IBM 4.6 6 IBM LDAP Server

Page 16 IBM Tivoli Identity Manager Performance Tuning Guide

6 IBM LDAP Server

The IBM LDAP Server is a component of the Integrated Security Services base element in z/OS R 1.6

and 1.7, not to be confused with the IBM Tivoli Directory Server released with z/OS 1.8.

The following APARs are recommended to fix insert and update failures when using IBM Tivoli Identity

Manager:

• OA14765 – Addresses LDAP deadlocks

• OA17432 – Moves DIR_MISC table to MISCTS tables pace

The LDAP Server has internal caches to allow quick access to frequently accessed entries in memory

rather than accessing the values from the disk. Better performance can be obtained by increasing the

size of the caches.

The LDAP Server allows you to control how many entries the entry cache can store but does not restrict

the size of the cache. The size of each entry in the cache is based on the number and the size of

attributes that a given LDAP entry has. Typically, many entries are users and their accounts, which have

a fairly constant size. When setting the value for the entry cache, calculate the size of the average entry

and divide that into the amount of memory used by the LDAP Server process. Users with few attributes

can generate entry sizes that are approximately 4 KB where users with more attributes can generate

entry sizes around 9k.

Determining the values

dn_cache_size – Size of the DN cache. Default value: 1000. Recommended value: 75000.

dn_to_eid_cache_size – Size of the DN to EID cache. Default value: 1000. Recommended value:

75000.

entry_cache_size – Size of the entry cache. Default value: 1000. Recommended value: 75000.

Note: The recommended values above were determined by assuming 15000 users each with 5 accounts

for a total of 75000 objects. You may need to increase this value for larger populations.

Setting the values

1) Edit

GLD.CNFOUT(SLAPDCNF)

2) Modify the dnCacheSize value to dn_cache_size.

3) Modify the dnToEidCacheSize value to dn_to_eid_cache_size.

4) Modify the entryCacheSize value to entry_cache_size.

5) Restart LDAPSRV

To ensure that IBM Tivoli Identity Manager can connect to the directory server using all available

connections, ensure the maximum number of LDAP connections is greater than the size of the LDAP

connection pool for Tivoli Identity Manager.