
Re: Millions of users linked into a single group



Howard Chu wrote:
> Alessandro Lasmar Mourão wrote:
>> I wonder if there is any limitation on the number of users linked to a group
>> groupOfUniqueNames type?
>> We will provide an application on the Internet for more than 10 million users,
>> and all these users belong (uniqueMember) to a single group.
>> Our support reported that it is recommended that the user group should not
>> have more than 16,000 members. Is this information accurate?
> 
> As I recall, older versions of M$ Active Directory had a size limit of 16384
> members. Maybe other directory servers did as well. No such limit exists in
> OpenLDAP. Note that use of uniqueMember is discouraged in LDAP, you should
> just use member.
> 
> In slapd you should configure sortvals on the member attribute to have
> reasonable comparison speeds on lookups and modifications for such a large
> attribute.
> 
> Generally it's a bad idea to use static groups of this size, you're better off
> using a dynamic group instead.

Very true.

I'd also ask for the real requirements:
Do you really need a group 'all users'?
Because if any authenticated user is always member of this group anyway you
can design your access control rules simply with "grant right X to all
authenticated users" instead of "grant right X to group 'all users'".

And especially *all* client developers have to handle such a big group
reasonably, which means at least:
1. Don't read the whole group entry to determine group membership.
2. Don't maintain group membership by writing all member values at once.
Experience shows that you have to make this clear to developers. :-(

Also you have to take care of stable replication. AFAICT you should use
delta-syncrepl and may have to adjust sockbuf_max_incoming_auth (see
slapd.conf(5)).

Ciao, Michael.
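The slapd.conf(5) fragment below is an added example, not part of this thread and not taken from the OpenLDAP project; it wires together the points raised above (sortvals on member, an ACL granting the right to all authenticated users instead of to a group, a dynamic group via slapo-dynlist, and delta-syncrepl with an adjusted sockbuf_max_incoming_auth). All DNs, hostnames, schema paths, directories, the replicator credentials and the 64 MiB buffer value are placeholders assumed for illustration.

```conf
# ===== provider slapd.conf (assumed names; adjust to your deployment) =====
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/dyngroup.schema   # groupOfURLs / memberURL

moduleload      back_mdb.la
moduleload      dynlist.la
moduleload      accesslog.la
moduleload      syncprov.la

# Keep the multi-valued 'member' attribute in sorted order so value lookups
# and per-value modifications on a huge group are binary searches, not scans.
sortvals        member

# Largest PDU slapd accepts from an authenticated client (default 4194303).
# A Modify that rewrites millions of member values, or the initial refresh
# of such an entry by a syncrepl consumer, can exceed the default.
# 64 MiB is an assumed placeholder; size it to your largest entry.
sockbuf_max_incoming_auth 67108864

# ----- accesslog database: the changelog that delta-syncrepl replays -----
database        mdb
suffix          cn=accesslog
directory       /var/lib/ldap/accesslog
rootdn          cn=accesslog
index           default eq
index           entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay         syncprov
syncprov-nopresent  TRUE
syncprov-reloadhint TRUE

# ----- primary database -----
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
directory       /var/lib/ldap/example
index           objectClass,entryCSN,entryUUID eq
index           uid,member eq      # serves (member=<dn>) searches and Compare

# Instead of 'by group.exact="cn=allusers,ou=groups,dc=example,dc=com" read',
# grant the right to every authenticated bind directly ("by users"):
access to dn.subtree="ou=app,dc=example,dc=com"
        by users read
        by * none
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by self write
        by users read
        by * auth
limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# Dynamic group: an entry of objectClass groupOfURLs whose memberURL is e.g.
#   ldap:///ou=people,dc=example,dc=com??sub?(objectClass=inetOrgPerson)
# gets a computed 'member' attribute; nothing is stored per user.
overlay         dynlist
dynlist-attrset groupOfURLs memberURL member

# Provider side of delta-syncrepl: syncprov on the main DB, accesslog
# recording every successful write into cn=accesslog.
overlay         syncprov
syncprov-checkpoint 1000 60
overlay         accesslog
logdb           cn=accesslog
logops          writes
logsuccess      TRUE
logpurge        07+00:00 01+00:00

# ===== consumer slapd.conf (separate host; same schema/module lines) =====
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
directory       /var/lib/ldap/example
index           objectClass,entryCSN,entryUUID eq
index           uid,member eq
syncrepl        rid=001
                provider=ldap://ldap-provider.example.com:389
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=secret
                syncdata=accesslog
                logbase="cn=accesslog"
                logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
                schemachecking=on
updateref       ldap://ldap-provider.example.com
```

On the client side this pairs with the two rules above: check membership with an LDAP Compare (`ldapcompare -x -D ... -W "cn=allusers,ou=groups,dc=example,dc=com" "member:uid=alice,ou=people,dc=example,dc=com"`) or a search such as `(&(objectClass=groupOfNames)(member=uid=alice,ou=people,dc=example,dc=com))` with base scope on the group, never by reading the whole group entry; and maintain a static group with a Modify carrying a single `add: member` or `delete: member` value, never `replace: member` with the full list. With the dynamic group there is nothing to maintain, and slapo-dynlist also answers Compare on the generated member attribute, so existing Compare-based clients keep working.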

