FLAIM Attribute Containerization


FLAIM Attribute Containerization is when EDirectory IndexDefinitions are created automatically by the system

Such attributes are moved to a separate attribute container and indexes are created for them. These auto-generated Edirectory Indexes are marked as Index Type system indexes.

EDirectory does not permit deleting system indexes and hence, any attempt to delete them gives an error.

EDirectory (40002.79) to EDirectory (40004.44)#

FLAIM Attribute Containerization is disabled by default EDirectory (40002.79) to EDirectory (40004.44).

It is possible to revert the behavior of eDirectory to its pre-eDirectory 9 behavior, simply add the line:

to the _ndsdb.ini file and restart eDirectory.

Disable FLAIM Attribute Containerization EDirectory (40005.12) and Later#

To workaround this issue, add the following value in the in _ndsdb.ini file in the DIB directory, and then restart ndsd: eDirectory provides you the flexibility of scheduling the attribute movement. You first view the attributes that are ready to be moved and then schedule their movement as per your convenience.
This prevents the attributes from being moved to the attribute container. However, this command will not affect the attributes that are already there in the container.

We have also seen conditions where there were a very large number of attributes in use on many entries. When one of the entries added the 25th value, the existing index is dropped and the system index is created. When this happens, there is a time when there is no Edirectory Indexes on an attribute. This causes very slow searches.

When there are many entries with several values, creating the new index took forever.

Additional Information#

You may experience a -6029 attribute in maintenance mean Error. This implies a system generated index in being created. This will happen if
  • an attribute has more than 25 values
  • an attribute value is greater than 2048 bytes.

Under these conditions an index will be created for the attribute. At the FLAIM level a new attribute container is created. Then all objects in the dib are scanned for this attribute. If found the attribute is moved from the object's container to the new attribute container. How long does this "maintenance" process may take depends on the following factors:

  • How large the eDirectory database (DIB) is.
  • How many entries contain this attribute.
  • How busy the server is with other processes.

While an attribute is in maintenance mode, modifications or queries that directly involve this attribute are not allowed until this process completes.

For most environments, hitting this condition will not be a problem, it just depends on how long it takes to complete and if the unavailability of this attribute for a span of time is going to effect critical production type processes. To disable the automatic containerization of attributes, add disablemovetoattrcontainer =1 in the _ndsdb.ini file and restart eDirectory.

Scheduling FLAIM Attribute Containerization#

FLAIM Attribute Containerization Scheduling is painful and requires gathering the following information form different utilities:

PseudoServer] holds an attribute dsContainerReadyAttrs which can be viewed in Imonitor and shows similar to:
dsContainerReadyAttrs Count: 2

02/16/17 04:22:25 PM 1:13PresentdicFusion
08/24/17 04:09:42 PM 1:11PresentNDSPKI:Key Material DN

This indicates in this specific example that "dicFusion" and "NDSPKI:Key Material DN" are subject to FLAIM Attribute Containerization

You can start the attribute containerization by using the single object Ndsrepair option of ndsrepair for the Pseudo server object. To containerize an attribute, issue the ndsrepair command with the new advance switch -am followed by the name of the attribute as below:

ndsrepair –J <Pseudo server object ID> –Ad –AM/–am <attribute name>



More Information#

There might be more information for this subject on one of the following: