FLAIM Attribute Containerization


FLAIM Attribute Containerization is when EDirectory IndexDefinitions are created automatically by the system

Such attributes are moved to a separate attribute container and indexes are created for them.

EDirectory does not permit deleting system indexes and hence, any attempt to delete them gives an error.

eDirectory versions prior to EDirectory (40002.79) once an attribute's values reach a count of 25 on one object or 2048 bytes in size the values would be moved to their own attribute container and an index created automatically. This helps improves read and write performance. However, this process can take some time to complete if the eDirectory database is very large. During this time anyone searching on this database would receive the following error until the movement is completed:

Error:attribute maintenance in progress (-6029) 

EDirectory (40002.79) to EDirectory (40004.44)#

FLAIM Attribute Containerization is disabled by default EDirectory (40002.79) to EDirectory (40004.44).

It is possible to revert the behavior of eDirectory to its pre-eDirectory 9 behavior, simply add the line:

to the _ndsdb.ini file and restart eDirectory.

Disable FLAIM Attribute Containerization EDirectory (40005.12) and Later#

To workaround this issue, add the following value in the in _ndsdb.ini file in the DIB directory, and then restart ndsd: eDirectory provides you the flexibility of scheduling the attribute movement. You first view the attributes that are ready to be moved and then schedule their movement as per your convenience.
This prevents the attributes from being moved to the attribute container. However, this command will not affect the attributes that are already there in the container.

We have also seen conditions where there were a very large number of attributes in use on many entries. When one of the entries added the 25th value, the existing index is dropped and the system index is created. When this happens, there is a time when there is no Edirectory Indexes on an attribute. This causes very slow searches.

When there are many entries with several values, creating the new index took forever.

Additional Information#

You may experience a -6029 attribute in maintenance mean Error. This implies a system generated index in being created. This will happen if
  • an attribute has more than 25 values
  • an attribute value is greater than 2048 bytes.

Under these conditions an index will be created for the attribute. At the FLAIM level a new attribute container is created. Then all objects in the dib are scanned for this attribute. If found the attribute is moved from the object's container to the new attribute container. How long does this "maintenance" process may take depends on the following factors:

  • How large the eDirectory database (DIB) is.
  • How many entries contain this attribute.
  • How busy the server is with other processes.

While an attribute is in "maintenance mode", Modify Requests or SearchRequest that directly involve this attribute are not allowed until this process completes.

For most environments, hitting this condition will not be a problem, it just depends on how long it takes to complete and if the unavailability of this attribute for a span of time is going to effect critical production type processes. To disable the automatic containerization of attributes, add disablemovetoattrcontainer=1 in the _ndsdb.ini file and restart eDirectory.

Scheduling FLAIM Attribute Containerization#

FLAIM Attribute Containerization Scheduling is painful and requires gathering the following information form different utilities:

PseudoServer holds an attribute dsContainerReadyAttrs which can be viewed in Imonitor and shows similar to:
dsContainerReadyAttrs Count: 2

02/16/17 04:22:25 PM 1:13PresentdicFusion
08/24/17 04:09:42 PM 1:11PresentNDSPKI:Key Material DN

This indicates in this specific example that "dicFusion" and "NDSPKI:Key Material DN" are subject to FLAIM Attribute Containerization

You can start the attribute containerization by using the single object Ndsrepair option of ndsrepair for the Pseudo server object. To containerize an attribute, issue the ndsrepair command with the new advance switch -AM followed by the name of the attribute as below:

ndsrepair –J <Pseudo server object ID> --config-file /<full path to ndsd.conf> –Ad –AM <attribute name>

As an example:

ndsrepair -J 8007 --config-file /edir/ndsd/conf/nds.conf -Ad -AM "SAS:Vendor\ Support"
(Any spaces in the attribute name must be escaped as shown above.)

FLAIM Attribute Containerization ndstrace#

ndstrace with Flag +RECM can be used to monitor the progress of building the Edirectory Indexes which will appear similar to:
2807117568 RECM: [2019/05/30  4:34:48.893] Attribute maintenance thread is running for: Attribute 470, number of entries scanned so far:  59AB78
2807117568 RECM: [2019/05/30  4:34:48.906] Attribute maintenance thread is running for: Attribute 470, number of entries scanned so far:  59ABDC
2807117568 RECM: [2019/05/30  4:34:48.919] Attribute maintenance thread is running for: Attribute 470, number of entries scanned so far:  59AC40
Each Hexadecimal value on each line is 100 values added to index.

Appears to be unpredictable as to how long it take to index. Of course smaller count Trees will be faster but within the same tree some seem to take a lot longer than others.



More Information#

There might be more information for this subject on one of the following: