Changing LDAP search cache variable values

Change the default values of the Lightweight Directory Access Protocol (LDAP) search cache variables.

You can change the values of the following variables:

Table 1. LDAP cache parameters

Variable                      Default value   Description
LDAP_SEARCH_CACHE_TIMEOUT     1200 seconds    The maximum time that entries in the search results cache are served before they expire.
LDAP_SEARCH_CACHE_ENABLED     true            A Boolean value that indicates whether search results are cached.
LDAP_SEARCH_CACHE_SIZE        2000            The number of search results that can be stored in the cache.
LDAP_SEARCH_CACHE_SIZELIMIT   2000            The maximum number of results that can be cached for a single LDAP search.
LDAP_ATTR_CACHE_SIZE          2000            The number of entities that can be stored in the attribute cache.
LDAP_ATTR_CACHE_TIMEOUT       1200 seconds    The maximum time that entries in the LDAP attribute cache are served before they expire.
LDAP_ATTR_CACHE_SIZELIMIT     2000            The maximum number of attributes per LDAP entity that are cached.
LDAP_ATTR_CACHE_ENABLED       true            A Boolean value that indicates whether entities are cached.

Until an entry expires, cached search results and attributes are served without another query to the directory, so a change made in LDAP (for example, a disabled account or a removed group membership) can remain in effect in the platform for up to the configured timeout. Shorter timeouts narrow that window at the cost of more LDAP queries.

For more information, see LDAP User Registry (ldapRegistry).

Follow these steps to change the variable values:

  1. Edit the platform-auth-idp configmap.

    oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    

    The file content resembles the following code:

    # Please edit the following object. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    data:
      AUDIT_DETAIL: "false"
      AUDIT_ENABLED_IDMGMT: "false"
      AUDIT_ENABLED_IDPROVIDER: "false"
      .
      .
      LDAP_ATTR_CACHE_ENABLED: "true"
      LDAP_ATTR_CACHE_SIZE: "2000"
      LDAP_ATTR_CACHE_SIZELIMIT: "2000"
      LDAP_ATTR_CACHE_TIMEOUT: 1200s
      LDAP_SEARCH_CACHE_ENABLED: "true"
      LDAP_SEARCH_CACHE_SIZE: "2000"
      LDAP_SEARCH_CACHE_SIZELIMIT: "2000"
      LDAP_SEARCH_CACHE_TIMEOUT: 1200s
      LDAP_SEARCH_CN_ATTR_ONLY: "false"
      LDAP_SEARCH_ID_ATTR_ONLY: "false"
      LDAP_SEARCH_SIZE_LIMIT: "50"
      LDAP_SEARCH_TIME_LIMIT: "5"
      MASTER_HOST: mycluster.icp
      NODE_ENV: production
      .
      .
    
  2. Change the LDAP variable values, as required, and save the ConfigMap. Every value in the data section is a string: keep the quotation marks around Boolean and numeric values (for example, "false" or "600"), otherwise the save is rejected, and keep the s suffix on the timeout values, as in the sample (for example, 600s).

    After you update and save the changes, you see the following message:

    configmap "platform-auth-idp" edited
    
  3. Restart the platform-identity-provider pod.

    1. Get the platform-identity-provider pod name.

      oc -n <your-foundational-services-namespace> get pods | grep platform-identity-provider
      

      Following is a sample output of the command:

      platform-identity-provider-5b78f                        4/4     Running                3          12d
      
    2. Delete the platform-identity-provider pod.

      oc -n <your-foundational-services-namespace> delete pod platform-identity-provider-5b78f
      

      After the pod is deleted, you see the following message:

      pod "platform-identity-provider-5b78f" deleted
      

      Wait for a few minutes for the pod to restart.

    3. Verify the status of the pod.

      oc -n <your-foundational-services-namespace> get pods | grep platform-identity-provider
      

      The pod gets a new name after restart. READY stays at 1/4 until all of its containers have started; wait until it reports 4/4, as in the earlier sample, before you rely on the new cache settings.

      platform-identity-provider-5267t               1/4       Running     0          4m
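The same procedure as a non-interactive script, as an added example that is not part of the original page or of the product. It validates each value against the formats the sample ConfigMap shows (true/false for the _ENABLED keys, seconds with an s suffix for the _TIMEOUT keys, positive integers for the size keys), builds a JSON merge patch, applies it with oc patch instead of oc edit, deletes the platform-identity-provider pod and waits until the replacement is Ready. It assumes oc is logged in, that the NS variable holds your foundational-services namespace, and that a deployment recreates the pod after deletion; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the page or the product): non-interactive equivalent of
# the oc edit / delete pod procedure above. Assumes oc is logged in and NS holds
# the foundational-services namespace when apply_cache_settings is called.
set -eu

# The eight keys from Table 1; anything else is rejected so that a typo cannot
# silently add an unrelated key to the ConfigMap.
LDAP_CACHE_KEYS="LDAP_SEARCH_CACHE_TIMEOUT LDAP_SEARCH_CACHE_ENABLED \
LDAP_SEARCH_CACHE_SIZE LDAP_SEARCH_CACHE_SIZELIMIT LDAP_ATTR_CACHE_SIZE \
LDAP_ATTR_CACHE_TIMEOUT LDAP_ATTR_CACHE_SIZELIMIT LDAP_ATTR_CACHE_ENABLED"

# is_posint VALUE: true for a positive decimal integer without a leading zero.
is_posint() {
  case $1 in ''|*[!0-9]*|0*) return 1 ;; esac
}

# validate_cache_value KEY VALUE: true if KEY is a cache key and VALUE is
# well-formed for it, in the formats the sample ConfigMap shows: *_ENABLED is
# true/false, *_TIMEOUT is seconds with an s suffix (1200s), the size keys are
# positive integers. Only these characters pass, so a validated value can be
# placed inside the JSON patch below without escaping.
validate_cache_value() {
  local key=$1 value=$2
  case " $LDAP_CACHE_KEYS " in
    *" $key "*) ;;
    *) return 1 ;;
  esac
  case $key in
    *_ENABLED) [ "$value" = true ] || [ "$value" = false ] ;;
    *_TIMEOUT) case $value in *s) is_posint "${value%s}" ;; *) return 1 ;; esac ;;
    *)         is_posint "$value" ;;
  esac
}

# build_cache_patch KEY=VALUE ...: prints a JSON merge patch for the ConfigMap's
# data map, or prints nothing and fails if any pair is rejected.
build_cache_patch() {
  local pair key value fields=
  [ $# -gt 0 ] || return 1
  for pair in "$@"; do
    key=${pair%%=*} value=${pair#*=}
    validate_cache_value "$key" "$value" || { echo "rejected: $pair" >&2; return 1; }
    fields="$fields${fields:+,}\"$key\":\"$value\""
  done
  printf '{"data":{%s}}\n' "$fields"
}

# apply_cache_settings KEY=VALUE ...: steps 1 to 3 of the procedure without an
# interactive editor. Assumes a deployment recreates the pod after deletion.
apply_cache_settings() {
  local ns patch pod
  ns=${NS:?set NS to your foundational-services namespace}
  patch=$(build_cache_patch "$@") || return 1
  oc -n "$ns" patch configmap platform-auth-idp --type merge -p "$patch"
  # Delete the running pod (oc delete waits until it is gone) so the
  # replacement starts with the new values.
  oc -n "$ns" get pods -o name | grep platform-identity-provider \
    | xargs -r oc -n "$ns" delete
  pod=
  while [ -z "$pod" ]; do
    sleep 5
    pod=$(oc -n "$ns" get pods -o name | grep platform-identity-provider || true)
  done
  # Ready means every container is up (4/4 in the sample), not only 1/4.
  oc -n "$ns" wait --for=condition=Ready --timeout=300s $pod
}

# Example call (not run here): shorten both cache windows to five minutes.
#   NS=<your-foundational-services-namespace> apply_cache_settings \
#     LDAP_SEARCH_CACHE_TIMEOUT=300s LDAP_ATTR_CACHE_TIMEOUT=300s
```

The patch is applied with --type merge, so only the listed keys change and the rest of platform-auth-idp is left as it was; a rejected value stops the script before anything is patched, which is the point of validating first.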