Lotusphere 2007: ID204 - Take Control of Your IBM Lotus Domino Directory Infrastructure with Lotus Domino 8!
Where are your directory pain-points? It can be time consuming to configure, deploy and maintain a corporate directory infrastructure. In this session we'll cover the new Lotus Domino 8 directory features that will enable you to accomplish these tasks. We'll highlight Directory Lint, the new verification tool that enables admins to check directory integrity and suggest corrections. By popular demand, Directory Assistance now guides you through LDAP connection configuration and we'll show you how. Is your Lotus Domino LDAP server performance suffering? New LDAP statistics identify slow performing search patterns that your applications are sending. Last but not least, we'll touch on how tracing can help you better troubleshoot the root cause of an issue.

http://kenlin.com

  1. ID204: Take Control of Your IBM Lotus Domino Directory Infrastructure with Lotus Domino 8!
     - Josh Burchard, IBM Software Group, Domino Directory Team
     - Ken Lin, IBM Software Group, Domino Directory Team
  2. Agenda
     - NameLookup Logging Improvements
     - Directory Lint
     - Directory Assistance LDAP Helpers
     - Domino LDAP Server Performance
  3. NameLookup Logging Improvements
     Getting to the root of the problem
  4. Improved NameLookup Logging: Finer Granularity
     NAMELookup logging has been streamlined:
     - debug_namelookup=1: will continue to supply information as it always has
       From the console: set config debug_namelookup=1

         NAMELookup::<Lookup> PID:TID ( 42C: 7B) start of routine
         NAMELookup::<lookup> Searching name='Terri' (1 of 1 names).
         NAMELookup::<lookup> Searching view='$Users' (1 of 1 views).
         NAMELookup::<lookup> Searching DBIndex=1.
         NAMELookup::<lookup> from cache took 0 msecs
         NAMELookup::<lookup> NumReturned=1, TotalNumReturned=1 match(es) for name='Terri'
         NAMELookup::<NextNameDatabase> DAResolveDomain found 2 directories: TESTDIR1,NEWDIR2.
         NAMELookup::<NextNameDatabase> looking for directory TESTDIR1 in OPEN_NAME_COLLECTION queue for NRPC Clients.
         NAMELookup::<NextNameDatabase> Found directory TESTDIR1 in OPEN_NAME_COLLECTION queue, DBIndex=2.
         NAMELookup::<NAMELookUpDiskLookup> name='Terri' was found '1' match(es) in domain='TESTDIR1'
         NAMELookup::<lookup> NumReturned=1, TotalNumReturned=1 match(es) for name='Terri'
         NAMELookup::<lookup> DBIndex=1 specified, search is over!

     - debug_namelookup=2: “Search mode”. Less verbosity
  5. Improved NameLookup Logging: Finer Granularity
     - debug_namelookup=16: enables you to see LDAP Gateway logging

         NAMELookup::<lookup> Searching name='Josh' (1 of 1 names).
         NAMELookup::<lookup> Searching view='$Users' (1 of 1 views).
         NAMELookup::<lookup> Searching DBIndex=3.
         NAMELookup::<NAMELookupDiskLookup> name='Josh', view='$Users', domain='NEWDIR2, db=3
         01/05/2007 03:17:06.53 PM [042C:007B-1530] NAMELookup::<LDAP GW> Searching LDAPhost='[121.121.121.99]:389' anonymously, msgid='13'...
         01/05/2007 03:17:06.53 PM [042C:007B-1530] NAMELookup::<LDAP GW> Attr: fullname
         01/05/2007 03:17:06.53 PM [042C:007B-1530] NAMELookup::<LDAP GW> Attr: CN
         01/05/2007 03:17:06.53 PM [042C:007B-1530] NAMELookup::<LDAP GW> Attr: objectClass
         01/05/2007 03:17:06.53 PM [042C:007B-1530] NAMELookup::<LDAP GW> Base:
         01/05/2007 03:17:06.53 PM [042C:007B-1530] NAMELookup::<LDAP GW> Scope: 2
         01/05/2007 03:17:06.53 PM [042C:007B-1530] NAMELookup::<LDAP GW> Filter: (|(cn=Josh)(uid=Josh) (sn=Josh)(givenname=Josh)(mail=Josh))
         01/05/2007 03:17:06.53 PM [042C:007B-1530] NAMELookup::<LDAP GW> Timeout: 60 secs
         01/05/2007 03:20:50.14 PM [042C:007B-0668] NAMELookup::<LDAP GW> ldap_search returned matched DN='CN=Josh Thornton/O=Bruins'
         01/05/2007 03:20:50.14 PM [042C:007B-0668] NAMELookup::<LDAP GW> Return buffer was added ok.
         NAMELookup::<NAMELookUpDiskLookup> name='Joe Thornton' was found '1' match(es) in domain='NEWDIR2'
         NAMELookup::<lookup> NumReturned=1, TotalNumReturned=4 match(es) for name='Josh Thornton'
  6. Directory Lint (AKA DirLint)
     Problems with directory integrity can be hard to diagnose and remedy
  7. Background: “Directory Lint” - What a weird name
     - C/C++ programmers can probably nap through this slide
     - “Lint” is commonly known as a program that can verify the integrity of C code by:
       - Flagging suspicious elements that some pre-configured logic thinks may turn out to be bugs
     - “Lint” itself came from “the name of the undesirable bits of fiber and fluff found in sheep's wool”
     - “IBM Lotus Domino Directory Name Fixer-Upper” wasn't too catchy
     Lint programming tool. (2006, November 13). In Wikipedia, The Free Encyclopedia. Retrieved 15:55, December 21, 2006, from http://en.wikipedia.org/w/index.php?title=Lint_programming_tool&oldid=87512453
  8. So what does this DirLint thing do?
  9. Overview: Directory Lint
     - A tool that can be used to provide you with Domino directory integrity
     - Reports inconsistencies in Domino directory naming hierarchy
     - Gives a heads-up about invalid syntax in Domino directory names that can vex search and login attempts
     - Scans group member lists to ensure each member exists in an available Directory Assistance configured directory
     - 8.0’s DirLint is just the beginning! More exciting stuff to come in future revs!
  10. And how does DirLint do it?
  11. DirLint: The basic flow… straightforward.
     - You specify one or more Domino directory databases to scan
     - DirLint runs tests against the given directories
     - An XML report is generated that flags possible issues
  12. Hold on a second!
     - Q: I know there’s this thing in Domino called Domino Domain Monitoring (DDM) that flags issues… so why an XML report?
     - A1: We wanted to roll out this first rev of DirLint and get it in your hands as soon as possible
     - A2: Don’t fret! While it might not be in this revision, DDM integration is coming down the pike!
     - Oh, all that and we’ll get you started using the XML report by making an XSLT tool available for you online
     - Now, back to what DirLint actually does
  13. Scan Directory Hierarchy
     - Using the Domino Registration Process will keep your directory crisp and clean
     - Also, adding new entries to Domino through LDAP is safe
     - BUT! Notes client, Registration-bypassing, name adds may leave hierarchy gaps
     - For example:
       - You add “cn=Jane Dough/ou=OurOrganizationalUnit/o=IBM”
       - You didn't add a document for “ou=OurOrganizationalUnit”... not such a big deal in Domino
       - However, searches in LDAP may fail
     - Directory Lint will report these types of errors and let you choose what to fix
  14. Sounds a lot like VerifyDIT, to me
     - You caught me!
     - VerifyDIT was extended to work with DirLint and:
       - Be a kinder, gentler incarnation
       - Report changes, not just arbitrarily modify your directory
     - Now, you can SEE what will happen if you run the classic VerifyDIT on your directory BEFORE changes are made
     - You still have the choice of running the classic VerifyDIT whenever you want
  15. OK, what else? Invalid DN Syntax
     - Again, using Domino Registration (it’s a great tool) you shouldn’t need to worry
     - BUT special “escaped” characters can creep into your directory names in multiple ways:
       - Special LDAP chars added through Notes
         Example: You were thinking LDAP-style (comma delimited) while typing in: cn=Josh Burchard,o=IBM
         - You really wanted: “cn=Josh Burchard/o=IBM” in Domino
         - You get: “cn=Josh Burchard,o=IBM/o=MYDOMAIN”
         - Everything, including commas, is your entire CN!
  16. Invalid DN Syntax
     - Names added via Domino LDAP before 7.0
       Example using the special ‘+’ character:
       - The LDAP DN CN=This+That,OU=West,O=Acme should be converted to Notes DN CN=This"+"That/OU=West/O=Acme.
       - However, previous revisions did not correctly escape the + (plus) character with double-quotes, resulting in a Notes DN (CN=This+That/OU=Westford/O=Acme) that appears to have a multi-valued RDN.
       - Oops!
     - Custom programs that bypass syntax checking and write directly to a directory database
  17. Special Characters – Risky Business?
     - Our translation routines can only be so clever, and special chars that sneak into the Domino directory may not translate to LDAP the way you expect and vice versa
     - Can cause problems when searching for names
     - Can cause problems when trying to log in with an LDAP-style name to use a Domino web resource
  18. Special Characters – The Li’l Translation List
     The following characters need special handling when present in an LDAP DN:
     - less than character <
     - greater than character >
     - semicolon character ;
     - comma character , (within a name, not being used as separator)
     - plus sign character +
     - double quote character “
     - backslash character \
     - equal sign =
     - A space or # character occurring at the beginning of the string
     - A space character occurring at the end of the string
     Find more about this general topic here: Domino 7.0 Release notes http://www-12.lotus.com/ldd/doc/domino_notes/7.0/readme.nsf
     Navigate to: Domino Server -> About this release -> New in this release -> New enhancements -> LDAP special character handling
  19. Special Characters - How DirLint can Help
     - Scans the names in your directory to find out if the special chars from the chart are embedded
     - Reports them to you and gives you the choice to decide what to keep as-is and what to change
  20. PRESENTATION DEMO WILL BE RECORDED AND PROVIDED ONLINE
  21. Group Member Craziness
     - Problems can arise whenever human input is involved - group membership lists are no exception
       - Inserting typos in otherwise valid names
       - Totally invalid and non-existent names
       - Etc.
     - But even correctly entered names that exist today may go away tomorrow!
  22. Group Members - What do I do?
     - Use Domino Registration when removing things that may be group members, and you'll be ok
     - Run DirLint! DirLint will scan your group member lists and ensure names exist in a directory available through Directory Assistance
  23. PRESENTATION DEMO WILL BE RECORDED AND PROVIDED ONLINE
  24. Cool! How do I get started?
     - Simple!
     - Type: “load dirlint -?” at the Domino server's console command line to get an overview of all the commands, options and tests DirLint offers to give you control over directory integrity!
  25. PRESENTATION DEMO WILL BE RECORDED AND PROVIDED ONLINE
  26. Directory Assistance LDAP Helpers
     How Do I Integrate My Other LDAP Server Into Domino Directory Services?
  27. Directory Assistance / Secondary LDAP Directories
     A way for your Notes applications to achieve …
     - Internet Authentication
     - Group Authorization
     - Mail Addressing, etc.
     to secondary directories
  28. Directory Assistance LDAP Tab
  29. Suggest - Hostname
     - DNS SRV records, per RFC 2782 (Active Directory automatically does this)
     - Server’s DNS suffix
  30. Suggest - Base DN for Search
     - Domino LDAP servers return empty search base, denoting the root
  31. Suggest - Type Of Search Filter
     - Domino LDAP (8.0) – dominoAccessGroups for group authorization
     - IBM Directory Server (8.0) – ibm-allGroups for group authorization
     - Active Directory (7.0/6.5.5) – memberOf for group authorization
  32. Verify - Optional Credentials
  33. Verify - Notes DN Attribute
  34. Review
     - Simplifies successful DA/LDAP configurations by suggesting and immediately testing settings
     - Suggest buttons are great for configuring DA/LDAP connections for the first time
     - Verify buttons are great for re-testing existing DA/LDAP connection configurations
  35. Domino LDAP Search Performance
     What To Do When Someone Tells You LDAP Is Slow
  36. Two Step Approach
     1. Identify - How do you determine what’s slow?
        - Previously, set LDAPDEBUG=1 in Notes.ini to see LDAP server traces
        - Previously, turn on LDAP Activity Logging
        - Now, see LDAP.Search.Longest Statistics
     2. Remedy - How do you improve slow searches?
        - Adjust the Domino LDAP server
        - Adjust the LDAP client application
  37. 1. Identify
     How do you determine what’s slow?
  38. LDAPDEBUG=1 Peeks into Domino LDAP Server

         01:12:56.00 PM LDAP> ***** Start search request processing *****
         01:12:56.00 PM LDAP> Scope: SUBTREE
         01:12:56.00 PM LDAP> Dereference Aliases: 0
         01:12:56.00 PM LDAP> TimeLimit: 15
         01:12:56.00 PM LDAP> SizeLimit: 0
         01:12:56.00 PM LDAP> Attributes to return: ALL
         01:12:56.00 PM LDAP> Base: o=klint42p
         01:12:56.00 PM LDAP> Filter: (|(cn=ken lin)(givenname=ken lin) (sn=ken lin)(uid=ken lin)(mail=ken lin))
         01:12:56.00 PM LDAP> *** Searching in database c:\domino\data\names.nsf...
         01:12:56.00 PM LDAP> Type of search: View Search
         01:12:56.00 PM LDAP> ... Searching view ($LDAPCN) for match on cn = ken lin
         01:12:56.01 PM LDAP> ... Searching view ($LDAPG) for match on givenname = ken lin
         01:12:56.01 PM LDAP> ... Searching view ($LDAPS) for match on sn = ken lin
         01:12:56.01 PM LDAP> ... Searching view $Users for match on uid = ken lin
         01:12:56.01 PM LDAP> ... Searching view $Users for match on mail = ken lin
         01:12:56.01 PM LDAP> GetSearchEntry State
         01:12:56.01 PM LDAP> Found matching entry, Note ID: 4942
         01:12:56.01 PM LDAP> SendSearchEntry, sending entry CN=Ken Lin,O=klint42p
         01:12:56.01 PM LDAP> GetSearchEntry State
         01:12:56.01 PM LDAP> Search State
         01:12:56.01 PM LDAP> Search State
         01:12:56.01 PM LDAP> ***** Count of search entries returned (total): 1 *****
         01:12:56.01 PM LDAP> Return Result State (Search operation)
         01:12:56.01 PM LDAP> StateReturnResult returning resultCode 0 (Success)

  39. Approaches
     Previous approaches are laborious:
       1. Turn on LDAPDEBUG=1 Tracing or Activity Logging
       2. Restart LDAP server
       3. Resend LDAP traffic
       4. Analyze lots and lots of data
       5. Remedy
       6. Repeat steps 2-5 until satisfied
       7. Turn off tracing or logging
       8. Resume normal LDAP application operation
     New LDAP.Search.Longest Domino statistics (since 7.0.2):
       1. SHOW STAT LDAP
       2. Analyze just a few statistics
       3. Remedy
     - No digging through lots of traces!
     - No down time!
     - No recreating LDAP traffic - these stats always maintained!
  40. LDAP.Search.Longest Statistics

         > show stat ldap
         LDAP.Average LDAP Search time = 0.013
         LDAP.Longest LDAP Search request = Base: , Filter: (&(objectclass=groupofnames) (member=cn=ken lin,o=klint42p)), Scope: 2, Entries Found: 1
         LDAP.Longest LDAP Search time = 0.06
         LDAP.Search.Longest.AverageTime.01 = 0.023
         LDAP.Search.Longest.AverageTime.02 = 0.014
         LDAP.Search.Longest.AverageTime.03 = 0.01
         LDAP.Search.Longest.AverageTime.04 = 0.008
         LDAP.Search.Longest.Count.01 = 29
         LDAP.Search.Longest.Count.02 = 30
         LDAP.Search.Longest.Count.03 = 30
         LDAP.Search.Longest.Count.04 = 30
         LDAP.Search.Longest.Entries.01 = 29
         LDAP.Search.Longest.Entries.02 = 30
         LDAP.Search.Longest.Entries.03 = 30
         LDAP.Search.Longest.Entries.04 = 30
         LDAP.Search.Longest.Pattern.01 = o=klint42p??sub?(location=%v)?timelimit=15
         LDAP.Search.Longest.Pattern.02 = o=klint42p??sub?(|(cn=%v)(givenname=%v) (sn=%v)(uid=%v)(mail=%v))?timelimit=15
         LDAP.Search.Longest.Pattern.03 = o=klint42p??sub?(dominounid=%v)?timelimit=15
         LDAP.Search.Longest.Pattern.04 = ??sub?(&(objectclass=%v)(member=%v))?timelimit=15

  41. Decoding LDAP.Search.Longest.Pattern

         o=klint42p ? ? sub ? (location=%v) ? timelimit=15

     Modeled after part of RFC 4516 - LDAP URL: ldap://host:port/basedn?attributes?scope?filter?extensions
     - basedn - where to start searching
     - attributes - to return
     - scope - relative to basedn (base, subtree, onelevel)
     - filter - %v is user-supplied value
     - extensions - from client
  42. LDAP URLs in Your Browser
  43. LDAP.Search.Longest Statistics
     - It is often the search pattern, not every search instance, that determines the overall efficiency of the Domino LDAP search.
     - LDAP applications search by reusing a limited set of search patterns, but with different values.
     - LDAP applications allow their administrators to customize the search patterns used.
       - Directory Assistance – LDAP “Type of search filter to use”
       - Sametime – stconfig.nsf LDAPServer document’s “search filters”
       - Portal – wmm.xml configuration file
     - The new LDAP.Search.Longest Domino statistics reveal the search patterns ordered by slowest average times.
     - Since the LDAP server does not have to record tremendous volumes of individual searches, the LDAP.Search.Longest statistics are always available and do not require a “debug” mode.
  44. 2. Remedy
     How do you improve slow searches?
  45. How Domino LDAP Server Searches
     - View Search: For attributes in Pubnames.ntf view indices
     - Full Text Search: For attributes not in Pubnames.ntf view indices
     - All Search: For attributes not in Pubnames.ntf view indices when no FT Index present. Visits every document in Domino directory
     - Specialized Searches: For group membership, modified time, Universal Note ID-based searches, etc.
     - QR Cached Search: For previously issued searches
  46. View Search

         01:12:56.00 PM LDAP> ***** Start search request processing *****
         01:12:56.00 PM LDAP> Scope: SUBTREE
         01:12:56.00 PM LDAP> Dereference Aliases: 0
         01:12:56.00 PM LDAP> TimeLimit: 15
         01:12:56.00 PM LDAP> SizeLimit: 0
         01:12:56.00 PM LDAP> Attributes to return: ALL
         01:12:56.00 PM LDAP> Base: o=klint42p
         01:12:56.00 PM LDAP> Filter: (|(cn=ken lin)(givenname=ken lin) (sn=ken lin)(uid=ken lin)(mail=ken lin))
         01:12:56.00 PM LDAP> *** Searching in database c:\domino\data\names.nsf...
         01:12:56.00 PM LDAP> Type of search: View Search
         01:12:56.00 PM LDAP> ... Searching view ($LDAPCN) for match on cn = ken lin
         01:12:56.01 PM LDAP> ... Searching view ($LDAPG) for match on givenname = ken lin
         01:12:56.01 PM LDAP> ... Searching view ($LDAPS) for match on sn = ken lin
         01:12:56.01 PM LDAP> ... Searching view $Users for match on uid = ken lin
         01:12:56.01 PM LDAP> ... Searching view $Users for match on mail = ken lin
         01:12:56.01 PM LDAP> GetSearchEntry State
         01:12:56.01 PM LDAP> Found matching entry, Note ID: 4942
         01:12:56.01 PM LDAP> SendSearchEntry, sending entry CN=Ken Lin,O=klint42p
         01:12:56.01 PM LDAP> GetSearchEntry State
         01:12:56.01 PM LDAP> Search State
         01:12:56.01 PM LDAP> Search State
         01:12:56.01 PM LDAP> ***** Count of search entries returned (total): 1 *****
         01:12:56.01 PM LDAP> Return Result State (Search operation)
         01:12:56.01 PM LDAP> StateReturnResult returning resultCode 0 (Success)

     Simplify!
  47. View Searches

         View            Filter Attributes                              Scope
         ($LDAPCN)       (cn=%v)                                        subtree, onelevel
         ($LDAPS)        (sn=%v)
         ($LDAPG)        (givenName=%v)
         ($Users)        (uid=%v)
         ($Users)        (displayName=%v) new in 7.0.2
         ($Users)        (mail=%v) if found in InternetAddress; otherwise also FT Search MailAddress
         ($ServerAccess) (&(member=%v)(objectclass=groupOfNames))
         ($LDAPRDNHier)  (objectClass=*)                                base

  48. Query Results Cache’d Search

         ***** Start search request processing *****
         Scope: SUBTREE
         Dereference Aliases: 0
         TimeLimit: 15
         SizeLimit: 0
         Attributes to return: ALL
         Base: o=klint42p
         Filter: (|(cn=ken lin)(givenname=ken lin) (sn=ken lin)(uid=ken lin)(mail=ken lin))
         Found entry in LDAP QR Cache.
         ***** Count of search entries returned (total): 1 *****
         Return Result State (Search operation)
         StateReturnResult returning resultCode 0 (Success)

  49. Fallback To All Search

         ***** Start search request processing *****
         Scope: SUBTREE
         Dereference Aliases: 0
         TimeLimit: 15
         SizeLimit: 0
         Attributes to return: ALL
         Base: o=klint42p
         Filter: (location=wch)
         *** Searching in database c:\domino\data\names.nsf...
         Type of search: FT Search
         ... No FT index was found
         ... Fallback to All Search
         ... Getting entries in ($LDAPRDNHier)
         GetSearchEntry State
         Found matching entry CN=Ken Lin/O=klint42p (NoteID: 4942)
         SendSearchEntry, sending entry CN=Ken Lin,O=klint42p
         GetSearchEntry State
         Search State
         Search State
         ***** Count of search entries returned (total): 1 *****
         Return Result State (Search operation)
         StateReturnResult returning resultCode 0 (Success)
         LDAP Server: You should full text index Domino directory names.nsf on klint42p/klint42p to improve search performance for filters like '(location=x)'

     Full Text Index!
  50. DDM – Directory: LDAP
  51. Full Text Search

         ***** Start search request processing *****
         Scope: SUBTREE
         Dereference Aliases: 0
         TimeLimit: 15
         SizeLimit: 0
         Attributes to return: ALL
         Base: o=klint42p
         Filter: (location=wch)
         *** Searching in database c:\domino\data\names.nsf...
         Type of search: FT Search
         FT Query: ([$$O] Contains ("klint42p")) AND (([location] Contains ("wch")))
         Type of search: Modified Since FT Search
         GetSearchEntry State
         Found matching entry, Note ID: 4942
         SendSearchEntry, sending entry CN=Ken Lin,O=klint42p
         GetSearchEntry State
         Search State
         Search State
         ***** Count of search entries returned (total): 1 *****
         Return Result State (Search operation)
         StateReturnResult returning resultCode 0 (Success)

  52. Group Membership and dominoAccessGroups
     - If you see many search patterns like this …

         ??sub?(&(objectclass=%v)(member=%v))

       the application may be attempting to perform many series of nested group membership searches
       e.g., “cn=Ken Lin,ou=Westford,o=IBM” belongs to “cn=LDAP Server Dev” belongs to “cn=Iris Directory Team” etc.
     - For such situations, consider reconfiguring the application to use a single query to retrieve the person’s new 8.0 dominoAccessGroups attribute instead
       - Domino Directory Assistance - LDAP: Type of search filter = Domino LDAP
       - Portal and Websphere Member Manager (WMM) -based applications: groupMembershipAttributeMap = "dominoAccessGroups:nested"
  53. Relative LDAP Search Speeds
     (Chart comparing: QR Cache’d Search, All Search, View Search, Full Text Search)
     - If DDM.nsf shows a Fallback to All Search warning, Full Text Index the specified Domino directory and make sure the Update task is running.
     - If an application’s LDAP search pattern contains terms that are not indexed view fields, see if they can either be eliminated or changed to use indexed fields.
     - If different LDAP applications use equivalent or similar filters, evaluate whether they can be made identical.
       - e.g., Technote 1197769 – Change Websphere Portal People Finder wmm XML files from pluginAttributeName=“displayName” to pluginAttributeName=“cn” for Domino LDAP < 7.0.2
       - e.g., If one application uses “(|(cn=%v)(givenName=%v)(sn=%v))” and another uses “(|(cn=%v)(sn=%v)(givenName=%v))”, rearrange one to match the other
  54. Miscellaneous
     Notes.ini Variables
     - LDAPMaxLongestSearchCount - Number of sets of statistics maintained
       - Default is LDAPMaxLongestSearchCount = 20
       - LDAPMaxLongestSearchCount = 0 turns off collection
       - LDAPMaxLongestSearchCount = 50 is maximum
       - In general, too many statistics will slow down Domino
     - LDAPMinLongestSearchTime - Searches shorter than this millisecond interval are not collected
       - Default is LDAPMinLongestSearchTime = 100 (i.e., 0.1 sec)
       - LDAPMinLongestSearchTime = 0 collects all searches
  55. Review
     - Identify the slowest searches using SHOW STAT LDAP command
       - Available since 7.0.2!
       - Target the slowest search patterns that have the highest count
       - Check the DDM Directory events for Full Text Index recommendations
     - Remedy performance …
       - Domino LDAP Server: Full text index Domino directories as necessary
       - LDAP Application: Tweak the application’s search filters so …
         - View searches are used
         - Complexity of the search filter is reduced
           - Can you remove terms?
           - Can you use dominoAccessGroups for group membership searches?
  56. Closing
  57. See Also
     - ID207: IBM Lotus Domino 8 Directory Deployment to Address TCO
       - SW 3-4, Monday 11:00-12:00
       - 8.0 directory features
       - Directory roadmap
     - BOF305: IBM Lotus Domino Directory Integration
       - SW Macaw 1-2, Wednesday 5:45-6:45
       - Directory roadmap
       - Open discussion
     - L101: Meet the Developers Lab
       - DL Asia 1-2
     - L105: Deployments, Performance and Interoperability
       - DL Europe 3-4
     - Google “Domino Directory FAQ”
     - We monitor “Notes/Domino 6 and 7 Forum” and “Business Partner Forum”
  58. Questions
  59. © IBM Corporation 2007. All Rights Reserved. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Domino.Doc, Domino Designer, Lotus Enterprise Integrator, Lotus Workflow, Lotusphere, QuickPlace, Sametime, WebSphere, Workplace, Workplace Forms, Workplace Managed Client, Workplace Web Content Management, AIX, AS/400, DB2, DB2 Universal Database, developerWorks, eServer, EasySync, i5/OS, IBM Virtual Innovation Center, iSeries, OS/400, Passport Advantage, PartnerWorld, Rational, Redbooks, Software as Services, System z, Tivoli, xSeries, z/OS and zSeries are trademarks of International Business Machines Corporation in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Acme, Renovations and Zeta Bank refer to a fictitious company and are used for illustration purposes only.
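
The three checks the Directory Lint slides describe (hierarchy gaps, special characters in names, group members that do not resolve), sketched as an added example; this is not DirLint's code or its XML report format. The sample names are constructed from the slides' own examples, and two things are assumptions: a double-quoted run such as `"+"` counts as escaped, and every ancestor of a name is expected to have its own document.

```python
import re

# Characters from the "Li'l Translation List" slide that need special handling.
SPECIAL = set('<>;,+"\\=')

def canon(name):
    """Case-insensitive form of a '/'-separated Notes hierarchical name."""
    return "/".join(part.strip().lower() for part in name.split("/"))

def hierarchy_gaps(names):
    """Ancestors (ou=.../o=...) that are referenced but have no document of their own."""
    present = {canon(n) for n in names}
    missing = set()
    for name in names:
        parts = canon(name).split("/")
        for i in range(1, len(parts)):
            ancestor = "/".join(parts[i:])
            if ancestor not in present:
                missing.add(ancestor)
    return sorted(missing)

def special_char_issues(name):
    """Per-component findings for unescaped special characters and edge whitespace."""
    issues = []
    for part in name.split("/"):
        typ, _, val = part.partition("=")
        typ = typ.strip().lower()
        if val.count('"') % 2:
            issues.append((typ, 'unbalanced "'))
            continue
        # Assumption: text inside a pair of double quotes is already escaped.
        bare = re.sub(r'"[^"]*"', "", val)
        found = sorted(c for c in set(bare) if c in SPECIAL)
        if found:
            issues.append((typ, "unescaped " + " ".join(found)))
        if val[:1] in (" ", "#"):
            issues.append((typ, "leading space or #"))
        if val.endswith(" "):
            issues.append((typ, "trailing space"))
    return issues

def missing_members(groups, names):
    """Group members that match no name in any of the supplied directories."""
    present = {canon(n) for n in names}
    report = {}
    for group, members in groups.items():
        absent = [m for m in members if canon(m) not in present]
        if absent:
            report[group] = absent
    return report

def lint(names, groups):
    """Run all three checks and return a report; nothing is modified."""
    flagged = {n: special_char_issues(n) for n in names}
    return {
        "hierarchy_gaps": hierarchy_gaps(names),
        "special_chars": {n: i for n, i in flagged.items() if i},
        "missing_members": missing_members(groups, names),
    }

# Constructed sample directory built from the names used on the slides.
DOCS = [
    "o=IBM",
    "cn=Jane Dough/ou=OurOrganizationalUnit/o=IBM",  # ou document never created
    "o=MYDOMAIN",
    "cn=Josh Burchard,o=IBM/o=MYDOMAIN",             # LDAP-style name typed into Notes
    "o=Acme",
    "ou=West/o=Acme",
    "CN=This+That/OU=West/O=Acme",                   # pre-7.0 conversion, '+' not quoted
    'CN=This"+"That/OU=West/O=Acme',                 # correctly quoted form
]
GROUPS = {
    "LDAP Server Dev": [
        "cn=Jane Dough/ou=OurOrganizationalUnit/o=IBM",
        "cn=Jane Doe/ou=OurOrganizationalUnit/o=IBM",  # typo of a valid name
    ],
}

if __name__ == "__main__":
    for section, findings in lint(DOCS, GROUPS).items():
        print(section, findings)
```

Like the kinder VerifyDIT the slides describe, the sketch only reports; deciding what to keep and what to change stays with the administrator.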
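
The "Identify" step from the LDAP performance slides as an added example (not IBM's tooling): it parses `show stat ldap` output, decodes each `LDAP.Search.Longest.Pattern` into the RFC 4516-style fields, and ranks patterns by average time multiplied by count. The sample text is constructed from the values on the statistics slide; treating `dominounid` as one of the specialized Universal Note ID searches is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed console output; the values are the ones on the LDAP.Search.Longest slide.
SAMPLE = """\
LDAP.Average LDAP Search time = 0.013
LDAP.Search.Longest.AverageTime.01 = 0.023
LDAP.Search.Longest.AverageTime.02 = 0.014
LDAP.Search.Longest.AverageTime.03 = 0.01
LDAP.Search.Longest.AverageTime.04 = 0.008
LDAP.Search.Longest.Count.01 = 29
LDAP.Search.Longest.Count.02 = 30
LDAP.Search.Longest.Count.03 = 30
LDAP.Search.Longest.Count.04 = 30
LDAP.Search.Longest.Entries.01 = 29
LDAP.Search.Longest.Entries.02 = 30
LDAP.Search.Longest.Entries.03 = 30
LDAP.Search.Longest.Entries.04 = 30
LDAP.Search.Longest.Pattern.01 = o=klint42p??sub?(location=%v)?timelimit=15
LDAP.Search.Longest.Pattern.02 = o=klint42p??sub?(|(cn=%v)(givenname=%v)(sn=%v)(uid=%v)(mail=%v))?timelimit=15
LDAP.Search.Longest.Pattern.03 = o=klint42p??sub?(dominounid=%v)?timelimit=15
LDAP.Search.Longest.Pattern.04 = ??sub?(&(objectclass=%v)(member=%v))?timelimit=15
"""

# Filter attributes the "View Searches" slide lists as answered from view indexes.
VIEW_INDEXED = {"cn", "sn", "givenname", "uid", "displayname", "mail", "member", "objectclass"}
# Assumption: dominounid is served by the specialized Universal Note ID search.
SPECIALIZED = {"dominounid"}

STAT_RE = re.compile(
    r"^\s*LDAP\.Search\.Longest\.(AverageTime|Count|Entries|Pattern)\.(\d+)\s*=\s*(.*?)\s*$")
ATTR_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9;.-]*)[~<>]?=")

@dataclass
class SearchStat:
    index: int
    pattern: str
    average_time: float
    count: int
    entries: int

    @property
    def total_time(self):
        """Seconds spent on this pattern overall: slow AND frequent ranks first."""
        return self.average_time * self.count

def parse_stats(text):
    """Collect the numbered LDAP.Search.Longest.* lines into one record per index."""
    rows = {}
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m and m.group(3):  # skip unrelated lines and empty values
            rows.setdefault(int(m.group(2)), {})[m.group(1)] = m.group(3)
    stats = []
    for idx, row in sorted(rows.items()):
        if {"AverageTime", "Count", "Pattern"} <= row.keys():
            stats.append(SearchStat(idx, row["Pattern"], float(row["AverageTime"]),
                                    int(row["Count"]), int(row.get("Entries", "0"))))
    return stats

def decode_pattern(pattern):
    """Split basedn?attributes?scope?filter?extensions into named fields."""
    parts = (pattern.split("?", 4) + [""] * 5)[:5]
    keys = ("basedn", "attributes", "scope", "filter", "extensions")
    return dict(zip(keys, (p.strip() for p in parts)))

def filter_attributes(ldap_filter):
    """Attribute names used in a filter, lowercased, in order, without duplicates."""
    seen = []
    for attr in ATTR_RE.findall(ldap_filter):
        if attr.lower() not in seen:
            seen.append(attr.lower())
    return seen

def advise(stat):
    """Map one pattern to the remedies named on the slides."""
    attrs = filter_attributes(decode_pattern(stat.pattern)["filter"])
    notes = []
    unindexed = [a for a in attrs if a not in VIEW_INDEXED | SPECIALIZED]
    if unindexed:
        notes.append("not view-indexed: " + ", ".join(unindexed)
                     + " (full text index the directory or change the filter)")
    if "member" in attrs:
        notes.append("group membership search (if frequent, consider dominoAccessGroups)")
    return notes or ["served by a view or specialized search"]

def rank(stats):
    """Slowest patterns with the highest count first."""
    return sorted(stats, key=lambda s: s.total_time, reverse=True)

if __name__ == "__main__":
    for s in rank(parse_stats(SAMPLE)):
        print(f"{s.total_time:.3f}s total  {s.pattern}")
        for note in advise(s):
            print("    " + note)
```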