LDAP-UX Integration Performance and Tuning Guidelines

Enabling SSL has minimal impact on the performance of the LDAP-UX client because of how LDAP-UX
maintains a semi-persistent connection to the directory server. This constant connection to the LDAP directory
server minimizes the expensive overhead of SSL connection establishment.
pwgrd
pwgrd is an HP-UX system-wide caching daemon. It supports the passwd and group name service subsystems.
This daemon is enabled by default on HP-UX, and can greatly reduce the load on the LDAP directory server. For
example, a typical login by a user generates about 16 name service requests. With pwgrd, 13 of the 16 requests are
for previously cached data, so the load on the server is reduced by more than a factor of 5.
However, pwgrd has several limitations that should be considered:
- pwgrd caches data only for 45 seconds. Any request for name service data that hasn’t been cached recently will
  result in a query to the LDAP server.
- pwgrd caches only passwd and group data. All requests on other name services (such as hosts, netgroups,
  etc.) result in a query to the LDAP server.
- pwgrd only caches account and group information. Authentication information (such as when a user logs in)
  cannot be cached (for security purposes). When a user logs in, at least one ldap_bind request must be sent to
  the directory server.
- pwgrd has a limited caching facility. If pwgrd is used to cache a large set of entries (many different users and
  groups), pwgrd will fill up its hash entries very quickly. Once a hash bucket in pwgrd is filled up, the LDAP
  server must be queried for the requested data. This limitation is demonstrated in the table below. You can
  determine the effectiveness of the pwgrd cache using the pwgr_stat command (see man 1M pwgr_stat).
- pwgrd does not help when applications perform enumeration (call a getxxent() routine).
[Figure: Performance of pwgrd with large active data set. X axis: size of active data set (100 to 500). Y axis: requests per second (0 to 9000).]
Note: The “active data set” describes the number of concurrently (within the last 45 seconds)
referenced accounts/groups. The total number of accounts and groups may be much
larger. An “active data set” of more than 100 would be unusual.
pwgrd’s greatest value is to cache data that has been recently accessed. This greatly improves scalability when
activity on a single client increases. However, it does not significantly reduce the load on the LDAP directory server
if there are many clients whose access is light enough that entries in the cache have expired.
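
The effect of the 45-second lifetime on directory server load can be seen in a small model. This is an added example, not part of the HP guide and not pwgrd's implementation. The simulate and logins helpers, the three distinct entries per login, expiry measured from fetch time, and the capacity limit are all assumptions made for illustration.

```python
"""Toy per-client cache model for the pwgrd behaviour described above."""

TTL = 45  # seconds an entry stays cached, per the guide


def simulate(events, ttl=TTL, capacity=None):
    """events: (time_s, client, key) tuples sorted by time.
    Every client has its own cache, since pwgrd runs per host.
    capacity (assumed model): once a client's cache is full, new entries
    are not stored, so each later request for them reaches the server.
    Returns (total_requests, requests_reaching_ldap)."""
    caches = {}  # client -> {key: time the entry was fetched}
    total = misses = 0
    for t, client, key in events:
        cache = caches.setdefault(client, {})
        # Assumption: lifetime is measured from the fetch, not the last hit.
        for k in [k for k, fetched in cache.items() if t - fetched >= ttl]:
            del cache[k]
        total += 1
        if key in cache:
            continue          # answered locally by the cache
        misses += 1           # query goes to the directory server
        if capacity is None or len(cache) < capacity:
            cache[key] = t
    return total, misses


def logins(n_logins, interval_s, client, lookups=16, distinct=3):
    """n_logins by one user on one client, interval_s apart. 16 lookups per
    login is the guide's figure; 3 distinct entries is an assumption that
    reproduces its 13-of-16 cached count."""
    return [(i * interval_s, client, f"entry{j % distinct}")
            for i in range(n_logins) for j in range(lookups)]


def scenarios():
    """Constructed workloads, each returning (requests, server queries)."""
    light = sorted(e for c in range(5) for e in logins(2, 60, f"host{c}"))
    return {
        "one login, cold cache": simulate(logins(1, 0, "hostA")),
        "busy client, login every 10 s": simulate(logins(10, 10, "hostA")),
        "5 light clients, login every 60 s": simulate(light),
        "one login, cache limited to 2": simulate(logins(1, 0, "hostA"), capacity=2),
    }


if __name__ == "__main__":
    for name, (total, misses) in scenarios().items():
        print(f"{name}: {misses} of {total} requests reach the LDAP server")
```

The busy client and the five light clients issue the same number of requests, but the light clients send five times as many queries to the directory server because every login arrives after the cached entries have expired.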