The CPU of your UCS server spikes very frequently making the server partially unresponsive.
You operate a multi server environment with a couple of member servers.
UCS servers need to rebuild the local group cache in order to make sure the data is always up-to-date for authentication purposes.
In the default setting, the group cache is regenerated every time changes are made to a group. This avoids cache effects whereby group memberships only become visible for a service after the next scheduled group cache rewrite (in the default setting after 15 minutes and after 15 seconds of inactivity in the Univention Directory Listener. In larger environments with a lot of group changes, this function should be deactivated by setting the Univention Configuration Registry variable
false . This setting takes effect immediately and does not require a restart of the Univention Directory Listener.
To set do:
ucr set nss/group/invalidate_cache_on_changes=false
When the group cache file is being generated, the script verifies whether the group members are still present in the LDAP directory. If only the Univention Management Console is used for the management of the LDAP directory, this additional check is not necessary and can be disabled by setting the Univention Configuration Registry variable
To set do:
ucr set nss/group/cachefile/check_member=false