Changing LDAP cache settings

Changing the Lightweight Directory Access Protocol (LDAP) cache settings that are used for authentication in IBM Cloud Pak® for Multicloud Management.

The LDAP cache setting parameters are listed in the following tables. For more information, see LDAP User Registry (ldapRegistry) Opens in a new tab.

Note: Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. This note is applicable only to the LDAP_ATTR_CACHE_TIMEOUT and LDAP_SEARCH_CACHE_TIMEOUT parameters.

Table 1. LDAP attribute cache properties
Parameter Description Default value
LDAP_ATTR_CACHE_ENABLED Enable or disable LDAP attribute cache. true
LDAP_ATTR_CACHE_SIZE Number of entities that can be stored in the cache. 2000
LDAP_ATTR_CACHE_SIZELIMIT Maximum number of attributes per LDAP entity that are cached. 2000
LDAP_ATTR_CACHE_TIMEOUT Maximum time that the contents of the LDAP attribute cache are available. When the specified time elapses, the LDAP attribute cache is cleared. 1200s
Table 2. LDAP search results cache properties
Parameter Description Default value
LDAP_SEARCH_CACHE_ENABLED Enable or disable LDAP search results cache. true
LDAP_SEARCH_CACHE_SIZE Number of search results that are stored in the cache. 2000
LDAP_SEARCH_CACHE_SIZELIMIT Maximum number of results that can be cached for a single LDAP search. 2000
LDAP_SEARCH_CACHE_TIMEOUT Maximum time that the contents of the search results cache are available. When the specified time elapses, the search results cache is cleared. 1200s

Changing the parameter values by using kubectl

To change the parameter values, complete the following steps:

  1. Install the Kubernetes CLI (kubectl) tool.

  2. Edit the platform-auth-idp ConfigMap.

     kubectl -n ibm-common-services edit configmap platform-auth-idp

  3. Change the following attribute values as required:

    • LDAP_ATTR_CACHE_ENABLED
    • LDAP_ATTR_CACHE_SIZE
    • LDAP_ATTR_CACHE_SIZELIMIT
    • LDAP_ATTR_CACHE_TIMEOUT
    • LDAP_SEARCH_CACHE_ENABLED
    • LDAP_SEARCH_CACHE_SIZE
    • LDAP_SEARCH_CACHE_SIZELIMIT
    • LDAP_SEARCH_CACHE_TIMEOUT

  4. Save and close the ConfigMap.

  5. Restart the auth-idp pods

     kubectl -n ibm-common-services delete pod -l k8s-app=auth-idp

  6. Wait for some time. Then, check the status of the auth-idp pods. The status must show as 4/4 Running for all the pods.

     kubectl -n ibm-common-services get pods | grep auth-idp

Changing the parameter values by using the console

  1. Log in to the OpenShift Container Platform console as a user with cluster administrator access.
  2. From the navigation menu, click Workloads > Config Maps.
  3. Search for platform-auth-idp.
  4. Click ... > Edit Config Map.
  5. Change the following attribute values as required:
    • LDAP_ATTR_CACHE_ENABLED
    • LDAP_ATTR_CACHE_SIZE
    • LDAP_ATTR_CACHE_SIZELIMIT
    • LDAP_ATTR_CACHE_TIMEOUT
    • LDAP_SEARCH_CACHE_ENABLED
    • LDAP_SEARCH_CACHE_SIZE
    • LDAP_SEARCH_CACHE_SIZELIMIT
    • LDAP_SEARCH_CACHE_TIMEOUT
  6. Click Save.
  7. From the navigation menu, click Workloads > Deployments.
  8. Locate auth-idp.
  9. Click ... > Edit Deployment. A window for editing displays.
  10. Click Save without making any change. This step is to reload the auth-idp pods with the latest ConfigMap values.
  11. Click auth-idp.
  12. Wait for some time. Then, check the status of the auth-idp pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.