ForgeRock Identity Platform
Does not apply to Identity Cloud

Long delays when syncing changes to IDM (All versions) using the LDAP connector

Last updated Jan 19, 2023

The purpose of this article is to provide assistance if you experience performance issues with the LDAP connector when synchronizing changes to IDM. This information applies to all poolable connectors although it is more commonly seen with the LDAP connector.



Symptoms

Long delays are experienced when trying to perform a synchronization operation after a period of inactivity. This issue occurs when using a poolable connector (such as the LDAP connector).

Subsequent sync operations are not delayed.

Recent Changes

N/A

Causes

A network component (such as a firewall or load balancer) between IDM and the LDAP server is timing out or terminating old idle connections after a period of inactivity.

When the connector has a minIdle value of 1 or more, idle connector instances are left in the connection pool. When a sync operation happens after a period of inactivity, the old idle connector instances in the connection pool are used; their connections have already been timed out by the network component, but the connection pool has not been notified. Once this request has timed out, IDM creates a new connector instance, which allows the sync to proceed. Subsequent syncs are not affected because the stale idle connector instances have already been used up.

Solution

This issue can be resolved using one of the following options:

  • Resolve any issues with your firewalls, load balancers or other network components that could time out or terminate old idle connections after a period of time. You want all connections to be treated as live connections.

If you're unsure whether a network component is causing an issue, you can try temporarily removing it and retesting to see if the delays have gone away.

  • Set the minIdle setting to 0 in your provisioner configuration file (for example, provisioner.openicf-ldap.json), which is located in the /path/to/idm/conf directory:

    "poolConfigOption" : {
        "maxObjects" : 10,
        "maxIdle" : 10,
        "maxWait" : 150000,
        "minEvictableIdleTimeMillis" : 120000,
        "minIdle" : 0
    }

Setting minIdle to 0 means the connection pool is emptied of idle connector instances when the idle timeout (minEvictableIdleTimeMillis) is reached. Since the connection pool won't have any idle connector instances in it, the connector will create fresh connections when required; this setting will prevent this issue from happening but can have some impact on performance as new connections must be created after a period of inactivity.

In IDM 7 and later, a connection pool cleaner thread runs every minute and removes idle connections whose time since lastUsed exceeds minEvictableIdleTimeMillis.
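To make the interaction between minIdle, minEvictableIdleTimeMillis and a network idle timeout concrete, the following Python model was added for this article; it is not ForgeRock or IDM code. It assumes the cleaner behaves as described above (evicting expired idle instances but keeping at least minIdle of them) and that a network device silently drops any connection idle longer than a chosen timeout; the provisioner fragment and all timings are constructed sample values.

```python
import json

# Constructed provisioner fragment mirroring the poolConfigOption from this article;
# minIdle is 1 here so the problem case can be shown before the fix.
PROVISIONER_JSON = """{
  "poolConfigOption": {
    "maxObjects": 10, "maxIdle": 10, "maxWait": 150000,
    "minEvictableIdleTimeMillis": 120000, "minIdle": 1
  }
}"""

CLEANER_PERIOD_MS = 60_000  # IDM 7+ pool cleaner runs every minute


class IdlePoolModel:
    """Toy model (an assumption, not IDM's implementation) of a poolable connector's
    idle pool: the cleaner drops instances idle longer than minEvictableIdleTimeMillis
    but leaves at least minIdle of them in the pool."""

    def __init__(self, opts):
        self.min_idle = opts["minIdle"]
        self.evict_after_ms = opts["minEvictableIdleTimeMillis"]
        self.idle_last_used = []  # lastUsed timestamps (ms) of idle instances

    def release(self, now_ms):
        self.idle_last_used.append(now_ms)

    def run_cleaner(self, now_ms):
        kept = []
        for last_used in sorted(self.idle_last_used, reverse=True):  # newest first
            expired = now_ms - last_used > self.evict_after_ms
            if expired and len(kept) >= self.min_idle:
                continue  # evict: expired and minIdle already satisfied
            kept.append(last_used)
        self.idle_last_used = kept

    def borrow(self, now_ms, network_idle_timeout_ms):
        """Which kind of instance the sync receives: 'fresh' (pool empty, new
        connection), 'reused' (live idle instance) or 'stale' (idle instance whose
        connection the network device has already dropped, so the sync hangs first)."""
        if not self.idle_last_used:
            return "fresh"
        last_used = self.idle_last_used.pop()
        return "stale" if now_ms - last_used > network_idle_timeout_ms else "reused"


def sync_after_inactivity(min_idle, inactivity_ms, network_idle_timeout_ms):
    """One sync at t=0, a quiet period with the cleaner running every minute, then a sync."""
    opts = dict(json.loads(PROVISIONER_JSON)["poolConfigOption"], minIdle=min_idle)
    pool = IdlePoolModel(opts)
    pool.release(0)  # first sync finishes at t=0 and returns its instance to the pool
    for tick in range(CLEANER_PERIOD_MS, inactivity_ms + 1, CLEANER_PERIOD_MS):
        pool.run_cleaner(tick)
    return pool.borrow(inactivity_ms, network_idle_timeout_ms)
```

With a 5 minute network idle timeout, a sync after 30 minutes gets a stale instance when minIdle is 1 but a fresh connection when minIdle is 0, while a sync after 1 minute reuses the live instance in both cases.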

Note

Configuring network components and performance tuning is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.

See Also

How do I configure pooled connections for a connector in IDM (All versions)?

How do I identify reconciliation performance issues in IDM (All versions)?

Configure connectors

Connection pooling configuration

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.