Operation Throttling - Protect Your LDAP Servers

Rationale

    Many times - for various maintenance and operational reasons - we need to run batches of updates to an Identity repository. Whether it is a new application that was introduced requiring new attributes or a broad sweep cleanup for a retired application, the net result is a same: an additional write load is inflicted to the LDAP farm with the ever undesirable performance impact on the "regular" traffic. As a work around, this used to be done during maintenance windows, at night or over a quiet week end... this usually leads to stressful early Monday mornings if you had overestimated the absorption capacity of the infrastructure.

Bird's Eye View

    The idea is to allow DPS to throttle traffic in order to be able to "choke" traffic coming from a particular user or host. This would allow to leave the regular traffic alone and only apply the limitation on writes coming from the user running the batch job for example.

The Meat

 The principle is pretty straightforward, traffic fills a queue until the queue is full. When it is, DPS delays the next requests until the next slot becomes available in the queue. This is effective as it does not disrupt traffic. It only makes the LDAP infrastructure appear slower to clients. Most throttling solutions I have seen out there would return "Server Busy" or something along those lines, which may cause errors on the client side and defeats the purpose of throttling altogether from a client's perspective. It works only from the server's perspective, which indeed see their traffic decreased.
With this plug-in, all the requests sent by the client will be honored, it'll just take longer.

One of the added benefits is that the throughput limit can be changed on the fly without disturbing regular "unthrottled" traffic.

So you for example could leave the batch job completely unleashed and flood your LDAP farm over the week-end and then strangle the traffic Monday at 4:00am to an acceptable trickle. Since the configuration of DPS can be altered over LDAP, all there is to it is an entry in your cron, and you have yourself a nicely controlled environment...

This plug-in for DPS is available through Directory Integration Team via Sun Professional Services (or shoot me an email, arnaud@sun.com)

<script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-12162483-1"); pageTracker._trackPageview(); } catch(err) {}</script>
Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

Directory Services Tutorials, Utilities, Tips and Tricks

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today