Re: [keycloak-user] Federating LDAP server to Keycloak crashed with Out Of Memory error

On 9 Aug 2018, at 2:51 am, Marek Posolda <mposolda(a)redhat.com&gt; wrote: > On 07/08/18 22:46, Chenyuan Zhang wrote: > Hi there, > > We were trying to add a LDAP user federation provider with around 5000 users. But the process crashed with out of memory error: > > 2018-06-02 06:54:35.900 UTC INFO Sync changed users finished: 393 imported users, 4532 updated users, 8 users failed sync! See server log for more details (Timer-2) [org.keycloak.storage.ldap.LDAPStorageProviderFactory] > Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Brute Force Protector" > > Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-74" > > Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-330" > > Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Periodic Recovery" > > Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-332" > > Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "default task-324" > 2018-06-05 07:08:55.594 UTC ERROR java.lang.OutOfMemoryError: Java heap space (default task-333) [stderr] > > Here’re the options we used: > > JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Duser.timezone=UTC > > From what I read, it seems like Keycloak import users from LDAP to our production database through a periodic background task. > > But I’m not sure what happened in the memory level that caused the OutOfMemory error. Does keycloak cache all data in memory during the sync process? Is there any configuration I can set to avoid this error? Is there a user number limit given our JAVA Options? We didn't yet try to test LDAP sync with 5000 users. But looks like the count is not so big, so it's quite strange that there is OOM for this setup. Few tips: - If you use periodic synces, you can maybe try to disable periodic sync temporarily and check if it helps? Or increase the interval of sync? (For example 1 per day instead of 1 per hour etc) - Increase memory options and see if it helps - Disable user cache and see if it helps (or configure user cache eviction with the lower count of users allowed). See the docs for how to do it. Marek > > Any suggestion would be appreciated. > > Thanks a lot, > Chenyuan > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user