PingDirectory

Tuning the index entry limit for large groups

The PingDirectory server uses indexes to improve database search performance and to provide consistent search rates regardless of the number of database objects stored in the directory information tree (DIT).

About this task

You can specify an index entry limit property that defines the maximum number of entries allowed to match a given index key before the server no longer maintains it.

Steps

  • When the index keys have reached the default limit of 4000, rebuild the indexes using the rebuild-index tool.

    Example:

    $ bin/rebuild-index --baseDN dc=example,dc=com --index objectclass
  • For PingDirectory server environment directories containing more than 4000 groups with the same structural object class, such as more than 4000entries, 4000 groupOfUniqueNames entries, 4000 groupOfEntries entries, or 4000 groupOfURLs entries, increase the index entry limit for the objectClass attribute so that it has a value larger than the maximum number of group entries of each type by setting the index-entry-limit property in the command line.

    For most PingDirectory server environments, the default index entry limit value of 4000 entries is sufficient. However, group-related processing might be necessary to increase the index entry limit.

    Example:

    $ bin/dsconfig set-local-db-index-prop --backend-name userRoot \
      --index-name objectClass --set index-entry-limit:175000
  • As an alternative, create a separate backend to hold these group entries so that an unindexed search in that backend yields primarily group entries.

    If you make no changes, then the internal search performed at startup to identify all groups and any user searches looking for groups of a given type can be expensive.

  • For directories in which any single user is be a member of more than 4000 static groups of the same type, increase the index entry limit for the member or uniqueMember attribute to a value larger than the maximum number of groups in which any user is a member.

    If you do not increase the limit, searches to retrieve the set of all static groups in which the user is a member can be unindexed and therefore expensive.