Crowd 2.0 : Configuring Caching for an LDAP Directory
This page last changed on Jun 28, 2009 by smaddox.
Directory caching can be used to enable fast recurrent access to user, group and role data for a particular directory. This page describes caching that can be configured on the Crowd server, to store user and group information from a Crowd-connected LDAP directory. For an overview of the other types of caching offered by Crowd, please refer to Overview of Caching. On this page: Features of LDAP Caching in CrowdWhere the LDAP directory supports it, Crowd will keep an up-to-date cache of user, group and role information retrieved from the LDAP directory. Use of the cache should improve performance particularly in directories which are large, slow or off site. Summary of the caching features:
The diagram below gives a conceptual overview of the caches supported by Crowd, including the LDAP caching discussed on this page. For an overview of the other types of caching offered by Crowd, please refer to Overview of Caching. Supported LDAP Directories
LDAP Persistent SearchFor supported LDAP directories, Crowd monitors changes via the LDAP change notification feature known as 'persistent search'. The word 'persistent' means that the search remains active forever, once initiated. Crowd performs the initial search on the LDAP directory and receives the results. From that point on, whenever an entry in the result set is updated, the LDAP directory sends Crowd a new copy of that entry. Microsoft Active Directory Change NotificationCrowd sends a request to AD at regular intervals, asking to be notified of changes made since the last request, via the uSNChanged attribute. You can configure the time interval on Crowd's Directory Connector screen for your Active Directory. Details are in MSDN. Configuring the CacheScreen snippet: Cache Configuration for Microsoft Active Directory
Setting the Maximum Number of Elements in MemoryWhen configuring the cache, you can set the 'Max Cache Elements in Memory'. This number is proportional to the number of users/groups that can be stored in memory before overflowing to disk. If you have limited JVM memory constraints, you can set the number to a lower value. Note that loading from disk can be significantly slower than loading from memory. Crowd uses Ehcache for its cache implementation. The maximum number of elements in memory is one of the configuration settings allowed by Ehcache. Each cached directory consists of about 20 internal caches. The maximum number of elements in memory corresponds to the maximum elements per internal cache. The largest internal cache maps DNs to principals/groups/roles. Therefore the maximum number of elements in memory should approximate the sum of principals + groups + roles in the scope of your configured LDAP subtrees. We recommend leaving this value at the default 50,000 unless you experience memory problems. This setting means that if the number of principals + groups + roles exceeds 50,000, then some of the entities will overflow to a disk-based cache. We have tested with up to 8,000 users and 8,000 groups. We used 512 MB of JVM memory (-Xmx) and set the maximum number of elements in memory to 50,000. Setting the Polling Interval for Cache UpdatesWhen configuring the cache for Microsoft Active Directory, you can set the 'Polling Interval'. This is the time interval (number of seconds) that Crowd will wait between its requests for updates from AD. The length of your polling interval depends on the length of time you can tolerate stale data. If you poll more frequently, then your data will be more up to date. The downside of polling more frequently is that you may overload your AD server with requests. A good value for the polling interval would take into account the performance of your AD server and the size of the pipe between the AD server and the Crowd server. If in doubt, we recommend that you start with an interval of 5 or 10 minutes and reduce the value incrementally. You will need to experiment with your setup. You can use Crowd's performance profiling feature to see the performance of your setup. Very short and very long intervals:
Inspecting and Flushing the CacheYou can view directory information via the Directory Browser. The 'View Directory' screen allows you to:
LimitationsLimitations for All DirectoriesThe following comments apply to all directory types, including Microsoft Active Directory.
Additional Limitations for Microsoft Active DirectoryIn addition to the general limitations listed above, please take note of these comments which apply specifically to Microsoft Active Directory (AD).
Error HandlingIf Crowd detects a connection timeout or an error, Crowd will automatically flush the caches and re-start the directory monitors. To manually flush the cache and re-start the monitors, use the "Flush Cache" button. RELATED TOPICS
|
![]() |
Document generated by Confluence on Jul 30, 2009 01:29 |