Chapter 7. Adjusting IdM Directory Server performance
You can tune the performance of Identity Management’s databases by adjusting LDAP attributes controlling the Directory Server’s resources and behavior.
To adjust how the Directory Server caches data, see the following procedures:
To adjust the Directory Server’s resource limits, see the following procedures:
To adjust timeouts that have the most influence on performance, see the following procedures:
To install an IdM server or replica with custom Directory Server settings from an LDIF file, see the following procedure:
7.1. Adjusting the entry cache size
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.
The nsslapd-cachememsize attribute specifies the size, in bytes, for the available memory space for the entry cache. This attribute is one of the most important values for controlling how much physical RAM the directory server uses.
If the entry cache size is too small, you might see the following error in the Directory Server error logs in the /var/log/dirsrv/slapd-INSTANCE-NAME/errors log file:
REASON: entry too large (83886080 bytes) for the import buffer size (67108864 bytes). Try increasing nsslapd-cachememsize.
Red Hat recommends fitting the entry cache and the database index entry cache in memory.
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Disable automatic cache tuning.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config set --cache-autosize=0Display the database suffixes and their corresponding back ends.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix list cn=changelog (changelog) dc=example,dc=com (userroot) o=ipaca (ipaca)
This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.
Set the entry cache size for the database. This example sets the entry cache for the userroot database to 2 gigabytes.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix set --cache-memsize=2147483648 userrootRestart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
cache-memsizeto a different value, or re-enable cache auto-sizing.
Verification steps
Display the value of the
nsslapd-cachememsizeattribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cachememsize nsslapd-cachememsize: 2147483648
Additional resources
- nsslapd-cachememsize in Directory Server 11 documentation
- Re-enabling entry and database cache auto-sizing.
7.2. Adjusting the database index cache size
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.
The nsslapd-dbcachesize attribute controls the amount of memory the database indexes use. This cache size has less of an impact on Directory Server performance than the entry cache size does, but if there is available RAM after the entry cache size is set, Red Hat recommends increasing the amount of memory allocated to the database cache.
The database cache is limited to 1.5 GB RAM because higher values do not improve performance.
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Disable automatic cache tuning, and set the database cache size. This example sets the database cache to 256 megabytes.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config set --cache-autosize=0 --dbcachesize=268435456Restart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
dbcachesizeto a different value, or re-enable cache auto-sizing.
Verification steps
Display the value of the
nsslapd-dbcachesizeattribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dbcachesize nsslapd-dbcachesize: 2147483648
Additional resources
- nsslapd-dbcachesize in Directory Server 11 documentation
- Re-enabling entry and database cache auto-sizing.
7.3. Re-enabling database and entry cache auto-sizing
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Red Hat does not recommend setting cache sizes manually.
By default, the IdM Directory Server automatically determines the optimal size for the database cache and entry cache. Auto-sizing sets aside a portion of free RAM and optimizes the size of both caches based on the hardware resources of the server when the instance starts.
Use this procedure to undo custom database cache and entry cache values and restore the cache auto-sizing feature to its default values.
|
|
This settings controls how much free RAM is allocated for auto-sizing the database and entry caches. A value of |
| Default value |
|
| Valid range |
|
| Entry DN location |
|
|
|
This value sets the percentage of free memory determined by |
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- You have previously disabled database and entry cache auto-tuning.
Procedure
Stop the Directory Server.
[root@server ~]# systemctl stop dirsrv.targetBackup the
/etc/dirsrv/slapd-instance_name/dse.ldiffile before making any further modifications.[root@server ~]# *cp /etc/dirsrv/slapd-instance_name/dse.ldif \ /etc/dirsrv/slapd-instance_name/dse.ldif.bak.$(date "+%F_%H-%M-%S")
Edit the
/etc/dirsrv/slapd-instance_name/dse.ldiffile:Set the percentage of free system RAM to use for the database and entry caches back to the default of 10% of free RAM.
nsslapd-cache-autosize: 10Set the percentage used from the free system RAM for the database cache to the default of 25%:
nsslapd-cache-autosize-split: 25
-
Save your changes to the
/etc/dirsrv/slapd-instance_name/dse.ldiffile. Start the Directory Server.
[root@server ~]# systemctl start dirsrv.target
Verification steps
Display the values of the
nsslapd-cache-autosizeandnsslapd-cache-autosize-splitattributes and verify they have been set to your desired values.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-cache-autosize nsslapd-cache-autosize: *10 nsslapd-cache-autosize-split: 25
Additional resources
- nsslapd-cache-autosize in Directory Server 11 documentation
7.4. Adjusting the DN cache size
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.
The nsslapd-dncachememsize attribute specifies the size, in bytes, for the available memory space for the Distinguished Names (DN) cache. The DN cache is similar to the entry cache for a database, but its table stores only the entry ID and the entry DN, which allows faster lookups for rename and moddn operations.
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
(Optional) Display the database suffixes and their corresponding database names.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix list dc=example,dc=com (userroot)
This command displays the name of the back end database next to each suffix. Use the suffix’s database name in the next step.
Set the DN cache size for the database. This example sets the DN cache to 20 megabytes.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix set --dncache-memsize=20971520 userrootRestart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
dncache-memsizeto a different value, or back to the default of 10 MB.
Verification steps
Display the new value of the
nsslapd-dncachememsizeattribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=userroot,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-dncachememsize nsslapd-dncachememsize: 20971520
Additional resources
- nsslapd-dncachememsize in Directory Server 11 documentation
7.5. Adjusting the normalized DN cache size
Red Hat recommends using the built-in cache auto-sizing feature for optimized performance. Only change this value if you need to purposely deviate from the auto-tuned values.
The nsslapd-ndn-cache-max-size attribute controls the size, in bytes, of the cache that stores normalized distinguished names (NDNs). Increasing this value will retain more frequently used DNs in memory.
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Ensure the NDN cache is enabled.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ndn-cache-enabled Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-ndn-cache-enabled: on
If the cache is
off, enable it with the following command.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-ndn-cache-enabled=on Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-ndn-cache-enabled"Retrieve the current value of the
nsslapd-ndn-cache-max-sizeparameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ndn-cache-max-size Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-ndn-cache-max-size: 20971520Modify the value of the
nsslapd-ndn-cache-max-sizeattribute. This example increases the value to41943040(40 MB).[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-ndn-cache-max-size=41943040-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-ndn-cache-max-sizeto a different value, or re-enable cache auto-sizing.
Verification steps
Display the new value of the
nsslapd-ndn-cache-max-sizeattribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ndn-cache-max-size Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-ndn-cache-max-size: 41943040
Additional resources
- nsslapd-ndn-cache-max-size in Directory Server 11 documentation
7.6. Adjusting the maximum message size
The nsslapd-maxbersize attribute sets the maximum size in bytes allowed for an incoming message or LDAP request. Limiting the size of requests prevents some kinds of denial of service attacks.
If the maximum message size is too small, you might see the following error in the Directory Server error logs at /var/log/dirsrv/slapd-INSTANCE-NAME/errors:
Incoming BER Element was too long, max allowable is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and if the entry in the request is larger than the configured value or the default, then the add request is denied. However, the limit is not applied to replication processes. Be cautious before changing this attribute.
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-maxbersizeparameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxbersize Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-maxbersize: 2097152Modify the value of the
nsslapd-maxbersizeattribute. This example increases the value to4194304, 4 MB.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-maxbersize=4194304Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-maxbersize"-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-maxbersizeto a different value, or back to the default of2097152.
Verification steps
Display the value of the
nsslapd-maxbersizeattribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxbersize Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-maxbersize: 4194304
Additional resources
- nsslapd-maxbersize (Maximum Message Size) in Directory Server 11 documentation
7.7. Adjusting the maximum number of file descriptors
The nsslapd-maxdescriptors attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server uses. File descriptors are used for client connections, log files, sockets, and other resources.
If you set the nsslapd-maxdescriptors value higher than the total number of file descriptors that the operating system allows the ns-slapd process to use, the Directory Server queries the operating system for the maximum allowable value, and then uses that value.
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-maxdescriptorsparameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxdescriptors Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-maxdescriptors: 4096Modify the value of the
nsslapd-maxdescriptorsattribute. This example increases the value to8192.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-maxdescriptors=8192Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-maxdescriptors"-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-maxdescriptorsto a different value, or back to the default of4096.
Verification steps
Display the value of the
nsslapd-maxdescriptorsattribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-maxdescriptors Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-maxdescriptors: 8192
Additional resources
- nsslapd-maxdescriptors (Maximum File Descriptors) in Directory Server 11 documentation
7.8. Adjusting the connection backlog size
The listen service sets the number of sockets available to receive incoming connections. The nsslapd-listen-backlog-size value sets the maximum length of the queue for the sockfd socket before refusing connections.
If your IdM environment handles a large amount of connections, consider increasing the value of nsslapd-listen-backlog-size.
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-listen-backlog-sizeparameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-listen-backlog-size Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-listen-backlog-size: 128Modify the value of the
nsslapd-listen-backlog-sizeattribute. This example increases the value to192.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-listen-backlog-size=192Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-listen-backlog-size"
Verification steps
Display the value of the
nsslapd-listen-backlog-sizeattribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-listen-backlog-size Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-listen-backlog-size: 192
Additional resources
- nsslapd-listen-backlog-size) in Directory Server 11 documentation
7.9. Adjusting the maximum number of database locks
Lock mechanisms control how many copies of Directory Server processes can run at the same time, and the nsslapd-db-locks parameter sets the maximum number of locks.
Increase the maximum number of locks if if you see the following error messages in the /var/log/dirsrv/slapd-instance_name/errors log file:
libdb: Lock table is out of available locks| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-db-locksparameter and make a note of it before making any adjustments, in case it needs to be restored.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks nsslapd-db-locks: 50000Modify the value of the
locksattribute. This example doubles the value to100000locks.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config set --locks=100000Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully updated database configurationRestart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target
Verification steps
Display the value of the
nsslapd-db-locksattribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config" | grep nsslapd-db-locks nsslapd-db-locks: 100000
Additional resources
- nsslapd-db-locks in Directory Server 11 documentation
7.10. Adjusting the input/output block timeout
The nsslapd-ioblocktimeout attribute sets the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
Lower the value of the nsslapd-ioblocktimeout attribute to free up connections sooner.
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-ioblocktimeoutparameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ioblocktimeout Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-ioblocktimeout: 10000Modify the value of the
nsslapd-ioblocktimeoutattribute. This example lowers the value to8000.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-ioblocktimeout=8000Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-ioblocktimeout"-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-ioblocktimeoutto a different value, or back to the default of10000.
Verification steps
Display the value of the
nsslapd-ioblocktimeoutattribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-ioblocktimeout Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-idletimeout: 8000
Additional resources
- nsslapd-ioblocktimeout (IO Block Time Out) in Directory Server 11 documentation
7.11. Adjusting the idle connection timeout
The nsslapd-idletimeout attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by the IdM server. A value of 0 means that the server never closes idle connections.
Red Hat recommends adjusting this value so stale connections are closed, but active connections are not closed prematurely.
| Default value |
|
| Valid range |
|
| Entry DN location |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Retrieve the current value of the
nsslapd-idletimeoutparameter and make a note of it before making any adjustments, in case it needs to be restored. Enter the Directory Manager password when prompted.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-idletimeout Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-idletimeout: 3600Modify the value of the
nsslapd-idletimeoutattribute. This example lowers the value to1800(30 minutes).[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-idletimeout=1800Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "nsslapd-idletimeout"-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
nsslapd-idletimeoutto a different value, or back to the default of3600.
Verification steps
Display the value of the
nsslapd-idletimeoutattribute and verify it has been set to your desired value.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-idletimeout Enter password for cn=Directory Manager on ldap://server.example.com: nsslapd-idletimeout: 3600
Additional resources
- nsslapd-idletimeout (Default Idle Timeout) in Directory Server 11 documentation
7.12. Adjusting the replication release timeout
An IdM replica is exclusively locked during a replication session with another replica. In some environments, a replica is locked for a long time due to large updates or network congestion, which increases replication latency.
You can release a replica after a fixed amount of time by adjusting the repl-release-timeout parameter. Red Hat recommends setting this value between 30 and 120:
- If the value is set too low, replicas are constantly reacquiring one another and replicas are not able to send larger updates.
-
A longer timeout can improve high-traffic situations where it is best if a server exclusively accesses a replica for longer amounts of time, but a value higher than
120seconds slows down replication.
| Default value |
|
| Valid range |
|
| Recommended range |
|
Prerequisites
- The LDAP Directory Manager password
Procedure
Display the database suffixes and their corresponding back ends.
[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com backend suffix list cn=changelog (changelog) dc=example,dc=com (userroot) o=ipaca (ipaca)
This command displays the names of the back end databases next to their suffix. Use the suffix name in the next step.
Modify the value of the
repl-release-timeoutattribute for the main userroot database. This example increases the value to90seconds.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com replication set --suffix="dc=example,dc=com" --repl-release-timeout=90Authenticate as the Directory Manager to make the configuration change.
Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "repl-release-timeout"(Optional) If your IdM environment uses the IdM Certificate Authority (CA), you can modify the value of the
repl-release-timeoutattribute for the CA database. This example increases the value to90seconds.[root@server ~]# dsconf -D "cn=Directory Manager" ldap://server.example.com replication set --suffix="o=ipaca" --repl-release-timeout=90 Enter password for cn=Directory Manager on ldap://server.example.com: Successfully replaced "repl-release-timeout"
Restart the Directory Server.
[root@server ~]# systemctl restart dirsrv.target-
Monitor the IdM directory server’s performance. If it does not change in a desirable way, repeat this procedure and adjust
repl-release-timeoutto a different value, or back to the default of60seconds.
Verification steps
Display the value of the
nsds5ReplicaReleaseTimeoutattribute and verify it has been set to your desired value.[root@server ~]# ldapsearch -D "cn=directory manager" -w DirectoryManagerPassword -b "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" | grep nsds5ReplicaReleaseTimeout nsds5ReplicaReleaseTimeout: 90
The Distinguished Name of the suffix in this example is dc=example,dc=com, but the equals sign (=) and comma (,) must be escaped in the ldapsearch command.
Convert the suffix DN to cn=dc\3Dexample\2Cdc\3Dcom with the following escape characters:
-
\3Dreplacing= -
\2Creplacing,
Additional resources
- nsDS5ReplicaReleaseTimeout in Directory Server 11 documentation
7.13. Installing an IdM server or replica with custom database settings from an LDIF file
You can install an IdM server and IdM replicas with custom settings for the Directory Server database. The following procedure shows you how to create an LDAP Data Interchange Format (LDIF) file with database settings, and how to pass those settings to the IdM server and replica installation commands.
Prerequisites
- You have determined custom Directory Server settings that improve the performance of your IdM environment. See Adjusting IdM Directory Server performance.
Procedure
Create a text file in LDIF format with your custom database settings. Separate LDAP attribute modifications with a dash (-). This example sets non-default values for the idle timeout and maximum file descriptors.
dn: cn=config changetype: modify replace: nsslapd-idletimeout nsslapd-idletimeout=1800 - replace: nsslapd-maxdescriptors nsslapd-maxdescriptors=8192
Use the
--dirsrv-config-fileparameter to pass the LDIF file to the installation script.To install an IdM server:
# ipa-server-install --dirsrv-config-file filename.ldifTo install an IdM replica:
# ipa-replica-install --dirsrv-config-file filename.ldif
Additional resources
