[keycloak-user] Federating LDAP server to Keycloak crashed with Out Of Memory error

Marek Posolda mposolda at redhat.com
Thu Aug 9 03:51:26 EDT 2018


On 07/08/18 22:46, Chenyuan Zhang wrote:
> Hi there,
>
> We were trying to add an LDAP user federation provider with around 5000 users. But the process crashed with an out of memory error:
>
> 2018-06-02 06:54:35.900 UTC INFO Sync changed users finished: 393 imported users, 4532 updated users, 8 users failed sync! See server log for more details (Timer-2) [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Brute Force Protector"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-74"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-330"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Periodic Recovery"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-332"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "default task-324"
> 2018-06-05 07:08:55.594 UTC ERROR java.lang.OutOfMemoryError: Java heap space (default task-333) [stderr]
>
> Here are the options we used:
>
> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Duser.timezone=UTC
>
> From what I read, it seems like Keycloak imports users from LDAP to our production database through a periodic background task.
>
> But I’m not sure what happened at the memory level that caused the OutOfMemory error. Does Keycloak cache all data in memory during the sync process? Is there any configuration I can set to avoid this error? Is there a user number limit given our JAVA Options?

We haven't yet tried to test LDAP sync with 5000 users. But it looks like the 
count is not so big, so it's quite strange that there is an OOM for this 
setup. A few tips:

- If you use periodic syncs, you can maybe try to disable periodic sync 
temporarily and check if it helps? Or increase the interval of sync? 
(For example, 1 per day instead of 1 per hour, etc.)

- Increase memory options and see if it helps

- Disable the user cache and see if it helps (or configure user cache 
eviction with a lower count of users allowed). See the docs for how to 
do it.

Marek
>
> Any suggestion would be appreciated.
>
> Thanks a lot,
> Chenyuan