Operation Throttling - Protect Your LDAP Servers
By arnaud on Jun 15, 2009
Many times, for various maintenance and operational reasons, we need to run batches of updates against an identity repository. Whether it is a new application requiring new attributes or a broad cleanup sweep for a retired application, the net result is the same: an additional write load is inflicted on the LDAP farm, with the ever undesirable performance impact on the "regular" traffic. As a workaround, this used to be done during maintenance windows, at night or over a quiet weekend... which usually leads to stressful early Monday mornings if you had overestimated the absorption capacity of the infrastructure.
Bird's Eye View
The idea is to allow DPS to throttle traffic, so that it can "choke" traffic coming from a particular user or host. This leaves the regular traffic alone and applies the limitation only to, for example, writes coming from the user running the batch job.
The principle is pretty straightforward: traffic fills a queue until the queue is full. When it is, DPS delays the next requests until the next slot becomes available in the queue. This is effective because it does not disrupt traffic; it only makes the LDAP infrastructure appear slower to clients. Most throttling solutions I have seen out there would return "Server Busy" or something along those lines, which may cause errors on the client side and defeats the purpose of throttling altogether from a client's perspective. That approach works only from the perspective of the servers, which do indeed see their traffic decrease.
With this plug-in, all the requests sent by the client will be honored; it will just take longer.
One of the added benefits is that the throughput limit can be changed on the fly without disturbing regular "unthrottled" traffic.
So you could, for example, leave the batch job completely unleashed to flood your LDAP farm over the weekend and then strangle the traffic Monday at 4:00am to an acceptable trickle. Since the configuration of DPS can be altered over LDAP, all it takes is an entry in your cron, and you have yourself a nicely controlled environment...
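The delay-instead-of-reject principle described above, modelled as an added example (it is not the plug-in's code and uses no DPS API). It assumes a sliding window in which a request holds its queue slot for `window` seconds; the class and function names are hypothetical, and the burst of arrivals is constructed.

```python
from collections import deque

class DelayThrottle:
    """Model of a throttle that delays requests instead of refusing them."""

    def __init__(self, slots, window=1.0):
        self.slots = slots      # queue capacity: requests forwarded per window
        self.window = window    # seconds a forwarded request occupies its slot
        self.queue = deque()    # forward times of requests still holding a slot

    def set_limit(self, slots):
        """Change the throughput limit on the fly; queue state is preserved."""
        self.slots = slots

    def admit(self, arrival):
        """Return the time at which a request arriving at `arrival` is forwarded."""
        start = arrival
        # Release slots whose window has already elapsed.
        while self.queue and self.queue[0] + self.window <= start:
            self.queue.popleft()
        # Queue full: hold the request until the oldest slot frees up.
        while len(self.queue) >= self.slots:
            start = max(start, self.queue.popleft() + self.window)
        self.queue.append(start)
        return start

def reject_count(arrivals, slots, window=1.0):
    """Same limit enforced by answering 'busy': count the refused requests."""
    admitted, rejected = deque(), 0
    for t in arrivals:
        while admitted and admitted[0] + window <= t:
            admitted.popleft()
        if len(admitted) >= slots:
            rejected += 1       # the client sees an error and must retry
        else:
            admitted.append(t)
    return rejected

if __name__ == "__main__":
    burst = [0.0] * 10                      # constructed: 10 writes at t=0
    throttle = DelayThrottle(slots=3)
    print("forwarded at:", [throttle.admit(t) for t in burst])
    print("busy replies under reject policy:", reject_count(burst, slots=3))
    throttle.set_limit(1)                   # tighten the limit mid-run
    print("next write forwarded at:", throttle.admit(3.0))
```

Every request in the burst is eventually forwarded, only later, while the reject policy turns most of the same burst into client-side errors.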