Re: Tuning LDAP




I'd recommend against taking their suggestions, especially in regards to
changing the maxPageSize from the default of 1000. The maxPageSize is there
to help protect the DC from denial of service attacks (both malicious and
unintentional) by limiting the number of results that can be retrieved in a
single LDAP query and forcing the LDAP client to use paged queries to
retrieve large result sets.

Basically, what the vendor is saying by suggesting this policy is "we don't
know how to or don't care to bother with implementing paged LDAP searches,
so instead of us fixing that, we'd like for you to subject your DCs to
denial of service attacks." I don't think that is acceptable, but you may
be willing to.

The problem is larger than just this one app though because you are changing
the policy for at least a whole DC and possibly the whole domain or forest.
As such, any app, including an innocuous looking script, could begin causing
problems.

In practice, this may not end up making a big difference, especially if your
DCs have plenty of resources available and your directory isn't very large.
Rigorous testing might help here.

However, I have seen within my own organization very harmless looking
queries that repeatably crashed the DC (requiring reboot) when executed if
the page size was set high. This isn't a joke. That query was in fact in a
harmless looking script that anyone could run from their desktop.

If it were me, I'd suggest that the vendor implement paged LDAP searches and
keep the defaults. Another approach might be to set up a single DC with
this policy and have it just be used for this particular app if something
like that is practical. At least any instability caused by the app could be
limited to one box, and that box could possibly be put in its own site so
that it would not be used for other domain services.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dent" <Dent@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CEC5BAE7-6EA4-49DC-BF29-C9CFA69F8E98@xxxxxxxxxxxxxxxx
We have some questions surrounding a Web Application. We have some Web
applications using a single LDAP instance. The programmers are telling me I
have not tuned the site properly. I have been given custom instructions from
BMC Software on how to tune LDAP. I have done so. However, I am looking for
Microsoft's response on tuning, which I must say is not very extensive to say
the least. I have to prove my setup is correct by both parties. I need to
understand these changes. Just doing them because some company told me to is
not going to fly. So any information on these would be greatly appreciated.

See settings changed below.

Setting                  Value
MaxPoolThreads           40
MaxPageSize              2000000
InitRecvTimeout          120
MaxQueryDuration         600
MaxActiveQueries         160
MaxConnections           10000
MaxDataGramRecv          65535
MaxTempTableSize         20000
MaxReceiveBuffer         10485760
MaxResultSetSize         4000000
MaxNoticationsPerConn    5
MaxConnIdleTime          900
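
The reply above argues that MaxPageSize is a per-request cap that protects the DC and that the fix belongs in the client, which should use paged searches. The following is an added example, written for this archive and not code from either poster or from BMC: it implements the client-side paging loop (the RFC 2696 simple paged results pattern; in .NET this is what DirectorySearcher.PageSize turns on) against a small in-memory stand-in for a DC that enforces the default MaxPageSize of 1000. The FakeDC class, its cookie format and the sample directory of constructed user DNs are assumptions for the demonstration; a real DC returns the first MaxPageSize entries to an unpaged client together with a sizeLimitExceeded result, which is what the stand-in models.

```python
"""Added example (not from the newsgroup thread): an LDAP client paging loop
run against a constructed in-memory stand-in for a domain controller that
enforces MaxPageSize = 1000. It shows why an unpaged client gets a truncated
result set while a paged client completes, and why raising the client's
requested page size does not bypass the server-side cap.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

MAX_PAGE_SIZE = 1000  # the Active Directory default the reply recommends keeping


class SizeLimitExceeded(Exception):
    """Models LDAP result code 4 (sizeLimitExceeded): the DC returned only the
    first MaxPageSize entries and told the client it stopped there."""

    def __init__(self, partial: List[str]):
        super().__init__(f"sizeLimitExceeded after {len(partial)} entries")
        self.partial = partial


@dataclass
class FakeDC:
    """Constructed stand-in for a DC; entries are the DNs matching a search."""

    entries: List[str]
    max_page_size: int = MAX_PAGE_SIZE
    # cookie -> offset into the result set, mirroring the server's opaque cookie
    _cookies: Dict[str, int] = field(default_factory=dict)
    pages_served: int = 0

    def search(self, page_size: Optional[int] = None, cookie: str = "") -> Tuple[List[str], str]:
        """Unpaged search when page_size is None, otherwise one page.
        Returns (entries, next_cookie); an empty cookie means no more pages."""
        if page_size is None:
            # No paged-results control: the DC stops at max_page_size entries
            # and signals sizeLimitExceeded instead of streaming the whole set.
            if len(self.entries) > self.max_page_size:
                raise SizeLimitExceeded(self.entries[: self.max_page_size])
            return list(self.entries), ""
        # Paged search: the server caps every page at max_page_size no matter
        # how large a page the client asked for, bounding work per round trip.
        effective = min(page_size, self.max_page_size)
        start = self._cookies.pop(cookie, 0) if cookie else 0
        page = self.entries[start : start + effective]
        self.pages_served += 1
        end = start + len(page)
        if end >= len(self.entries):
            return page, ""
        next_cookie = f"cookie-{end}"  # constructed opaque token
        self._cookies[next_cookie] = end
        return page, next_cookie


def paged_search(dc: FakeDC, page_size: int = 500) -> Iterator[str]:
    """The loop a well-behaved LDAP client runs: request a page, yield its
    entries, and resend the cookie until the server returns an empty one."""
    cookie = ""
    while True:
        page, cookie = dc.search(page_size=page_size, cookie=cookie)
        yield from page
        if not cookie:
            return


def unpaged_search(dc: FakeDC) -> List[str]:
    """A client that ignores paging: fine on a small directory, truncated with
    sizeLimitExceeded as soon as the result set exceeds MaxPageSize."""
    return dc.search()[0]


def demo(n_users: int = 2500, page_size: int = 500) -> dict:
    """Run both client styles against a constructed directory of n_users DNs."""
    dc = FakeDC([f"CN=user{i},OU=Users,DC=example,DC=test" for i in range(n_users)])
    try:
        unpaged = unpaged_search(dc)
        unpaged_error = None
    except SizeLimitExceeded as exc:
        unpaged = exc.partial
        unpaged_error = str(exc)
    paged = list(paged_search(dc, page_size=page_size))
    return {
        "unpaged_entries": len(unpaged),
        "unpaged_error": unpaged_error,
        "paged_entries": len(paged),
        "pages_served": dc.pages_served,
    }


if __name__ == "__main__":
    print(demo(2500, 500))   # 5 pages of 500, all 2500 entries retrieved
    print(demo(2500, 5000))  # client asks for 5000, server caps at 1000: 3 pages
```

With 2,500 entries the unpaged client gets exactly 1,000 back plus an error, while the paged client retrieves all 2,500 in five round trips; asking for a 5,000-entry page still yields three pages of at most 1,000, which is the point of keeping the server-side cap rather than raising it to accommodate one application.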
