Changing LDAP search cache variable values

Change the default values of the Lightweight Directory Access Protocol (LDAP) search cache variables.

You can change the values of the following variables:

Table 1. LDAP cache parameters
Variable Default value Description
LDAP_SEARCH_CACHE_TIMEOUT 1200 seconds The maximum time that the contents of the search results cache are available.
LDAP_SEARCH_CACHE_ENABLED true A Boolean value to indicate that the search results must be cached or not.
LDAP_SEARCH_CACHE_SIZE 2000 The number of search results that are stored in the cache.
LDAP_SEARCH_CACHE_SIZELIMIT 2000 The maximum number of results that can be cached for a single LDAP search.
LDAP_ATTR_CACHE_SIZE 2000 The number of entities that can be stored in the cache.
LDAP_ATTR_CACHE_TIMEOUT 1200 seconds The maximum time that the contents of the LDAP attribute cache are available.
LDAP_ATTR_CACHE_SIZELIMIT 2000 The maximum number of attributes per LDAP entity that are cached.
LDAP_ATTR_CACHE_ENABLED true A Boolean value to indicate that the entities must be cached or not.

For more information, see LDAP User Registry (ldapRegistry).

Follow these steps to change the variable values:

  1. Install the Kubernetes CLI (kubectl).

  2. Edit the platform-auth-idp configmap.

     kubectl -n ibm-common-services edit configmap platform-auth-idp

    The file content resembles the following code:

     # Please edit the following object. Lines beginning with a '#' will be ignored,
     # and an empty file will abort the edit. If an error occurs while saving this file will be
     # reopened with the relevant failures.
     apiVersion: v1
       AUDIT_DETAIL: "false"
       AUDIT_ENABLED_IDMGMT: "false"
       LDAP_ATTR_CACHE_SIZE: "2000"
       LDAP_SEARCH_CN_ATTR_ONLY: "false"
       LDAP_SEARCH_ID_ATTR_ONLY: "false"
       MASTER_HOST: mycluster.icp
       NODE_ENV: production
     "/tmp/kubectl-edit-i5ta2.yaml" 60L, 2204C
  3. Change the LDAP variable values, as required, and save the ConfigMap.

    After you update and save the changes, you see the following message:

     configmap "platform-auth-idp" edited
  4. Restart the auth-idp pod.

    1. Get the auth-idp pod ID.

      kubectl -n ibm-common-services get pods | grep auth-idp

      Following is a sample output of the command:

      auth-idp-5b78f                        4/4     Running                3          12d
    2. Delete the auth-idp pod.

      kubectl -n ibm-common-services delete pod auth-idp-5b78f

      After the pod is deleted, you see the following message:

      pod "auth-idp-5b78f" deleted

      Wait for a few minutes for the pod to restart.

    3. Verify the status of the pod.

      kubectl -n ibm-common-services get pods | grep auth-idp

      The pod gets a new ID after restart.

      auth-idp-5267t                            1/4       Running     0          4m
  5. Verify that the LDAP variables are updated.

    1. Get the platform-auth container ID.

      docker ps | grep platform-auth

      Following is a sample output:

      2e5d416fe6d8        3ea9fbf2c199                          "/usr/bin/supervisor…"   12 days ago         Up 12 days                              k8s_platform-auth-service_auth-idp-5b78f_kube-system_b83319c3-2484-11e9-8d6a-00000a29093b_1
    2. Log in to the platform-auth container.

      docker exec -it <container ID> bash

      Following is a sample command and output:

      docker exec -it 2e5d416fe6d8 bash
    3. List the LDAP variables.

      env|grep LDAP

      You can see the updated value in the output.