Tuning the access to the LDAP server

Configure the pooling parameters to improve the performance of concurrent access to an LDAP server.

Virtual member manager supports two pooling mechanisms for LDAP repositories:

  • Connection pooling
  • Context pooling

Connection pooling

The connection pooling mechanism is provided by the Java Runtime Environment (JRE) at the Java Naming and Directory Interface (JNDI) layer.

Follow these steps to enable or disable connection pooling for each LDAP repository configured in virtual member manager:
  1. In the WebSphere Application Server administrative console, click Security > Global Security.
  2. Under User account repository, select Federated repositories from the Available realm definitions field and click Configure.
    Note: To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.
  3. Under Related items click Manage repositories > repository_name.
  4. On the panel that appears, under Additional properties, click Performance.
  5. Select or clear the Use connection pooling option.

After you enable connection pooling, use the connection pooling settings to specify how the JNDI layer handles pooling. In the administrative console, use the Application servers > server_name > Process definition > Java Virtual Machine page to configure Java virtual machine (JVM) settings and specify the Generic JVM arguments. For information about accessing this page, read Configuring the JVM.

These settings affect all applications running on the server, not just virtual member manager. For more information about the properties used by the JNDI layer to configure the pool settings, read about Connect Pooling Configuration (http://java.sun.com/products/jndi/tutorial/ldap/connect/config.html) on the Sun website.

Context pooling

Virtual member manager uses the context pooling mechanism to improve the performance of concurrent access to an LDAP server.

Context pooling works at a higher level than connection pooling. Each context entry in the context pool corresponds to a socket connection to the LDAP server. The bind credentials used by this pool (the bind distinguished name and password of the repository) are specified when configuring the LDAP repository, so every operation served from the pool runs against the LDAP server with that identity, not with the identity of the end user.

Follow these steps to enable or disable context pooling for each LDAP repository configured in virtual member manager:
  1. In the WebSphere Application Server administrative console, click Security > Global Security.
  2. Under User account repository, select Federated repositories from the Available realm definitions field and click Configure.
    Note: To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.
  3. Under Related items click Manage repositories > repository_name.
  4. On the panel that appears, under Additional properties, click Performance.
  5. Select or clear the Enable context pool option, and specify values for the context pool parameters.

For more information on configuring context pooling through the administrative console, read about Lightweight Directory Access Protocol performance settings in the WebSphere Application Server documentation.

You can also use the setIdMgrLDAPContextPool command to set the values for the context pool parameters. For more information about setting the context pooling parameters, read about the setIdMgrLDAPContextPool command of the IdMgrRepositoryConfig command group for the AdminTask object in the WebSphere Application Server documentation.
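The following wsadmin Jython script is an added example and is not part of the WebSphere Application Server documentation. It applies the context pool parameters through setIdMgrLDAPContextPool and, only if you choose to enable connection pooling, appends the JNDI com.sun.jndi.ldap.connect.pool.* properties described above to the server's generic JVM arguments. The repository id LDAP1, the cell, node and server names, and the numeric values are assumptions; the command and parameter names are those of the IdMgrRepositoryConfig command group and the AdminConfig object. The syntax is kept compatible with the Jython level shipped with wsadmin (no f-strings or with statements).

```python
# Added example: wsadmin Jython script for the LDAP pool settings.
# Not taken from the product documentation; ids and values are assumed.

LDAP_REPO_ID = 'LDAP1'                                    # assumed repository id
SERVER_PATH = '/Cell:cell01/Node:node01/Server:server1/'  # assumed names


def context_pool_params(repo_id, init_size, pref_size, max_size, timeout_s):
    """Build the argument string for AdminTask.setIdMgrLDAPContextPool.

    Enforces the tuning guidance: initPoolSize below 10, prefPoolSize not
    above a non-zero maxPoolSize (0 lets the pool grow as needed), and a
    poolTimeOut in seconds that the caller picks from the LDAP server or
    firewall idle timeout, whichever is lower.
    """
    if init_size >= 10:
        raise ValueError('initPoolSize should be less than 10')
    if max_size != 0 and pref_size > max_size:
        raise ValueError('prefPoolSize cannot exceed maxPoolSize')
    return ('[-id %s -enabled true -initPoolSize %d -prefPoolSize %d '
            '-maxPoolSize %d -poolTimeOut %d]'
            % (repo_id, init_size, pref_size, max_size, timeout_s))


def jndi_pool_jvm_args(init_size, pref_size, max_size, timeout_ms):
    """Generic JVM arguments for the JRE's own JNDI LDAP connection pool.

    Only meaningful when "Use connection pooling" is selected. These are
    Java system properties, so they apply to every application on the
    server, and the pool keeps bind-as-user authentication sockets open
    until `timeout` (milliseconds) expires.
    """
    return ' '.join([
        '-Dcom.sun.jndi.ldap.connect.pool.initsize=%d' % init_size,
        '-Dcom.sun.jndi.ldap.connect.pool.prefsize=%d' % pref_size,
        '-Dcom.sun.jndi.ldap.connect.pool.maxsize=%d' % max_size,
        '-Dcom.sun.jndi.ldap.connect.pool.timeout=%d' % timeout_ms,
    ])


def apply_tuning(admin_task, admin_config, use_connection_pooling=False):
    """Apply the settings through the wsadmin AdminTask/AdminConfig objects.

    The default leaves connection pooling off, which is what the
    performance tuning guidance recommends when concurrent
    authentications are expected.
    """
    admin_task.setIdMgrLDAPContextPool(
        context_pool_params(LDAP_REPO_ID, 5, 10, 0, 300))
    if use_connection_pooling:
        server = admin_config.getid(SERVER_PATH)
        jvm = admin_config.list('JavaVirtualMachine', server)
        # Append rather than overwrite: the JVM may already carry arguments.
        existing = admin_config.showAttribute(jvm, 'genericJvmArguments') or ''
        new_args = (existing + ' ' + jndi_pool_jvm_args(1, 5, 20, 300000)).strip()
        admin_config.modify(jvm, [['genericJvmArguments', new_args]])
    admin_config.save()


# Under wsadmin the AdminTask and AdminConfig objects are predefined;
# anywhere else (for example, importing this file for a dry run) they are
# not, so the script then does nothing.
try:
    AdminTask
except NameError:
    pass
else:
    apply_tuning(AdminTask, AdminConfig)
```

Run it with wsadmin -lang jython -f ldap_pool_tuning.py; the context pool change takes effect after the server restarts, and the JVM argument change only matters if connection pooling has actually been selected on the repository's Performance panel.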

Performance tuning

As context pooling has the same benefit as connection pooling, it is not necessary to enable connection pooling. By default, connection pooling is disabled in virtual member manager.

Enabling both context and connection pools may not provide any added performance benefit, and may produce adverse effects when performing concurrent authentications.

Most operations, such as create, search, update, or delete, are performed using an available context (DirContext) from the context pool. Each context is associated with one socket connection (when connection pooling is disabled). For these operations, the maximum number of sockets that virtual member manager opens against the LDAP server does not exceed the value specified for the maximum pool size parameter.

Concurrent authentications

Virtual member manager does not use the context pool to authenticate a user. Instead, it binds with the distinguished name and password of the authenticating user. When authenticating different users, this forces the JNDI layer to create a new socket connection for each authentication. If connection pooling is disabled, the socket is closed immediately after the authentication is completed. If connection pooling is enabled, the socket remains open until it times out. Therefore, if your application performs concurrent authentications, disable connection pooling so that the number of sockets that virtual member manager opens against the LDAP server does not exceed what the server can handle.

The maximum socket connections that virtual member manager opens for all operations (including authentications) is the value specified in maximum pool size plus the number of concurrent authentications. For example, if 250 clients log in and perform a search simultaneously, then 250 new sockets are opened to perform the authentication, in addition to the 250 sockets that are taken from the context pool to perform the search. The total number of sockets at this time may reach 500, but after the authentications are completed, the 250 new sockets that were opened for the authentication are closed, if connection pooling is disabled. If connection pooling is enabled, the 250 new sockets remain open until they time out.

The default values for context pooling are suitable for most environments. Use the following context pool settings for performance tuning, assuming that connection pooling is disabled:

  • Initial pool size (initPoolSize): Specify a value that is less than 10.
  • Preferred pool size (prefPoolSize): Specify the number of open connections to the LDAP server that the context pool should maintain.
  • Maximum pool size (maxPoolSize): Specifying a value of 0 allows the pool to grow as needed, which is suitable for most environments. If the number of connections to the LDAP server needs to be constrained, then set Maximum pool size to less than half of the maximum number of connections that the LDAP server can handle.
  • Context pool times out (poolTimeOut): Specify, in seconds, the lesser of your LDAP server or firewall connection time out, if applicable.
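The following Python script is an added example, not part of the WebSphere Application Server documentation. It encodes the socket accounting from the concurrent authentications section (peak sockets = maxPoolSize plus the number of concurrent authentications) and the tuning rules in the list above as a review function, and counts the sockets actually open to the LDAP server from ss -tan output on the application server host. The ss output and the LDAP server address 10.0.0.20:636 are constructed sample data; the treatment of poolTimeOut 0 as "no expiry" is an assumption about the product default.

```python
"""Added example: sizing review for the virtual member manager LDAP
context pool plus a socket count from `ss -tan`. Not product code;
sample data below is constructed."""

# Constructed sample of `ss -tan` on the application server host. The
# LDAP server is assumed to be 10.0.0.20:636; 10.0.0.30:443 is unrelated.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB      0      0      10.0.0.5:41234        10.0.0.20:636
ESTAB      0      0      10.0.0.5:41236        10.0.0.20:636
TIME-WAIT  0      0      10.0.0.5:41235        10.0.0.20:636
ESTAB      0      0      10.0.0.5:41240        10.0.0.20:636
ESTAB      0      0      10.0.0.5:50000        10.0.0.30:443
"""


def count_ldap_sockets(ss_output, ldap_host, ldap_port):
    """Count sockets to the LDAP server per TCP state from `ss -tan` text.

    Compare the ESTAB count with peak_sockets(); lingering sockets after
    a burst of logins are the sign that connection pooling is enabled.
    """
    peer = "%s:%d" % (ldap_host, ldap_port)
    counts = {}
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[4] != peer:
            continue
        counts[fields[0]] = counts.get(fields[0], 0) + 1
    return counts


def peak_sockets(max_pool_size, concurrent_auths):
    """Upper bound on sockets VMM opens: pool contexts plus one bind-as-user
    socket per in-flight authentication (authentication bypasses the pool)."""
    return max_pool_size + concurrent_auths


def review_pool_settings(init_pool_size, pref_pool_size, max_pool_size,
                         pool_timeout, server_max_connections,
                         concurrent_auths, connection_pooling=False,
                         ldap_idle_timeout=None, firewall_idle_timeout=None):
    """Return a list of findings against the tuning guidance; [] means OK.

    Timeouts are in seconds. max_pool_size 0 means the pool grows as needed,
    so no peak can be computed for it.
    """
    findings = []
    if connection_pooling and concurrent_auths > 0:
        findings.append("connection pooling is enabled: each authentication "
                        "socket stays open until the JNDI pool timeout; disable it")
    if init_pool_size >= 10:
        findings.append("initPoolSize=%d: keep it below 10" % init_pool_size)
    if max_pool_size != 0:
        if max_pool_size >= server_max_connections / 2.0:
            findings.append("maxPoolSize=%d is not below half of the LDAP server "
                            "limit of %d" % (max_pool_size, server_max_connections))
        if pref_pool_size > max_pool_size:
            findings.append("prefPoolSize=%d exceeds maxPoolSize=%d"
                            % (pref_pool_size, max_pool_size))
        peak = peak_sockets(max_pool_size, concurrent_auths)
        if peak > server_max_connections:
            findings.append("peak of %d sockets (%d pool + %d authentications) "
                            "exceeds the LDAP server limit of %d"
                            % (peak, max_pool_size, concurrent_auths,
                               server_max_connections))
    limits = [t for t in (ldap_idle_timeout, firewall_idle_timeout) if t]
    # Assumption: poolTimeOut 0 means contexts never expire, so a server or
    # firewall that drops idle connections would leave stale contexts in the pool.
    if limits and (pool_timeout == 0 or pool_timeout > min(limits)):
        findings.append("poolTimeOut=%d: set it to at most %d, the lesser of the "
                        "LDAP server and firewall idle timeouts"
                        % (pool_timeout, min(limits)))
    return findings


if __name__ == "__main__":
    print(count_ldap_sockets(SAMPLE_SS_OUTPUT, "10.0.0.20", 636))
    for finding in review_pool_settings(10, 20, 800, 600, 1000, 250,
                                        connection_pooling=True,
                                        firewall_idle_timeout=300):
        print("- " + finding)
```

The 250-client login example from the text maps to peak_sockets(250, 250) == 500; if the ESTAB count from count_ldap_sockets stays near that level long after the logins complete, connection pooling is holding the authentication sockets open.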