Maximo and LDAP : Repository performance and user synchronization
Shane Howard 270000C70V Visits (14532)
It's been awhile since my last blog post and even longer since the last one I did regarding LDAP security. Recently I've had a couple users come to me and ask why it takes time for changes made to the directory to show up in WebSphere.
If I move my user 'cn=updateuser, ou=maximo users, ou=swg, dc=mxeam13, dc=torolab, dc=ibm, dc=com' to another organization unit such as 'cn=updateuser, ou=support, ou=swg, dc=mxeam13, dc=torolab, dc=ibm, dc=com'. You won't see this change instantly in WebSphere's user repository. Basically, if I change my users location from maximo users to support, The 'Manage Users' application in WebSphere seen in the screenshot below won't reflect this chang right away.
What we expect to see and what we will see after a period of time is the change to be reflected in this application.
Now, how does this relate to Maximo? When using VMMSYNC, Maximo synchronizes from WebSphere's repositories and not the directory server itself. So if the user changes aren't shown in the view on the repository, Maximo won't pick up these changes either. If the repository updates every 10 minutes and the VMMSYNC runs every 30 minutes, it's possible the cron task just misses that update and won't be able to pick it up until the next run time.
Out of the box, WebSphere has settings which will cache the search views of the repository for a period of time, the default setting on the search is 600 seconds or every 10 minutes. This means all VMM search data will be cached and not updated for this period of time. So if you change a location or an email address of your user, expect to wait 10 minutes for WebSphere to update, then for the next run of the VMMSYNC crontask for Maximo to pull those changes into it's database (assuming the change is data that will be coming to Maximo).
The reason for this delay in the end, is performance. If you have a large user directory, you likely don't want WebSphere refreshing the data from it in real time, but to work similar to a cron task in Maximo, where the data is refreshed after a certain time period. If you do need more control over this, you can have that. WebSphere provides properties that allow you to adjust the amount of time until cached data expires, or turn off caching so the view updates in real time (this could cause performance issues).
Adjusting the cache time out
1. Log into WebSphere, expand 'Security' and click on 'Global Security'
2 Click configure beside your current realm definition (Federated Repositories)
3. Click on 'Manage Repositories, then the repository you wish to manage.
4. Under 'Additional Properties' choose ' Performance'
The cache time out below is the current time it will take from the view to update when a change is made to a user on your directory server. You can increase or decrease the timeout based on your needs. Unchecking the Cache the search results box, will show the changes in real time.
5 . Once you make any change to this screen, you will need to do a full sync of the node and restart the WebSphere services.
To read more on the WebSphere performance parameters on this page, you can head on over to the info center here. I hope this blog was useful to some and provides some guidance on LDAP performance settings in WebSphere. If you have any questions or comments feel free to post below.