[Date Prev][Date Next]
Re: Large user bases cause huge number of roleOccupant in role organizationalRole
- To: Huang Hongfu <email@example.com>, firstname.lastname@example.org
- Subject: Re: Large user bases cause huge number of roleOccupant in role organizationalRole
- From: Howard Chu <email@example.com>
- Date: Fri, 24 Mar 2017 19:25:58 +0000
- In-reply-to: <WMfirstname.lastname@example.org>
- References: <email@example.com> <WMfirstname.lastname@example.org>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46a2
Huang Hongfu wrote:
In a general design, we have a role, which is an object of organizationalRole.
Within this role, let us say it will have more than 10 million users. Each
user has a roleOccupant in the role object.
You can imagine how huge this role object can be! This will cause a big
performance problem. Especially with LMDB as backend, the "add new user" will
become very slow at some point; and the replication will be very difficult
even we setup a delta (with accesslog and session log) replication.
From my point of view, organizationalRole is not designed for large user bases.
Or someone has a better idea?
The same logic as used in indexing applies here - it is stupid to define a
case for something that matches the majority of your population. I.e., it's
stupid to define a presence index on an attribute if that attribute occurs in
the majority of your entries. It is stupid to define a group or role if the
majority of entries will be a member of it. A presence index is only useful if
the attribute occurs rarely. A group/role is only useful if the members are a
minority of the total population.
In this case you should define a group/role for all users who *aren't* part of
Meanwhile, for people with stupid data models, performance with large
attributes in back-mdb is greatly improved in OpenLDAP 2.5.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/