[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Dynamic Groups

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: Dynamic Groups
From: Michael Ströder <michael@stroeder.com>
Date: Thu, 29 May 2003 20:36:22 +0200
Cc: "'Tod Thomas'" <tthomas@chubb.com>, OpenLDAP-software@OpenLDAP.org
In-reply-to: <000701c32605$acd55560$0e01a8c0@CELLO>
References: <000701c32605$acd55560$0e01a8c0@CELLO>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3.1) Gecko/20030425

"Dynamic Groups" is simply marketing blurb for attribute-based grouping. It's not more dynamic than so-called "static" group entries.

Howard Chu wrote:

This definition would imply that Dynamic Groups are a concept that only
clients care about,

Yes and no. Some products simply use LDAP URLs for specifying attribute-based grouping which can be AFAIK resolved at the server's side for the server's authz scheme.

Won't LDAP eventually run into
a hard limitation, or a performance limitation, using attribute based
'dynamic
groups' as I described above due to the large number of
attributes that
could
potentially end up in a single entry?


No more so than if you defined a large number of static groups with lots of
entry DNs in their member attributes.


http://groups.google.com/groups?q=ldap+%22dynamic+groups%22&start=10&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=37A0D299.D41C679E%40ogre.com&rnum=14

IMO group entries do not scale well for many group members. I made some experiments with 70000 member attributes (OpenLDAP 2.0.x, 200000 members with Netscape DS 4.1x) but stopped evaluating it any further because it turned out to get quite slow. Also the group entries get quite large requiring a big cache and the first hit really costs time. No thorough analysis though.

Ciao, Michael.

References:
- RE: Dynamic Groups
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: Dynamic Groups
Next by Date: Mixing Versions.
Index(es):
- Chronological
- Thread