Ensure that the following general prerequisites are met before attempting to tune the system for performance:
A good eDirectory tree design can enhance eDirectory performance. The following considerations might apply:
Applications read all the information locally on the server without needing to chain the requests.
eDirectory efficiently handles object references automatically. If possible, objects on a server should not refer to objects that are not local on that server, because maintaining non-local object references can take more time. If such references exist, backlinks must be maintained. This becomes cumbersome in large deployments.
If you need a group with 10,000 members or more, dynamic groups are recommended. This allows you to avoid the overhead associated with maintaining references for so many people. Choose your dynamic group configuration carefully, because using multiple dynamic groups with improper search criteria might overload the server and reduce overall server performance. If a search operation takes a long time to complete, the chosen index might be inefficient. Minimize the use of regular (static) groups as this can increase tree walking on login.
Use ACLs efficiently. For example, use the [This] trustee and assign it at the container level instead of using an ACL template that assigns rights to itself. The fewer ACLs, the better the performance. For more information on ACLs, see NetIQ eDirectory Administration Guide.
Distribute the load onto multiple replica servers.
If logins are slow, you can disable login updates. There are separate ways to disable login updates for both NDS and NetIQ Modular Authentication Service (NMAS) logins. However, it is important to understand the security implications.
Time is in sync across all replica servers.
Replica synchronization and background processes are in a healthy state.