Changing LDAP search cache variable values

Change the default values of the Lightweight Directory Access Protocol (LDAP) search cache variables.

You can change the values of the following variables:

Table 1. LDAP cache parameters

Variable                     Default value   Description
LDAP_SEARCH_CACHE_TIMEOUT    1200 seconds    The maximum time that the contents of the search results cache are available.
LDAP_SEARCH_CACHE_ENABLED    true            A Boolean value that indicates whether search results are cached.
LDAP_SEARCH_CACHE_SIZE       2000            The number of search results that are stored in the cache.
LDAP_SEARCH_CACHE_SIZELIMIT  2000            The maximum number of results that can be cached for a single LDAP search.
LDAP_ATTR_CACHE_SIZE         2000            The number of entities that can be stored in the cache.
LDAP_ATTR_CACHE_TIMEOUT      1200 seconds    The maximum time that the contents of the LDAP attribute cache are available.
LDAP_ATTR_CACHE_SIZELIMIT    2000            The maximum number of attributes per LDAP entity that are cached.
LDAP_ATTR_CACHE_ENABLED      true            A Boolean value that indicates whether entities are cached.

For more information, see LDAP User Registry (ldapRegistry).

Follow these steps to change the variable values:

  1. Install the Kubernetes CLI (kubectl).

  2. Edit the platform-auth-idp configmap.

     kubectl -n ibm-common-services edit configmap platform-auth-idp
    

    The file content resembles the following code:

     # Please edit the following object. Lines beginning with a '#' will be ignored,
     # and an empty file will abort the edit. If an error occurs while saving this file will be
     # reopened with the relevant failures.
     #
     apiVersion: v1
     data:
       AUDIT_DETAIL: "false"
       AUDIT_ENABLED_IDMGMT: "false"
       AUDIT_ENABLED_IDPROVIDER: "false"
       .
       .
       LDAP_ATTR_CACHE_ENABLED: "true"
       LDAP_ATTR_CACHE_SIZE: "2000"
       LDAP_ATTR_CACHE_SIZELIMIT: "2000"
       LDAP_ATTR_CACHE_TIMEOUT: 1200s
       LDAP_SEARCH_CACHE_ENABLED: "true"
       LDAP_SEARCH_CACHE_SIZE: "2000"
       LDAP_SEARCH_CACHE_SIZELIMIT: "2000"
       LDAP_SEARCH_CACHE_TIMEOUT: 1200s
       LDAP_SEARCH_CN_ATTR_ONLY: "false"
       LDAP_SEARCH_ID_ATTR_ONLY: "false"
       LDAP_SEARCH_SIZE_LIMIT: "50"
       LDAP_SEARCH_TIME_LIMIT: "5"
       MASTER_HOST: mycluster.icp
       NODE_ENV: production
       .
       .
     "/tmp/kubectl-edit-i5ta2.yaml" 60L, 2204C
    
  3. Change the LDAP variable values, as required, and save the ConfigMap.

    After you update and save the changes, you see the following message:

     configmap "platform-auth-idp" edited
    
  4. Restart the auth-idp pod.

    1. Get the auth-idp pod ID.

      kubectl -n ibm-common-services get pods | grep auth-idp
      

      Following is a sample output of the command:

      auth-idp-5b78f                        4/4     Running                3          12d
      
    2. Delete the auth-idp pod.

      kubectl -n ibm-common-services delete pod auth-idp-5b78f
      

      After the pod is deleted, you see the following message:

      pod "auth-idp-5b78f" deleted
      

      Wait for a few minutes for the pod to restart.

    3. Verify the status of the pod.

      kubectl -n ibm-common-services get pods | grep auth-idp
      

      The pod gets a new ID after restart.

      auth-idp-5267t                            1/4       Running     0          4m
      
  5. Verify that the LDAP variables are updated.

    1. Get the platform-auth container ID.

      docker ps | grep platform-auth
      

      Following is a sample output:

      2e5d416fe6d8        3ea9fbf2c199                          "/usr/bin/supervisor…"   12 days ago         Up 12 days                              k8s_platform-auth-service_auth-idp-5b78f_kube-system_b83319c3-2484-11e9-8d6a-00000a29093b_1
      
    2. Log in to the platform-auth container.

      docker exec -it <container ID> bash
      

      Following is a sample command and output:

      docker exec -it 2e5d416fe6d8 bash
      bash-4.4#
      
    3. List the LDAP variables.

      env|grep LDAP
      

      You can see the updated value in the output.

      LDAP_ATTR_CACHE_SIZE=2500
      LDAP_ATTR_CACHE_ENABLED=true
      LDAP_ATTR_CACHE_TIMEOUT=1200s
      LDAP_ATTR_CACHE_SIZELIMIT=2000
      LDAP_SEARCH_CACHE_ENABLED=true
      LDAP_SEARCH_CACHE_SIZE=2000
      LDAP_SEARCH_CACHE_SIZELIMIT=2000
      LDAP_SEARCH_CACHE_TIMEOUT=1200s
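As an added check that is not part of this IBM documentation, the following POSIX shell script compares the `env | grep LDAP` output from step 5 against the values you saved in the platform-auth-idp ConfigMap (the usual gap is an edit that was saved while the auth-idp pod was never restarted) and bounds a cache timeout to a maximum you choose. The sample strings and the function names check_ldap_cache_env and timeout_within are my own constructions.

```shell
# Added example (not from the IBM documentation). Checks that the LDAP cache
# variables the running auth-idp container reports match the values saved in
# the ConfigMap, and that a cache timeout stays within a chosen bound.

# Constructed sample of the container's `env | grep LDAP` output.
SAMPLE_ENV='LDAP_ATTR_CACHE_SIZE=2500
LDAP_ATTR_CACHE_ENABLED=true
LDAP_ATTR_CACHE_TIMEOUT=1200s
LDAP_ATTR_CACHE_SIZELIMIT=2000
LDAP_SEARCH_CACHE_ENABLED=true
LDAP_SEARCH_CACHE_SIZE=2000
LDAP_SEARCH_CACHE_SIZELIMIT=2000
LDAP_SEARCH_CACHE_TIMEOUT=1200s'

# Constructed intended values, as written in the ConfigMap's data section.
EXPECTED='LDAP_ATTR_CACHE_SIZE=2500
LDAP_ATTR_CACHE_TIMEOUT=600s
LDAP_SEARCH_CACHE_TIMEOUT=600s'

# check_ldap_cache_env ENV_TEXT EXPECTED_TEXT
# Prints "KEY expected=X actual=Y" for each key whose running value differs
# from the intended one (typical cause: ConfigMap edited, pod not restarted).
# Returns 0 when every expected key matches, 1 otherwise.
check_ldap_cache_env() {
  bad=0
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    actual=$(printf '%s\n' "$1" | sed -n "s/^${key}=//p")
    if [ "$actual" != "$want" ]; then
      printf '%s expected=%s actual=%s\n' "$key" "$want" "${actual:-<unset>}"
      bad=1
    fi
  done <<EOF
$2
EOF
  return "$bad"
}

# timeout_within KEY VALUE MAX_SECONDS: accepts "1200" or "1200s" (ConfigMap
# form). Cached results are served until the timeout expires, so LDAP changes
# are not seen before then; bound it to your change-propagation window.
timeout_within() {
  secs=${2%s}
  case "$secs" in ''|*[!0-9]*) echo "$1: not a number: $2" >&2; return 2 ;; esac
  [ "$secs" -le "$3" ]
}

# Usage: report mismatches; a non-zero status means restart auth-idp or re-edit.
check_ldap_cache_env "$SAMPLE_ENV" "$EXPECTED" \
  || echo "auth-idp does not yet reflect the ConfigMap" >&2
```

With the constructed inputs the script reports both timeouts as still 1200s, which is exactly what you see when the ConfigMap was saved but the pod from step 4 has not been recreated yet.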