream server timeouts, the app team is worried about user experience.
Is this expected as part of the idle-timeout issue, or could it be something else?
30-60 seconds is bad. Yes, it should take a little longer as it has to re-initialize those connections, including the bind, but I don't expect it to be that bad.
Have you verified that the delay is isolated to the policy server side and not on the LDAP side? There is a possibility that the LDAP server's response to the bind request is slow.
Exactly, I have an active case with Support on this. While I don't have Fiddler or a TCP dump (as this happens occasionally), I have all the other SPS/policy server traces. How can I verify that LDAP connections are taking longer? Any pointers on that? We can't enable extensive tracing on LDAP as it handles millions of transactions from thousands of systems.
TCP dump is the best. Maybe you can perform an ldapsearch (which does an LDAP bind) and capture the server response time using TCP dump? But again, if the issue is intermittent this may not be able to capture it.
The PS trace log should also give an indication of delays from the LDAP side. Look at the report (trace analysis report) related to LDAP request wait time and LDAP bank wait time.
(Ah, again we ended up deviating from the thread topic; maybe let's spin off this discussion into a new thread as well, Anil)
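An added example (mine, not from the thread and not CA's trace analysis report) of the separation Ujwol is asking for: from trace-style log lines, compute per request how long the thread waited to get a bank connection (policy server side) versus how long the bind and the response took once it had one (directory side). The line format, thread ids, bank numbers and timestamps are constructed for the example; the real smtracedefault.txt layout depends on the trace template you configured, so LINE_RE has to be adapted to your own fields. The two thresholds are assumptions, not CA recommendations.

```python
"""Added example: attribute LDAP delay to bank wait (policy server) or bind/response (directory)."""
import re
from datetime import datetime
from typing import Dict, List

# Assumed line layout; adapt the regex to the fields in your own trace template.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[Thread (?P<thread>\d+)\] LDAP "
    r"(?P<event>request queued|connection acquired|bind started|bind completed|response received)"
    r"(?P<rest>.*)$"
)

# Constructed sample: a normal request (thread 21), a re-bind after an idle timeout
# with a slow directory bind (thread 22), and a request starved of a bank (thread 23).
SAMPLE_TRACE = """\
2024-03-12 09:15:01.120 [Thread 21] LDAP request queued server=cadir-01
2024-03-12 09:15:01.125 [Thread 21] LDAP connection acquired server=cadir-01 bank=0
2024-03-12 09:15:01.140 [Thread 21] LDAP response received server=cadir-01
2024-03-12 09:15:40.000 [Thread 22] LDAP request queued server=cadir-01
2024-03-12 09:15:40.030 [Thread 22] LDAP connection acquired server=cadir-01 bank=1
2024-03-12 09:15:40.031 [Thread 22] LDAP bind started server=cadir-01 bank=1
2024-03-12 09:16:12.500 [Thread 22] LDAP bind completed server=cadir-01 bank=1
2024-03-12 09:16:12.520 [Thread 22] LDAP response received server=cadir-01
2024-03-12 09:16:13.000 [Thread 23] LDAP request queued server=cadir-01
2024-03-12 09:16:18.200 [Thread 23] LDAP connection acquired server=cadir-01 bank=2
2024-03-12 09:16:18.300 [Thread 23] LDAP response received server=cadir-01
"""

BANK_WAIT_LIMIT_S = 1.0  # assumed: waiting this long for a bank means too few banks
LDAP_SLOW_LIMIT_S = 5.0  # assumed: a bind or response slower than this is a directory-side problem


def _secs(a: datetime, b: datetime) -> float:
    return round((b - a).total_seconds(), 3)


def analyse(trace: str) -> List[Dict]:
    """One record per completed request: bank wait, re-bind flag, bind time, LDAP time."""
    pending: Dict[str, Dict] = {}
    done: List[Dict] = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        thread, event = m["thread"], m["event"]
        if event == "request queued":
            pending[thread] = {"queued": ts, "acquired": None, "bind_start": None,
                               "bind_end": None, "bank": None}
            continue
        rec = pending.get(thread)
        if rec is None:
            continue  # event with no matching queued request on this thread; skip it
        if event == "connection acquired":
            rec["acquired"] = ts
            bank = re.search(r"bank=(\d+)", m["rest"])
            rec["bank"] = int(bank.group(1)) if bank else None
        elif event == "bind started":
            rec["bind_start"] = ts  # a bind mid-request means the pooled connection was re-established
        elif event == "bind completed":
            rec["bind_end"] = ts
        elif event == "response received" and rec["acquired"] is not None:
            has_bind = rec["bind_start"] is not None and rec["bind_end"] is not None
            done.append({
                "thread": thread,
                "bank": rec["bank"],
                "bank_wait_s": _secs(rec["queued"], rec["acquired"]),  # policy server side
                "rebind": rec["bind_start"] is not None,
                "bind_s": _secs(rec["bind_start"], rec["bind_end"]) if has_bind else None,
                "ldap_s": _secs(rec["acquired"], ts),  # directory side, bind included
            })
            del pending[thread]
    return done


def classify(rec: Dict) -> str:
    """Where did the time go: waiting for a bank, a slow re-bind, or a slow directory?"""
    if rec["bank_wait_s"] > BANK_WAIT_LIMIT_S:
        return "bank_starvation"  # add LDAP banks and re-run the report
    if rec["rebind"] and rec["bind_s"] is not None and rec["bind_s"] > LDAP_SLOW_LIMIT_S:
        return "slow_rebind"      # idle-timeout re-bind and the directory was slow to answer the bind
    if rec["ldap_s"] > LDAP_SLOW_LIMIT_S:
        return "slow_ldap"        # directory slow on the search itself
    return "ok"


def report(trace: str) -> Dict[str, int]:
    """Count completed requests per verdict, like a trace analysis summary."""
    counts: Dict[str, int] = {}
    for rec in analyse(trace):
        verdict = classify(rec)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in analyse(SAMPLE_TRACE):
        print(rec["thread"], classify(rec), rec)
    print(report(SAMPLE_TRACE))
```

If most of a 30-60 second logon shows up as bind or response time after the connection was acquired, the delay is on the directory side and a tcpdump of the bind is the next step; if it shows up as bank wait, more banks is the fix, which is the same iteration the thread recommends with the trace analysis report.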
Thanks a lot Ujwol for this thread and the detailed explanation!!
So, creating 2-3 LDAP banks for the same directory server in load-balancing mode and making a hosts file entry on the policy server system will help in managing thousands (9 connections for 1 directory with the 4096 max-user setting) of active user sessions to the directory?
In our environment, we have 2 user stores (in multi-write replication, DISP recovery) configured in failover mode with the policy servers. In the recent past, we have faced some errors in the policy server logs wherein the DSAs were up and running but the policy server was still not able to communicate with them. Also, in this scenario, the failover didn't work either, i.e., the request for the user search didn't get transferred to the other LDAP server.
As per the CA recommendation, we increased the max-user value at the DSA level and so far have not faced the issue again.
But will having multiple LDAP banks for each of the above servers help in the overall login (especially authentication by LDAP) performance?
Yes, Aditi. Having more LDAP banks definitely helps in the case of large concurrent requests.
Thanks Ujwol for the update. I will cross-check it in our environment and will update this thread in case of further queries!
We have IdentityMinder integrated with SiteMinder. In this case, if I am creating such LDAP banks in the SM AdminUI and the same directory is in use by IdentityMinder, will it change the configuration of the directory in the IM management console as well?
Also, if we have multiple policy servers in our environment using the same policy store, then will the hosts file entry for the above LDAP banks be done on the policy store system or on each policy server system?
No, it won't change the config on IM.
The hosts file changes go on each policy server from where the LDAP connections are made.
We have 2 user stores and I have created one LDAP alias for each user store.
How can I check if these are sufficient for my environment, and the number of concurrent binds/connections created now by each policy server?
max-users is set to 4096 in the DSA and idle-user-bind is set to the default 3600.
Will it be calculated like:
4096 * 3 (no. of binds created by the policy server) * 4 (total number of LDAP banks: 2 user stores and 2 aliases)?
There is no formula to calculate the optimum number of LDAP banks.
It depends upon the max concurrent load that you expect, the processing speed of the policy server OS, etc., among other factors.
The best way to identify if you have sufficient LDAP banks is to collect PS trace logs during peak load and run the trace analysis report to check if the LDAP wait time is high during peak load. If the LDAP wait time is high, it means that the normal-priority thread has to wait longer to get an LDAP bank connection. This is when you increase the LDAP banks and run the report again to see if that improves it.
You may need to do a couple of iterations to identify what suits you best.
How do we define the number of connections with each LDAP bank?
Also, what is the significance of creating 3 different groups with the same server?
Please find my response below:
Q. How do we define the number of connections with each LDAP bank?
A. There are a fixed 3 connections created per LDAP bank, and this is not configurable. These connections are:
Q. What is the significance of creating 3 different groups with the same server?
A. The purpose of creating multiple LDAP groups (LDAP banks) is to actually increase the number of available LDAP connections to these servers. This will help especially during high load where there are multiple simultaneous LDAP requests.
What is the significance of creating 3 different groups with the same server?
Que: Configuring the same LDAP bank in three groups will create 9 connections with that LDAP bank:
3 for ping server
3 for user connection
3 for dir connection
Please confirm the above.
Also, is it possible that this kind of configuration will lead to performance issues? If so, kindly let us know the CA-recommended number of groups (for the same LDAP bank) that we can configure in order to minimize performance issues.
That's correct. Total number of connections = 3 * number of LDAP banks.
The purpose of increasing banks is to improve the LDAP connections.
There is no formula or recommended value for how many banks is sufficient, as it depends on various factors such as user load, CPU, LDAP response times, etc.
You should play around with it. Compare the throughput/response times when you increase LDAP banks at different levels of user load, to arrive at the optimal value.