
Configuring Support for Large LDAP Policy Stores

Discussion created by masvi10 Employee on Jul 24, 2012
Latest reply on Jul 24, 2012 by Chris_Hackett

Tuesday Tip by Vijay Masurkar, Principal Support Engineer, for 7-24-12

In a SiteMinder R12 SP3 environment, setting the Max AdmComm Buffer Size registry setting to a high value can cause high CPU utilization on the Policy Server, and may even appear as an Administrative UI performance issue when the Policy Server is too busy. To prevent such problems, set the values of these two registry settings with care, as recommended below.

Max AdmComm Buffer Size
------------------------------------
Specifies the Administrative UI buffer size (specifically, the maximum amount of data, in bytes, that is passed from the Policy Server to the Administrative UI in a single packet).

The Max AdmComm Buffer Size registry setting should be configured at the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServ\

The value of this setting must be chosen very carefully, because allocating a larger buffer decreases overall performance. Note that the value is stored in kilobytes (KB).
Range: 256 KB to 2,097,000 KB

** It is very important to note that the buffer size should be increased in small amounts (~128k or so), as needed, and by somebody who understands Policy Server performance issues.

Default: 256 KB (also applies when this registry setting does not exist).

The R12 SP3 Policy Server Administration Guide covers this in the following topic:
“Configure Support for Large LDAP Policy Stores”.

Secondly, when searching on many policy objects using the Administrative UI, the connection between the Administrative UI and the Policy Server can time out, the Policy Server tunnel buffer can become corrupt, or both. In such cases, the Administrative UI displays a connection timeout error and no search results are returned. To eliminate this problem, adjust the Administrative UI Policy Server connection timeout and create a registry key for the Policy Server tunnel buffer size.

SearchTimeout
---------------------
Specifies the search timeout, in seconds, for LDAP policy stores.

The SearchTimeout registry setting should be configured at the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore\SearchTimeout

The appropriate value for this setting depends on several factors, including network speed, the size of the LDAP search query response, the LDAP connection state, the load on the LDAP server, and so on. The value should be large enough to prevent an LDAP timeout when fetching large amounts of policy store data from the LDAP server. The default value is 20 seconds (also applies when this registry setting does not exist).

** It is very important to note that this timeout should be set carefully and as needed, and by somebody who understands network and LDAP performance issues.

The R12 SP3 Policy Server Release Notes cover this in the following topic:
“Searches for Many Policy Objects (63721)”.

The R12 SP3 Policy Server Installation Guide covers this in the following topic:
“Search Fails with Timeout Error”.
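
A read-only check of both settings, added here as an example and not part of the original tip or of CA's documentation. It reads the two values from the registry locations given above and compares them with the defaults and range stated in this post. It assumes a Windows Policy Server host, numeric registry values, and an account that can read HKLM; the helper name Get-EffectiveSetting is hypothetical.

```powershell
# Read-only check of the two Policy Server registry settings discussed above.
# Key paths and value names are taken from the post; the defaults (256 KB, 20 s)
# and the 256..2,097,000 KB range are the ones it states.
$base = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion'

# Hypothetical helper: returns the stored value, or the documented default
# when the setting does not exist (the post says the default applies then).
function Get-EffectiveSetting {
    param(
        [string]$Path,    # registry key
        [string]$Name,    # value name
        [int]$Default     # default that applies when the value is absent
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{ Name = $Name; Present = $false; Value = $Default }
    } else {
        # Assumption: the value is stored as a number (type is not stated in the post).
        [pscustomobject]@{ Name = $Name; Present = $true; Value = [int]$item.$Name }
    }
}

$buf = Get-EffectiveSetting -Path "$base\PolicyServ" -Name 'Max AdmComm Buffer Size' -Default 256
$tmo = Get-EffectiveSetting -Path "$base\LdapPolicyStore" -Name 'SearchTimeout' -Default 20

$findings = @()
if ($buf.Value -lt 256 -or $buf.Value -gt 2097000) {
    $findings += "Max AdmComm Buffer Size = $($buf.Value) KB is outside 256..2097000 KB"
} elseif ($buf.Value -gt 256) {
    $findings += "Max AdmComm Buffer Size = $($buf.Value) KB is above the 256 KB default; watch Policy Server CPU"
}
if ($tmo.Value -ne 20) {
    $findings += "SearchTimeout = $($tmo.Value) s differs from the 20 s default; confirm it was sized for LDAP response times"
}

# Show the effective values, then any findings.
$buf, $tmo | Format-Table Name, Present, Value -AutoSize
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Both settings are at their documented defaults.' }
```

Recording the output before and after each change makes it easy to confirm that the buffer size was raised in small steps and to roll back if Policy Server CPU utilization climbs.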
