The password verifier profiles enabled out of the box control the generation of certain password verifiers required by Oracle products like Enterprise User Security and Oracle Collaboration Suite. If Oracle Internet Directory is not being deployed for other Oracle products, you can disable all the password verifier profiles. You can disable password policies and password verifiers by using Oracle Directory Services Manager or ldapmodify.
Configuring the entry cache provides benefits if, and only if, all or most entries can be cached. The server entry cache is beneficial for small directory deployments only. Some of the tuning recommendations here contradict the tuning recommendations in the earlier sections.
Review the applicability of entry cache to a given deployment and incorporate the tuning mentioned in this section only if all considerations enumerated here are met. One of the key benefits of using the entry cache is that the LDAP search operations with base scope are about five times as fast. This applies only when all or most entries can be cached. A cache miss is more expensive than disabling the entry cache.
You can configure and optimize the server entry cache by setting the values shown in Table To determine the optimal setting for this attribute, use the number of entries in the Directory Information Tree and multiply by the average entry size. If the size of the largest group entry or entry with binary value is 10M, you would set orclecachemaxentsize to 10,,
Result set cache is an Oracle 11g OID feature that allows complete result sets to be stored in memory.
If a SQL query is executed and its result set is in the cache, then almost the entire overhead of the SQL execution is avoided: this includes parse time, logical reads, physical reads, and any cache contention overhead (latches, for instance) that might normally be incurred. Such queries are repeated by the application every time a user logs in or uses the application.
The result set of such queries may be a single entry. Performance may be affected as OID makes a trip to the database for the entry each time the query is run. OID evaluates the filter without making a trip to the database and therefore reduces the load on the database. Note that the result set cache database parameter can be configured on the client side or server side. When the server side cache is enabled, the result set cache can consume a significant amount of database memory and OID performance may be impacted.
Performance improved by 3 to 5 times when compared to performance when result set cache is not used. Note that any change to the following configuration attributes requires a restart of the OID server (all the instances).
Multi-valued attribute. The value contains the name of the attribute. Typically these attributes are not modified for the life of the entry.
The instance-specific configuration entry attributes orcloptrackmaxtotalsize and orcloptracknumelemcontainers control how much memory is used for security event tracking. The attribute orcloptrackmaxtotalsize specifies the maximum number of bytes of RAM that security events tracking can use for each type of operation.
If the Directory Server exceeds this limit for information collected for an operation, the server stops collecting new information and records appropriate messages in server log files. For the compare operation, the Directory Server uses twice the value of the attribute, which is the combined amount of information about users performing the compare operation and users whose passwords are being compared.
The default value of orcloptrackmaxtotalsize is Bytes, which should be sufficient for most deployments. It can be increased to MB. For information about modifying orcloptrackmaxtotalsize, see the instance-specific configuration attribute examples in "Setting System Configuration Attributes by Using ldapmodify" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
The attribute orcloptracknumelemcontainers allows you to choose the number of in-memory cache containers to be allocated for security event tracking in the Oracle Internet Directory server. There are two subtypes for this attribute. They are 1stlevel and 2ndlevel. The 1stlevel subtype is for setting the number of in-memory cache containers for storing information about users performing operations.
The 2ndlevel subtype, which is applicable only to the compare operation, sets the number of in-memory cache containers for information about the users whose user password is compared and tracked when detailed compare operation statistics are programmed. The default value of both subtypes is The appropriate values for these subtypes depend on the number of users in your environment and the number of applications used to access the directory, as follows:
In a deployment where several applications perform operations on behalf of a large number of end users, set 1stlevel proportional to the number of applications, plus a few hundred more for end users directly accessing the directory. Then set 2ndlevel proportional to the number of end users.
In a deployment where end users themselves perform the operations, set 1stlevel proportional to the number of end users, then set 2ndlevel to a small value, such as
A typical proportional value is one fifth. Proportions between one tenth and one half are reasonable in most environments. If your deployment requires it, set the values for orcloptracknumelemcontainers only when security events collection is turned on.
This section describes attributes that can sometimes improve performance, but are considered low-priority.
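The container sizing guidance given above for orcloptracknumelemcontainers, worked through as an added example (not Oracle's code) that also emits the change record for ldapmodify. The DN placeholder, the function names, the allowance of 300 for "a few hundred" and the small 2ndlevel value of 16 are assumptions; the default divisor of 5 is the one-fifth proportion from the text.

```python
# Placeholder, not a real DN: substitute your instance-specific configuration entry.
INSTANCE_DN = "<DN of the instance-specific configuration entry>"
ATTR = "orcloptracknumelemcontainers"


def _ceil_div(n, d):
    """Integer ceiling division, avoiding float rounding."""
    return -(-n // d)


def size_containers(mode, end_users, applications=0, divisor=5,
                    direct_users=300, small_2ndlevel=16):
    """Return (1stlevel, 2ndlevel) container counts for one deployment style.

    mode="proxied": applications operate on behalf of many end users.
    mode="direct":  end users perform the operations themselves.
    divisor=5 means a proportion of one fifth; 2..10 covers one half to one tenth.
    direct_users and small_2ndlevel are constructed values (assumptions).
    """
    if not 2 <= divisor <= 10:
        raise ValueError("proportion must be between one tenth and one half")
    if mode == "proxied":
        first = _ceil_div(applications, divisor) + direct_users
        second = _ceil_div(end_users, divisor)
    elif mode == "direct":
        first = _ceil_div(end_users, divisor)
        second = small_2ndlevel
    else:
        raise ValueError("mode must be 'proxied' or 'direct'")
    return max(first, 1), max(second, 1)


def to_ldif(first, second, tracking_enabled, dn=INSTANCE_DN):
    """Build an ldapmodify change record; refuse when event tracking is off."""
    if not tracking_enabled:
        raise RuntimeError("security events collection is off; keep the defaults")
    lines = [f"dn: {dn}", "changetype: modify"]
    # Subtypes are written in LDAP attribute-option form: attribute;subtype
    for subtype, value in (("1stlevel", first), ("2ndlevel", second)):
        lines += [f"replace: {ATTR};{subtype}", f"{ATTR};{subtype}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: 40 applications fronting 50,000 end users.
    print(to_ldif(*size_containers("proxied", 50_000, applications=40), True))
```
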
The attribute orclsizelimit controls the maximum number of entries to be returned by a search. The default value is Setting it very high impacts server performance. It also plays a role in limiting the maximum number of changelogs the replication server can process at a time.
The instance-specific subentry attribute orclenablegroupcache controls whether privilege groups and ACL groups are cached. Using this cache can improve the performance of access control evaluation for users. Use the group cache when a privilege group membership does not change frequently. If a privilege group membership does change frequently, then it is best to turn off the group cache. It is important to note that computing a group cache may affect performance.
The default is 1 (enabled). Change to 0 (zero) to disable.
When an LDAP client initiates an operation, then does not respond to the server for a configured number of seconds, the server closes the connection.
The number of seconds is controlled by the orclnwrwtimeout attribute of the instance-specific configuration entry. The default is 30 seconds. You can modify orclnwrwtimeout by using Fusion Middleware Control or the command line.
This section describes some specific use cases that require additional tuning, in addition to Section
If you are planning a large bulkload operation, make the following changes:
Increase the database temporary tablespace before loading a large number of entries. You need about 1G of temporary tablespace per million entries being loaded. You can free up the tablespace after the operation.
If you are planning a large bulkdelete operation, perform the following tasks:
This can provide additional performance benefit. Follow the recommendations about redo logs and undo tablespace in the next section, Section
If you have a high LDAP write operations load, or if you perform many bulkdelete operations, consider tuning the following values:
Increase the size or number of the database redo log files so that the total size is MB. Other considerations affect the total size of redo logs. Depending on how the disks are configured, it might be beneficial to isolate the redo log files to a dedicated set of disks.
Increase the undo tablespace size by adding data files to this tablespace. For most deployments, GB should suffice. Do not use the Oracle Internet Directory server entry cache. Table summarizes the redo log and undo tablespace recommendations provided in this section.
Searches for group entries with several thousand attribute values for either the member or uniquemember attribute can have high latency.
If you find the latency unacceptably high, there are steps you can take to reduce it. The simplest step is to reduce the number of attributes you are searching for. If you do not need to retrieve all the attributes of the group entry, specify required attributes in the search request to optimize the latency. If you still see unacceptable latency, even with required attributes specified, then you can try to cache the large group entry in the entry cache.
To do this, increase the value of the orclEcacheMaxEntSize attribute in the instance-specific configuration entry: If you expect frequent updates to large groups, then do not use this tuning methodology. Use the Entry Cache Disabled Configuration.
If a given attribute has very different response times depending on its value, then the attribute is said to be skewed. You can make the response times for searches on such an attribute uniform by adding it as a value of the orclskewedattribute attribute, which is in the DSA configuration entry.
By default, the objectclass attribute is listed as a value in the orclskewedattribute attribute. You can change the value of orclskewedattribute by using or ldapmodify.
Section 1. Beginning with version Do not modify this attribute. It must be present for Oracle Internet Directory The older attribute orcldirectoryversion still exists, but it is no longer updated to indicate the Oracle Internet Directory version.
It includes the following topics: Section See Also: Note For example, the Logout link might not be displayed. If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.
It includes the following topic: Section
Modify the following line: fi
This command path is not already provided in the existing root. Specifically, the instructions do not work unless the new consumer node is empty.
For example: -P "" If you are using -Q, when prompted for the password, press Enter.
See Also: Section 7.
To work around this issue, modify oracleRoot. Modify the following line: This information is provided in Note
The -P option requires you to specify a wallet password on the command line. The -Q option enables you to provide a password in response to a prompt, which is more secure than typing it on the command line. When there is no wallet password, specify the password on the command line as a null string, using quote characters.
Workaround: Use the flag -v as the last parameter when running the ldapdelete command.