The invention relates to improving performance of database query operations. More specifically, the invention relates to establishing a plurality of service classes for Lightweight Directory Access Protocol (“LDAP”) requests.
The Lightweight Directory Access Protocol (“LDAP”) is a standard computer networking protocol for querying and modifying entries in a database. The basic protocol is defined in a group of Internet Engineering Task Force (“IETF”) Request for Comments (“RFC”) documents; various aspects of the current version of the protocol (version 3) are described in RFCs listed in the “LDAP Technical Specification Road Map” (RFC4510, published June 2006). The databases reachable through LDAP may contain any sort of data, but most commonly contain identity and contact information for people and organizations.
LDAP may be viewed as a communication framework within which a client and server establish and conduct a conversation. The client issues one or more requests, and the server responds with a similar number of replies. The client generally need not wait for a response to one request before sending another request, and the server is generally not required to respond to multiple outstanding requests in the same order they were issued. Many LDAP requests can be answered very quickly, but some requests can cause the server to dedicate large amounts of memory or many computing cycles to prepare a response.
Since LDAP servers are often deployed in high-traffic applications where they frequently face significant request volumes, it is important that the server's design address high-load and overload scenarios so that server performance degrades predictably.
Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like-references indicate similar elements. It should be noted that references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and such references mean “at least one.”
Request execution logic 170 retrieves an LDAP request 175 of a predetermined class from a pool of requests of that class 165 and executes the request by interacting with database 180. Request execution logic 170 may read and write data directly from/to a mass storage device, or may use database interface logic (not shown) to issue commands to and interpret results from an external database. An appropriate LDAP response 185 is prepared and returned to response pool 190. Eventually, an LDAP response 195 is removed from response pool 190 by client communication module 110 and returned to the corresponding client, as indicated by the dashed arrow.
Since an LDAP client may send multiple requests during a session, subsequent client interaction operations occur in a loop. At 230, a message from the client is received. If the message is an LDAP “UnbindRequest” message (240), the client is indicating that it wishes to terminate the session. The client communication module (and possibly other portions of the LDAP server) dean up the session (290) by releasing data structures and other resources used to serve the client, discarding any unsent responses for the client, logging performance data, dosing the network connection and so on. A client can also simply disconnect (perhaps due to network trouble); this can be treated similarly to an “UnbindRequest” message.
If the message is not an “UnbindRequest” message, the message may optionally be converted to an internal form (250) (for example, to a data structure containing information such as the identity of the client, the class of the client and/or request, the time the request was received, and so on). At 260, the LDAP request is placed in a pool, set, queue, or similar data structure with other requests of the same class, or in a data structure from which requests can be selected and removed by class. At 270, the client communication module checks to see whether there is a response ready to transmit to the client and, if there is, the response is transmitted (280). Finally, the client service loop repeats.
The client communication module's message-receiving functions and response-transmitting functions need not be performed in precisely the order shown in this flow chart. Those of skill in the art will recognize that if operation 230 blocks (i.e. if program or thread operation pauses until a message is received) then any responses generated may not be transmitted timely. Therefore, a practical implementation may separate the receiving and transmitting functions and execute them in parallel, use non-blocking input/output (“I/O”) functions, or adopt some similar strategy to facilitate efficient and timely bidirectional client communications.
The request may optionally be checked for validity (320, shown in phantom) before execution. For example, a request to alter database contents may be checked to ensure that appropriate client validation has occurred, and a request from a client that disconnected before the request was selected for execution may be discarded. In some embodiments, validity checks can be performed by the client communications logic, relieving the execution logic of this task.
If the request is valid, it is executed by, for example, searching the database to find matching records or updating a record in the database to contain new information (330). The LDAP server may manage the database itself, reading and writing directly from mass storage devices; or it may prepare and execute database operations using a different database access mechanism such as a Structured Query Language (“SQL”) query.
At block 340, a response is prepared. The response may contain records found by a search, a “success” or “failure” indicator of a database modification, or some other message to apprise the client of the outcome of its request. The response is placed in a response pool for eventual transmission back to the requesting client (350). Although
Note that passing requests from the client communications logic to the request execution logic via the classified pool(s) as shown and described in relation to
Separation of LDAP server functions along the lines described and depicted above (i.e. client communication functions and request execution functions) can facilitate efficient use of modern multiprocessing hardware and multithreaded execution environments. A first group of threads can be launched to perform client communication tasks: accepting new client connections; encrypting and decrypting messages if Secure Sockets Layer (“SSL”) communications are in use; receiving LDAP queries and “unpacking” the query elements from their serialized transmission form; validating that messages are in the correct form; assigning priorities and enqueueing the requests; and “packing,” possibly encrypting, and transmitting responses.
A second group of threads can be launched to perform database-related tasks such as locating records that match a query, updating records with new information, and constructing responses containing requested information. The second group of threads can be subdivided into sub-groups of threads dedicated to serving each class of request. For example, if there are ten threads for serving LDAP requests and three are dedicated to serving a first class of request, while the remaining seven serve a second class of request, then (assuming an unbiased thread scheduling policy) approximately thirty percent of the LDAP server's capacity will be available to serve requests of the first class, even when there is a backlog of requests of the second class.
The connection between the client communications and request execution groups of threads is the classified pool system for inbound requests, and the response pool for outbound replies. Requests from clients are classified and placed in pools by the client communication threads, and selected and executed by the request execution threads. In some embodiments, the communication threads and the execution threads may run on separate programmable processors in a system, on separate virtual machine environments hosted by a system, or on completely separate systems. In some of these situations, the request pool(s) and response pool may be implemented as distributed data structures.
LDAP requests may be classified by a number of different criteria (or by combinations of these and other criteria). One useful criterion is the network address of the LDAP client from which the request was received. The structure of network addresses of the widely-used Internet Protocol (“IP”) permits a useful variation of this classification method: by classifying based on some of the most-significant bits of an IP address, requests from a logically (and often geographically) similar group of computers can be classified together.
Since the LDAP protocol includes an authentication mechanism, LDAP requests can also be classified based on the identity of the LDAP client. All the LDAP-using applications at a particular computer may be configured to use the same LDAP identity, or the LDAP identity may be linked to the particular kind of application sending the LDAP requests. In some embodiments, the LDAP server operator may offer a guaranteed level of service to certain clients, and special authentication credentials can be established to identify clients entitled to that level of service. An LDAP request that does not fit any other criteria in use by the server may be classified in a catch-all, “anonymous” class. The load on the system from anonymous LDAP requests can be limited by dedicating only a small number of threads to serve the anonymous class.
In a preferred embodiment, an “administrative” class is used to serve LDAP requests from an administrator or manager of the LDAP server. By dedicating several threads to the administrative class, the administrator can be sure of obtaining responses to LDAP requests even when the server is overwhelmed with requests that fall into other classes.
The foregoing request classification techniques operate on a per-client basis. That is, all the requests from a given client will be placed in the same class. However, per-request classification can also be used. For example, requests to query the database can be placed in a first class, and requests to modify the database can be placed in a second class. This can help ensure that one of the two types of operation (query and modify) does not monopolize the server's processing resources to the exclusion of the other type of operation, even if vastly more requests of one type are received. LDAP requests may contain attributes (as described in the LDAP specification), and these attributes may also be used to direct requests to particular classes of service. Individual requests can be examined to produce an estimate of the computational complexity of performing the request. For example, a database search query that involves multiple wildcards may be more expensive (in terms of memory and processing resources) to perform than a search that simply requests a record identified by the record's Distinguished Name (“DN”). Lower-cost queries may be placed together in one service class, and higher-cost queries placed together in another class. The estimated complexity at which a request is deemed “expensive” may be adjusted to further tune the server's operation.
If a request pool is prioritized, the prioritization criteria can be selected to achieve finer-grained control over LDAP execution performance. For example, requests from clients of a class that connect from a preselected range of network addresses can be given increased priority. This can improve the LDAP query responsiveness for those clients over and above other clients that are classified in the same class. Clients of the same class that use (or do not use) SSL may be favored, or clients that present certain authentication credentials can be given preferential service, despite being in the same class as other authenticated clients.
The client communication logic can also examine requests individually and prioritize the requests within a class based on an estimate of the computational complexity of performing the request. Thus, even within a class of requests of similar complexity (as discussed above), less-complex requests may receive higher priority than more-complex requests. This can help ensure that expensive, long-running queries do not monopolize the server resources allotted to a class.
The particular methods of the invention have been described in terms of software with reference to a series of flowcharts. The methods to be performed by a computer or machine constitute programs made up of machine-executable instructions illustrated as blocks (acts). Describing the methods by reference to a flowchart enables one skilled in the art to develop such programs including such instructions to carry out the methods on suitably configured machines (the processing unit of the machine executing the instructions from machine-readable media). The machine-executable instructions may be written in a computer programming language or may be embodied in firmware logic. If written in a programming language conforming to a recognized standard, such instructions can be executed on a variety of hardware platforms and for interface to a variety of operating systems. In addition, the present invention is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein. Furthermore, it is common in the art to speak of software, in one form or another (e.g. program, procedure, process, application, module, logic), as taking an action or causing a result. Such expressions are merely a shorthand way of saying that execution of the software by a machine causes the processor of the machine to perform an action or to produce a result. It will be appreciated that more or fewer processes may be incorporated into the methods as described above without departing from the scope of the invention, and that no particular order is implied by the arrangement of blocks shown and described herein.
An embodiment of the invention may be a machine-readable medium having stored thereon instructions to cause a programmable processor to perform operations as described above. The instructions may be directly executable by a programmable processor, or they may be in a “source code” form that can be compiled into executable instructions to control a programmable processor. In other embodiments, the operations might be performed by specific hardware components that contain hardwired logic. Those operations might alternatively be performed by any combination of programmed computer components and custom hardware components.
A machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g. A computer), including but not limited to Compact Disc Read-Only Memory (“CD-ROM”), Read-Only Memory (“ROM”), Random Access Memory (“RAM”), and Erasable Programmable Read-Only Memory (“EPROM”).
The applications of the present invention have been described largely by reference to specific examples and in terms of particular allocations of functionality to certain hardware and/or software components. However, those of skill in the art will recognize that Lightweight Directory Access Protocol (“LDAP”) service can also be provided efficiently by software and hardware that distribute the functions of embodiments of this invention differently than herein described. Such variations and implementations are understood to be captured according to the following claims.
Number | Name | Date | Kind |
---|---|---|---|
5860003 | Eidler et al. | Jan 1999 | A |
6073175 | Tavs et al. | Jun 2000 | A |
6304906 | Bhatti et al. | Oct 2001 | B1 |
6430561 | Austel et al. | Aug 2002 | B1 |
6463470 | Mohaban et al. | Oct 2002 | B1 |
6466984 | Naveh et al. | Oct 2002 | B1 |
6553368 | Martin et al. | Apr 2003 | B2 |
6609121 | Ambrosini et al. | Aug 2003 | B1 |
6622170 | Harrison et al. | Sep 2003 | B1 |
6633872 | Ambrosini et al. | Oct 2003 | B2 |
6654891 | Borsato et al. | Nov 2003 | B1 |
6665674 | Buchanan et al. | Dec 2003 | B1 |
6732160 | Ambrosini et al. | May 2004 | B2 |
6785686 | Boreham et al. | Aug 2004 | B2 |
6850928 | McClure et al. | Feb 2005 | B1 |
7020662 | Boreham et al. | Mar 2006 | B2 |
7039914 | Potter, Jr. | May 2006 | B2 |
7058717 | Chao et al. | Jun 2006 | B2 |
7089294 | Baskey et al. | Aug 2006 | B1 |
7493419 | Moilanen | Feb 2009 | B2 |
7548989 | Alexander, III et al. | Jun 2009 | B2 |
7657501 | Brown et al. | Feb 2010 | B1 |
20010027445 | Eichelsdoerfer et al. | Oct 2001 | A1 |
20020032775 | Venkataramaiah et al. | Mar 2002 | A1 |
20020078028 | Lisanke | Jun 2002 | A1 |
20020087718 | Hill et al. | Jul 2002 | A1 |
20030110246 | Byrne et al. | Jun 2003 | A1 |
20030182464 | Hamilton et al. | Sep 2003 | A1 |
20030195962 | Kikuchi et al. | Oct 2003 | A1 |
20040054808 | Ekberg | Mar 2004 | A1 |
20040117350 | Cavage et al. | Jun 2004 | A1 |
20050015763 | Alexander et al. | Jan 2005 | A1 |
20050021661 | Duloutre et al. | Jan 2005 | A1 |
20060004995 | Hetherington et al. | Jan 2006 | A1 |
20060006222 | Brey et al. | Jan 2006 | A1 |
20060031185 | Jose et al. | Feb 2006 | A1 |
20060149748 | Yamakawa et al. | Jul 2006 | A1 |
20060271544 | Devarakonda et al. | Nov 2006 | A1 |
20070050331 | Bauman et al. | Mar 2007 | A1 |
20070294388 | Yu | Dec 2007 | A1 |
Number | Date | Country |
---|---|---|
1-310-856 | May 2003 | EP |
Entry |
---|
Howes, Timothy A., et al., Understanding and Deploying LDAP Directory Services, MacMillan Technical Publishing, ISBN 1-57870-070-1, © 1999, pp. 344-362. |
Thompson, Dan, “Understanding LDAP”, Microsoft Corp. White Paper, Redmond, WA, © 2000, pp. i-iv and 1-109. |
Fink, Josef, et al., “User Modeling for Personalized City Tours”, Artificial Intelligence Review, vol. 18, No. 1, Sep. 2002, pp. 33-74. |
Bin, Zeng, et al., “A Model of Scalable Distributed Network Performance Management,” ISPN '04 May 10-12, 2004 pp. 607-612. |
Guo, Hong, et al, “Research and Design on Distributed Information Integrated Model Bases on LDAP and Intelligent Agent,” Proc. of the 8th International Conf. on Computer Supported Cooperative Work in Design, vol. May 26-28, 2004, pp. 319-323. |
Mehra, Ashish, et al., “Policy-Based Diffserv on Internet Servers: The AIX Approach,” IEEE Internet Computing, vol. 4, Issue 5, Sep./Oct. 2000 pp. 70-80. |
Microsoft Computer Dictionary, 5th Edition, Microsoft Press, Redmond, WA © 2002, pp. 433. |
Zeilenga, Kurt, D., “Lightweight Directory Access Protocol (LDAP) Technical Specification Road Map,” Network Working Group RFC4510, Jun. 2006, pp. 1-8. |
Red Hat Office Action for U.S. Appl. No. 11/514,823 (P012) mailed Jun. 23, 2008. |
Red Hat Office Action for U.S. Appl. No. 11/514,823 (P012) mailed Mar. 5, 2009. |
Red Hat Office Action for U.S. Appl. No. 11/514,823 (P012) mailed Aug. 19, 2009. |
Red Hat Notice of Allowance for U.S. Appl. No. 11/514,823 (P012) mailed Aug. 19, 2009. |
Number | Date | Country | |
---|---|---|---|
20080059499 A1 | Mar 2008 | US |