Skip to content

Disable duplicate JSON access logger in the default configuration#668

Open
vharseko wants to merge 1 commit into
OpenIdentityPlatform:masterfrom
vharseko:features/bind-3
Open

Disable duplicate JSON access logger in the default configuration#668
vharseko wants to merge 1 commit into
OpenIdentityPlatform:masterfrom
vharseko:features/bind-3

Conversation

@vharseko

@vharseko vharseko commented Jul 2, 2026

Copy link
Copy Markdown
Member

Summary

New installations ship with two enabled access loggers: the text
File-Based Access Logger and the common-audit Json File-Based Access Logger (logs/ldap-access.audit.json), so every operation is logged twice.
Profiling after #660 shows the JSON handler's bounded write queue is the
single largest blocking point on the operation hot path under concurrent
load. This PR disables the JSON access logger by default for new
installations (it remains available via dsconfig) and documents it in the
admin guide. Existing installations are unaffected.

Problem

With the AuthenticatedUsers lock removed (#660), JFR jdk.ThreadPark
profiling of a saturated BIND workload shows worker threads spending most of
their blocked time waiting to enqueue log records:

blocking point park events total blocked (80 s window, 16 workers)
JsonFileWriter.put (JSON access logger) 3,535 52.0 s
AsynchronousTextWriter.writeRecord (text access logger) 1,928 32.3 s
com.sleepycat.je.latch.LatchImpl.acquireExclusive (JE, for scale) 1,352 37.2 s

Benchmark

Environment: packaged server built from this tree, je backend, 5,000 users
(uid=user.N, {SSHA} passwords) via setup --sampleData 5000, JDK 11,
8-core host (server and load generator co-located), 2 GB heap.

Load: authrate from the LDAP toolkit — 200 persistent connections, each
re-binding as a random distinct user; 30 s warm-up, 90 s measured,
steady-state = mean of the last 30 s:

authrate -h 127.0.0.1 -p 1389 -c 200 -f -B 30 -d 90 -i 5 \
  -D "uid=user.%d,ou=People,dc=example,dc=com" -w password \
  -g "rand(0,5000)"

Profiling: jcmd <pid> JFR.start settings=profile (JavaMonitorEnter /
ThreadPark / ExecutionSample) + periodic jstack sampling.

configuration binds/s resp mean p99.9
default (text + JSON loggers on) 31,900 6.28 ms 40.1 ms
JSON logger off (this PR) 36,320 (+14%) 5.52 ms 25.7 ms
both access loggers off (tuning reference) 39,286 (+23%) 5.10 ms 22.4 ms

Errors were 0 in all runs.

Change

  • opendj-server-legacy/resource/config/config.ldif: ds-cfg-enabled: false for cn=Json File-Based Access Logger, with a comment explaining
    why and how to enable it.
  • Admin guide (chap-monitoring.adoc): the JSON handler is now listed among
    common audit handlers, and a new procedure "To Enable JSON LDAP Access
    Logs" covers enabling it with dsconfig (and optionally disabling the
    text logger to avoid double logging).
  • Admin guide (chap-tuning.adoc): note in Logging Settings that each
    enabled access logger multiplies per-operation logging cost.

Testing

  • Fresh install from the rebuilt package: list-log-publishers shows the
    JSON logger disabled and the text logger enabled; logs/access is
    written, logs/ldap-access.audit.json is no longer created.
  • dsconfig set-log-publisher-prop --publisher-name "Json File-Based Access Logger" --set enabled:true re-enables it as documented.

New installations shipped with two enabled access loggers: the text
File-Based Access Logger and the common-audit Json File-Based Access
Logger, so every operation was logged twice. Under concurrent load the
JSON handler's bounded write queue (JsonFileWriter.put) is the largest
blocking point on the operation hot path: disabling it alone improves
bind throughput by ~14% in the PR OpenIdentityPlatform#660 benchmark scenario.

Keep the text access logger enabled and disable the JSON logger by
default; it can still be enabled with dsconfig. Existing installations
are unaffected.

Document the JSON access logger in the admin guide (how to enable it,
log file name, and the cost of running several access loggers) and add
a note to the tuning chapter.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants