Slow IDM synchronisation between eDirectory trees

  • 7017156
  • 14-Jan-2016
  • 18-Jan-2016

Environment

NetIQ Identity Manager 4.5

Situation

Two Identity Manager 4.5 instances replicating data between an Identity Vault tree and an LDAP Authentication tree using the eDirectory driver.
Synchronization seemed to be normal until users reported issues with their password changes.
The IDM Vault dashboard showed that cached events on the Vault tree had grown to over 70,000 waiting events, and these seemed to be processing at the rate of about two per minute.

Resolution

Examined the IDM traces for the eDirectory drivers from both trees. There were no errors, but the delay appeared to be around writing to cache on the AUTH tree. The Vault trace showed a delay while waiting for a response from the AUTH tree:

21:30:31 C3F3700 Drvrs: Student AD PT:
DirXML Log Event -------------------
Driver: \VAULT\RES\In Bound Driver Set\Student AD
Channel: Publisher
Status: Success
21:30:38 6578700 DirXML: Auth Tree EV: Writing data to cache:
21:30:54 C8FD700 Drvrs: Auth Tree ST:: Received.
21:30:54 C8FD700 Drvrs: Auth Tree ST:


Checking the trace from the AUTH tree showed the delay associated with syncs to the master replica:

21:28:28 AB7C1700 Drvrs: Auth Tree PT:Waiting to move entry \AUTH-TREE\Utopia University\People\inactive\s5057061 until local changes are synced to master replica.
21:29:01 AB7C1700 Drvrs: Auth Tree PT:Waiting for moved object \AUTH-TREE\Utopia University\People\active to replicate from master replica.
21:29:01 C9757700 DirXML: Auth Tree EV: Writing data to cache:


The IDM server did not hold the master replica of the AUTH tree partition containing the People container; it held one of that partition's seven read/write replicas.
The IDM server was made the master replica of the AUTH tree partition holding the People container, and the 70,000 queued events then processed in less than ten minutes.

Cause

The slow synchronization became apparent after the customer had moved a large number of user objects.
When a move event is synchronized between eDirectory trees, the driver must wait for an acknowledgement that the move event has synced out from the master replica. This ensures that move events for the same object are not received out of order. Because the IDM server did not hold the master replica of the partition containing the moved objects, there was a delay in obtaining this acknowledgement. Making the IDM server the master replica eliminated this delay.
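The master-replica waits described above can be measured directly from the driver trace. The following script is an added diagnostic example, not part of this article or of the Identity Manager product: it pairs each "Waiting to move entry" / "Waiting for moved object" message with the next trace line on the same thread and reports how long the driver was blocked. The sample lines are constructed from the trace excerpts above (the final timestamp is invented to close the second wait), and the 5-second "slow" threshold is an assumption.

```python
import re

# Constructed sample, modelled on the AUTH tree trace excerpt in this article.
# The last line's timestamp is invented so that the second wait has an end.
SAMPLE_TRACE = [
    r"21:28:28 AB7C1700 Drvrs: Auth Tree PT:Waiting to move entry \AUTH-TREE\Utopia University\People\inactive\s5057061 until local changes are synced to master replica.",
    r"21:29:01 AB7C1700 Drvrs: Auth Tree PT:Waiting for moved object \AUTH-TREE\Utopia University\People\active to replicate from master replica.",
    r"21:29:01 C9757700 DirXML: Auth Tree EV: Writing data to cache:",
    r"21:30:12 AB7C1700 DirXML: Auth Tree EV: Writing data to cache:",
]

# "HH:MM:SS <thread-id> <message>", as in the DirXML trace lines quoted above.
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}) ([0-9A-Fa-f]+) (.*)$")
# The two replica-wait messages; the DN may contain spaces, so stop at the
# fixed phrase that follows it.
WAIT_RE = re.compile(
    r"Waiting (to move entry|for moved object) (\\.+?) (?:until local changes|to replicate)")


def parse_line(line):
    """Return (seconds since midnight, thread id, message) or None if not a trace line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, thread, msg = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), thread, msg


def find_replica_waits(lines, threshold_s=5):
    """Report each master-replica wait and how long the thread was blocked.

    A wait ends at the next line logged by the same thread; wait_s is None when
    the trace ends before that happens. threshold_s (assumed) flags slow waits."""
    results, pending, last_t, day = [], {}, 0, 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, thread, msg = parsed
        if t < last_t:  # timestamps carry no date, so detect a midnight wrap
            day += 86400
        last_t, t = t, t + day
        if thread in pending:  # any later line on this thread ends its wait
            rec = pending.pop(thread)
            rec["wait_s"] = t - rec["start"]
            rec["slow"] = rec["wait_s"] >= threshold_s
        w = WAIT_RE.search(msg)
        if w:
            rec = {"thread": thread, "kind": w.group(1), "dn": w.group(2),
                   "start": t, "wait_s": None, "slow": None}
            pending[thread] = rec
            results.append(rec)
    return results


if __name__ == "__main__":
    for r in find_replica_waits(SAMPLE_TRACE):
        print(f"{r['thread']} {r['kind']:>16} {r['dn']}: wait={r['wait_s']}s slow={r['slow']}")
```

Run it against a full Publisher channel trace (for example a level 3 trace file) to see whether move waits, rather than driver errors, account for the event backlog.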