Tech Tip – How to Tune Oracle Directory Server for Policy Store


How to Tune Oracle Directory Server for Policy Store



1. For larger policy stores, edit the following ldif file:

    policy_server_home/xps/db/OracleDirectoryServerBrowse.ldif  (or SunOneBrowse.ldif depending upon       

    SiteMinder version)

2. Replace the Root_DN shown in the following line:

    vlvBase: ou=xps,ou=PolicySvr4,ou=siteminder,ou=netegrity,Root_DN

    …with the base dn of your policy store, as shown in the following line:


3. Run the following command

   smldapsetup ldmod -fOracleDirectoryServerBrowse.ldif –v

4. Stop the database and re‑index the vlv indexes with the following commands:

   dsadm stop Instance_Path

   dsadm reindex -bl -t “Sort xpsSortKey” Instance_Path policysvr4

5. Re-index other XPS attributes:

   dsadm reindex -b -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject -t       xpsTombstone instance_path policysvr4

6. Start the directory server instance.

    dsadm start Instance_Path

Note: instance_path Specifies the path to the directory server instance functioning as the policy store. For more information about dsadm command, see your vendor–specific documentation.

Additionally, You can also have a look at the following parameters (values are given as samples. You would need to validate them with your Oracle Directory Server administrator and CA Services consultant ).

1. Make sure that the LDAP cache on the LDAP server is sized properly. You could consider increasing if at 100%

At the Suffix level:

            Check existing values:

            dsconf get-suffix-prop -P <secure port> <SUFFIX_DN>


            dsconf get-suffix-prop -P 2466 dc=ca,dc=com

            You can then modify the suffix properties as below :

            Modify suffix Properties:

            dsconf set-suffix-prop -P <secure port> <SUFFIX_DN> PROP:VALUE


            dsconf set-suffix-prop -P 2466 dc=ca,dc=com entry-cache-mode:manual

            You can consider modifying following properties based on your need:

      • entry-cache-mode
      • entry-cache-count
      • entry-cache-size

            At the Server level:

            You can change these settings also at the server level using following command:

            ./dsconf get-server-prop

            ./dsconf set-server-prop

2. Configure “nsslapd-allidsthreshold” attribute ,

This attribute defines a threshold to limit the length of an index list. The threshold is called the index list threshold. If the number of entries in the list for a particular key exceeds the index list threshold, an un-indexed search is performed. The value of the nsslapd-allidsthreshold attribute can be configured globally for a Directory Server instance, or can be configured for a suffix, or can be configured for an index type. If the value of the nsslapd-allidsthresholdattribute is configured globally for a suffix, it can then be changed for a specific index. You must rebuild all indexes after you change the nsslapd-allidsthreshold attribute.

You will want to increase the value to accommodate large number of entries based on how big is your policy store.

Consider setting it to 20,000 (or higher depending on your need)

Default value : 4000

How to determine an appropriate value for the “nsslapd-allidsthreshold”

Following article describes a practical way to determine the value for nsslapd-allidsthreshold

Changing the Index List Threshold Size

Good values for nsslapd-allidsthreshold typically fall in a range around 5 percent of the total number of entries in the directory. For example, the default value of 4000 is generally right for Directory Server instances handling 80,000 entries or less. You may decide to set the value significantly higher than 5 percent of the total if you expect to add large numbers of entries to the directory in the near term, or if you expect the directory to grow considerably. You may also decide to set the threshold differently on consumer replicas supporting many searches than on masters supporting almost only writes. If you plan to initialize a large directory from LDIF in the near term, you may even choose to adjust the value for nsslapd-allidsthreshold just before initialization, as each change to the value of this attribute requires that all indexes be rebuilt. Finally, you may choose to set this value quite high in directories with deeply hierarchical DITs, so searches for all entries below a given branch are indexed. In any case, avoid setting the all IDs threshold very high (above 50,000) even for very large deployments unless you have a good, specific reason for doing so.”

So the rule of thumb f is to set it to a value  = 5 % of total no of entries under the suffix for which it is being set. But this has to be adjusted based on some *special* scenario as described above.

3. Possibly consider the following SunOne parameter: nsslapd-search-tune

This attribute specifies that Directory Server should skip the double-check it normally does to verify that search results returned include the most current version of the entry content, even if the entry has been modified during the search.  This double-check verification involves testing the search filter against each entry to return in response to the search.

Allowing Directory Server to skip the filter test when the search involves complex filters and large static groups can result in significant performance improvement.

Recommendation : Set it to 59.

References :

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest

Leave a Reply

Your email address will not be published.