Symantec Access Management


How to Tune Oracle Directory Server for Policy Store 

Jun 23, 2014 02:31 AM

1. For larger policy stores, edit the following ldif file:

policy_server_home/xps/db/OracleDirectoryServerBrowse.ldif  (or SunOneBrowse.ldif depending upon SiteMinder version)

2. Replace the Root_DN shown in the following line:

            vlvBase: ou=xps,ou=PolicySvr4,ou=siteminder,ou=netegrity,Root_DN

            ...with the base DN of your policy store, as shown in the following line:

            vlvBase: ou=xps,ou=PolicySvr4,ou=siteminder,ou=netegrity,base_dn_of_your_policy_store

3. Run the following command:

            smldapsetup ldmod -fOracleDirectoryServerBrowse.ldif -v

4. Stop the directory server instance and re-index the VLV indexes with the following commands:

            dsadm stop Instance_Path

            dsadm reindex -bl -t "Sort xpsSortKey" Instance_Path policysvr4

5. Re-index the other XPS attributes:

            dsadm reindex -b -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject -t xpsTombstone instance_path policysvr4

6. Start the directory server instance.

            dsadm start Instance_Path

Note: instance_path specifies the path to the directory server instance functioning as the policy store.

For more information about the dsadm command, see your vendor-specific documentation.
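
The following is an added example, not part of the original article or of the SiteMinder tooling: a POSIX shell helper that performs the step 2 substitution on vlvBase lines only and refuses to proceed to step 3 if any vlvBase still carries the Root_DN placeholder or does not end in the intended base DN. The function names and the sample LDIF are constructed for illustration; the sample's attribute values mirror the smldapmodify output quoted in the comments on this page, not the shipped file.

```shell
#!/bin/sh
# Added example, not vendor code: fill in the vlvBase placeholder (step 2) and
# verify the result before smldapsetup loads it (step 3).

# check_vlv_ldif FILE BASE_DN -> 0 only if every vlvBase value ends in ",BASE_DN"
check_vlv_ldif() {
    total=$(grep -c '^vlvBase:' "$1" || true)
    [ "$total" -gt 0 ] || { echo "no vlvBase lines in $1" >&2; return 1; }
    if grep -q 'Root_DN' "$1"; then
        echo "placeholder Root_DN still present in $1" >&2; return 1
    fi
    # ENVIRON rather than -v, so backslashes in an escaped DN compare literally.
    good=$(dn=$2 awk '/^vlvBase:/ { sub(/[ \t\r]+$/, ""); s = "," ENVIRON["dn"]
            if (substr($0, length($0) - length(s) + 1) == s) n++ }
        END { print n + 0 }' "$1")
    [ "$good" -eq "$total" ] || { echo "vlvBase not under $2 in $1" >&2; return 1; }
}

# prepare_vlv_ldif TEMPLATE BASE_DN OUT -> writes OUT, then validates it
prepare_vlv_ldif() {
    [ -r "$1" ] && [ -n "$2" ] && [ -n "$3" ] || { echo "usage: prepare_vlv_ldif TEMPLATE BASE_DN OUT" >&2; return 2; }
    # Escape \, & and the | delimiter so sed inserts the DN literally.
    esc=$(printf '%s' "$2" | sed 's/[\\&|]/\\&/g')
    # Touch vlvBase lines only; drop trailing blanks or a CR after Root_DN.
    sed "/^vlvBase:/s|Root_DN[[:space:]]*\$|$esc|" "$1" > "$3" || return 2
    check_vlv_ldif "$3" "$2"
}

# Demo on a constructed template; attribute values mirror the smldapmodify
# output quoted in the comments on this page, not the shipped file.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/browse.ldif" <<'EOF'
dn: cn=xps_browsing_index,cn=PolicySvr4,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
cn: Browsing XPS
vlvBase: ou=xps,ou=PolicySvr4,ou=siteminder,ou=netegrity,Root_DN
vlvScope: 1
vlvFilter: (&(xpsNumber=*)(!(xpsTombstone=*)))
EOF
    prepare_vlv_ldif "$d/browse.ldif" "dc=ca,dc=com" "$d/out.ldif" &&
        grep '^vlvBase:' "$d/out.ldif"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

Run prepare_vlv_ldif against a copy of the template and pass only the validated output file to smldapsetup; a non-zero return means the file should not be loaded.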


Additionally, you can review the following parameters. The values are given as samples; validate them with your Oracle Directory Server administrator and CA Services consultant.

1. Make sure that the LDAP cache on the LDAP server is sized properly. Consider increasing it if it is at 100%.

At the Suffix level:

            ====================

            Check the existing values:

            dsconf get-suffix-prop -P <secure port> <SUFFIX_DN>

            e.g.

            dsconf get-suffix-prop -P 2466 dc=ca,dc=com

            You can then modify the suffix properties as follows:

            dsconf set-suffix-prop -P <secure port> <SUFFIX_DN> PROP:VALUE

            e.g.

            dsconf set-suffix-prop -P 2466 dc=ca,dc=com entry-cache-mode:manual

            Consider modifying the following properties based on your needs:

      • entry-cache-mode
      • entry-cache-count
      • entry-cache-size

 

            At the Server level:

            ====================

            You can also change these settings at the server level using the following commands:

            ./dsconf get-server-prop

            ./dsconf set-server-prop

 

2. Configure the "nsslapd-allidsthreshold" attribute.

This attribute defines a threshold to limit the length of an index list. The threshold is called the index list threshold. If the number of entries in the list for a particular key exceeds the index list threshold, an un-indexed search is performed. The value of the nsslapd-allidsthreshold attribute can be configured globally for a Directory Server instance, or can be configured for a suffix, or can be configured for an index type. If the value of the nsslapd-allidsthreshold attribute is configured globally for a suffix, it can then be changed for a specific index. You must rebuild all indexes after you change the nsslapd-allidsthreshold attribute.


Increase the value to accommodate a large number of entries, depending on how big your policy store is.

Consider setting it to 20,000 (or higher, depending on your needs).

Default value : 4000

 

How to determine an appropriate value for the "nsslapd-allidsthreshold"

==============================================================

The following article describes a practical way to determine the value for nsslapd-allidsthreshold:

http://docs.oracle.com/cd/E19313-01/817-7609/indexing.html

 

Changing the Index List Threshold Size

 

“Good values for nsslapd-allidsthreshold typically fall in a range around 5 percent of the total number of entries in the directory. For example, the default value of 4000 is generally right for Directory Server instances handling 80,000 entries or less. You may decide to set the value significantly higher than 5 percent of the total if you expect to add large numbers of entries to the directory in the near term, or if you expect the directory to grow considerably. You may also decide to set the threshold differently on consumer replicas supporting many searches than on masters supporting almost only writes. If you plan to initialize a large directory from LDIF in the near term, you may even choose to adjust the value for nsslapd-allidsthreshold just before initialization, as each change to the value of this attribute requires that all indexes be rebuilt. Finally, you may choose to set this value quite high in directories with deeply hierarchical DITs, so searches for all entries below a given branch are indexed. In any case, avoid setting the all IDs threshold very high (above 50,000) even for very large deployments unless you have a good, specific reason for doing so.”

 

So the rule of thumb is to set it to 5% of the total number of entries under the suffix for which it is being set. This has to be adjusted for the special scenarios described above.

 

 

3. Possibly consider the following SunOne parameter: nsslapd-search-tune

This attribute specifies that Directory Server should skip the double-check it normally does to verify that search results returned include the most current version of the entry content, even if the entry has been modified during the search.  This double-check verification involves testing the search filter against each entry to return in response to the search.

Allowing Directory Server to skip the filter test when the search involves complex filters and large static groups can result in significant performance improvement.

 

Recommendation : Set it to 59.


References :

  1. https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP3-ENU/Bookshelf_Files/HTML/idocs/1208200.html#o1195577
  2. https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%205-ENU/Bookshelf_Files/HTML/idocs/1520581.html#o1520765
  3. http://docs.oracle.com/cd/E19693-01/819-0986/6n3chgltd/index.html
  4. http://docs.oracle.com/cd/E20295_01/html/821-1224/nsslapd-allidsthreshold-5dsconf.html


Comments

Oct 06, 2016 04:41 AM

More information on the cache bug reported on Sun-Directory-Server/11.1.1.7.0

 

Check your Policy Store logs, and if you can see those errors:

DEBUG - conn=-1 op=-1 msgId=-1 -  ancestorid BAD 13120, err=-666 Unknown error: -666

https://community.oracle.com/thread/3577480

that means that the indexing isn't working properly because of an internal ODSEE 11.1.1.7.0 problem which is fixed in 11.1.1.7.1:

Table 2 Issues Resolved in Release 11g Release 1 (11.1.1.7.1)
16737497 DSCONF REINDEX SUFFIX BREAKS ANCESTORID INDEX

http://docs.oracle.com/cd/E29127_01/doc.111170/e58086/toc.htm

Aug 18, 2016 11:33 AM

Hi Ujwol,

 

We are trying to apply tuning to the policy store by following the given steps. We are seeing the error below while running the given commands. Please check and let us know what the reason is.

 

./smldapsetup ldmod -f/siteminder/xps/db/OracleDirectoryServerBrowse.ldif -v

The command error is saying it already exists like that.

mode:        ldmod
host:        0.0.0.0
port:        3898 0.0.0.0:3898
root:        o=comp.com
admindn:     cn=admin
adminpw:     {RC2}5K8vumBJ1w8I334T9/AntcEGbsuJaADp (encrypted)
ldif:        /siteminder/xps/db/OracleDirectoryServerBrowse.ldif
tool:        smldapmodify
ssl:         0
certdb:

--------------- Verifying LDAP settings ---------------

Directory Server: 'Sun-Directory-Server/11.1.1.7.0 B2013.0109.2015' (9)

Creating SiteMinder policy branch under root DN 'o=comp.com...

Creating SiteMinder LDAP schema from 'siteminder/xps/db/OracleDirectoryServerBrowse.ldif' using 'smldapmodify'...

smldapmodify -h 0.0.0.0 -p 3898 0.0.0.0:3898 -D cn=admin-w <(password)> -c -f /siteminder/xps/db/OracleDirectoryServerBrowse.ldif -i UTF-8 -v

smldapmodify: started Thu Jul 28 11:58:50 2016

ldap_init( 0.0.0.0, 3898 )

ldap_simple_bind: Success

add objectClass:
      top
      vlvSearch
add cn:
      Browsing XPS
add vlvBase:
      ou=xps,ou=PolicySvr4,ou=siteminder,ou=netegrity,o=comp.com
add vlvScope:
      1
add vlvFilter:
      (&(xpsNumber=*)(!(xpsTombstone=*)))
adding new entry cn=xps_browsing_index,cn=PolicySvr4,cn=ldbm database,cn=plugins,cn=config
ldap_add: Already exists

add objectClass:
      top
      vlvIndex
add cn:
      Sort xpsSortKey
add vlvSort:
      xpsSortKey
adding new entry cn=Sort xpsSortKey,cn=xps_browsing_index,cn=PolicySvr4,cn=ldbm database,cn=plugins,cn=config
ldap_add: Already exists

add objectClass:
      top
      vlvSearch
add cn:
      xps_housekeep_index
add vlvBase:
      ou=xps,ou=PolicySvr4,ou=siteminder,ou=netegrity,o=comp.com
add vlvScope:
      1
add vlvFilter:
      (&(objectClass=xpsObject)(|(xpsCategory=2)(xpsCategory=3)))
adding new entry cn=xps_housekeep_index,cn=PolicySvr4,cn=ldbm database,cn=plugins,cn=config
ldap_add: Already exists

add objectClass:
      top
      vlvIndex
add cn:
      Sort modifyTimestamp
add vlvSort:
      modifyTimestamp
adding new entry cn=Sort modifyTimestamp,cn=xps_housekeep_index,cn=PolicySvr4,cn=ldbm database,cn=plugins,cn=config
ldap_add: Already exists

smldapmodify returned 17408

LDAPError: 17408. LDAP error 17408. Unknown Error

Unable to create SiteMinder LDAP schema

 

Then afterwards we tried the commands below on the LDAP directory server and are seeing an error.

 

./dsadm reindex -bl -t "Sort xpsSortKey" Instance_Path policysvr4

[26/Jul/2016:22:39:07 -0400] - DEBUG - conn=-1 op=-1 msgId=-1 - ERROR: Could not find backend 'policysvr4'.

Command /appbin/b2cpol/dsee7/lib/64/ns-slapd db2index -D /appbin/b2cpol/dsee7/slapd-pol -n policysvr4 -T Sort xpsSortKey failed: error 1

Failed to generated indexes: error 1

1. dsadm reindex -b -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject -t xpsTombstone instance_path policysvr4

./dsadm reindex -b -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject -t xpsTombstone /appbin/b2cpol/dsee7/slapd-pol/ policysvr4

[26/Jul/2016:22:40:49 -0400] - DEBUG - conn=-1 op=-1 msgId=-1 - ERROR: Could not find backend 'policysvr4'.

Command /appbin/b2cpol/dsee7/lib/64/ns-slapd db2index -D /appbin/b2cpol/dsee7/slapd-pol -n policysvr4 -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject -t xpsTombstone failed: error 1

Failed to generated indexes: error 1

2. dsadm start Instance_Path

./dsadm start /appbin/b2cpol/dsee7/slapd-pol/

Directory Server instance '/appbin/b2cpol/dsee7/slapd-pol' started: pid=20651

 

Please let us know why we are seeing these errors here.

 

Thanks in advance.

 

Regards,

Rudra

 

 

Sep 18, 2014 02:47 AM

Hi,

 

Also, here is a sample of fast-track command lines to tune the Oracle Directory Server when running on Linux. You do this once you have fully initialized the Policy Store according to the documentation. Obviously, you should adapt the paths, IP addresses, ports and values to your environment.

 

// Go to the Oracle Directory Server installation binary directory :

 

# cd /opt/dsee7/bin

 

// Check the cache configuration, in this illustration, it is at 32Mb

# ./dsconf get-server-prop -h10.130.248.143 -p389 db-cache-size

Enter "cn=Directory Manager" password:

db-cache-size :  32M

 

// Make the cache setting modifiable

# ./dsconf set-suffix-prop -h10.130.248.143 -p389 "ou=Netegrity,dc=training,dc=com"  entry-cache-mode:manual

 

// Increase the cache object amount to 100000

# ./dsconf set-suffix-prop -h10.130.248.143 -p389 "ou=Netegrity,dc=training,dc=com" entry-cache-count:100000

 

// Increase the size of the cache to 1Gb

# ./dsconf set-suffix-prop -h10.130.248.143 -p389 "ou=Netegrity,dc=training,dc=com" entry-cache-size:1024M

 

// Check that the changes have been applied

# ./dsconf get-suffix-prop -h10.130.248.143 -p389 "ou=Netegrity,dc=training,dc=com" entry-cache-count entry-cache-size

Enter "cn=Directory Manager" password:

entry-cache-count :  100000

entry-cache-size :  1G

 

// Modify the ids threshold to increase the number of entries matching the index key

# ./dsconf set-server-prop -h10.130.248.143 -p389 all-ids-threshold:40000

Enter "cn=Directory Manager" password:

Reindex all suffixes for changes to take effect.

 

// Re-index the Policy Store

./dsconf reindex -h 10.130.248.143 -p 389 -e "ou=Netegrity,dc=training,dc=com"

 

// Re-index the XPS Store (you will need to stop the Policy Store)

./dsadm reindex -bl -t "Sort xpsSortKey" /opt/dsee7/local/ps1252 PolicySvr4

./dsadm reindex -bl -t "Sort modifyTimestamp" /opt/dsee7/local/ps1252 PolicySvr4

Sep 18, 2014 12:25 AM

Instructions on how to check or set the "nsslapd-allidsthreshold" would be helpful to add.

From a Google search, it can be found in the dse.ldif file.

Modifying the dse.ldif File (Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide)

instance-path/config/dse.ldif

Awesome work!
