[midPoint] Midpoint 3.4.1 Performance Issues UI and REST

Martin Herbert martinh at tahzoo.com
Wed Nov 2 12:49:06 CET 2016


Hi Ivan,

Yes, the assignments are set up to add users to groups. We have multiple AD domains and the groups reside on each domain. Below is the metarole we have associated with each role within Midpoint itself that has the logic to map it to all resources where relevant.

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="aef77645-a406-4598-be2e-6c7217944fe1"
      version="76">
   <name>Metarole for groups</name>
   <metadata>
      <createTimestamp>2016-10-14T06:52:38.197Z</createTimestamp>
      <creatorRef oid="a507b312-69a5-422a-852a-3d1d5f1f02b9" type="c:UserType"><!-- admin.dm --></creatorRef>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
   </metadata>
   <inducement id="1">
      <construction>
         <resourceRef oid="58535b46-2326-4b4e-9d9c-67c8cfa8fdfa" type="c:ResourceType"><!-- Active Directory eu1.tahzooint.com (LDAP) --></resourceRef>
         <kind>entitlement</kind>
         <intent>group</intent>
      </construction>
      <condition>
         <source>
            <c:path>$immediateRole/roleType</c:path>
         </source>
         <expression>
            <script>
               <code>roleType != "system"</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="2">
      <construction>
         <resourceRef oid="58535b46-2326-4b4e-9d9c-67c8cfa8fdfa" type="c:ResourceType"><!-- Active Directory eu1.tahzooint.com (LDAP) --></resourceRef>
         <kind>account</kind>
         <intent>user</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
      <condition>
         <source>
            <c:path>$user/organizationalUnit</c:path>
         </source>
         <expression>
            <script>
               <code>organizationalUnit.toString() == 'Employees Delft' || organizationalUnit.toString() ==  'Employees Milton Keynes' || organizationalUnit.toString() ==  'Employees Maarssen' || organizationalUnit.toString() ==  'Employees Borlange' || organizationalUnit.toString() ==  'Contractors EXLRT' || organizationalUnit.toString() ==  'Contractors EU' || organizationalUnit.toString() ==  'Customers EU'</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="4">
      <construction>
         <resourceRef oid="f8939b78-2bd6-4eb4-b886-548b414ae9ff" type="c:ResourceType"><!-- Active Directory NA1.tahzooint.com (LDAP) --></resourceRef>
         <kind>account</kind>
         <intent>user</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
      <condition>
         <source>
            <c:path>$user/organizationalUnit</c:path>
         </source>
         <expression>
            <script>
               <code>organizationalUnit.toString() == 'Employees DC' || organizationalUnit.toString() ==  'Employees Richmond' || organizationalUnit.toString() ==  'Contractors USEast' || organizationalUnit.toString() == 'Customers USEast'</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="6">
      <construction>
         <resourceRef oid="9ebeffc4-d1ce-4e6e-8077-4a77883cb04f" type="c:ResourceType"><!-- Active Directory NA2.tahzooint.com (LDAP) --></resourceRef>
         <kind>account</kind>
         <intent>user</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
      <condition>
         <source>
            <c:path>$immediateRole/organizationalUnit</c:path>
         </source>
         <expression>
            <script>
               <code>organizationalUnit.toString() == 'Employees Seattle' || organizationalUnit.toString() ==  'Contractors USWest' || organizationalUnit.toString() ==  'Customers USWest'</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="3">
      <construction>
         <resourceRef oid="f8939b78-2bd6-4eb4-b886-548b414ae9ff" type="c:ResourceType"><!-- Active Directory NA1.tahzooint.com (LDAP) --></resourceRef>
         <kind>entitlement</kind>
         <intent>group</intent>
      </construction>
      <condition>
         <source>
            <c:path>$immediateRole/roleType</c:path>
         </source>
         <expression>
            <script>
               <code>roleType != 'system'</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="5">
      <construction>
         <resourceRef oid="9ebeffc4-d1ce-4e6e-8077-4a77883cb04f" type="c:ResourceType"><!-- Active Directory NA2.tahzooint.com (LDAP) --></resourceRef>
         <kind>entitlement</kind>
         <intent>group</intent>
      </construction>
      <condition>
         <source>
            <c:path>$immediateRole/roleType</c:path>
         </source>
         <expression>
            <script>
               <code>roleType != 'system'</code>
            </script>
         </expression>
      </condition>
   </inducement>
</role>

From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Organization: Evolveum, s.r.o.
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Wednesday, 2 November 2016 at 11:36
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Midpoint 3.4.1 Performance Issues UI and REST


Hi Martin,

are those 42 assignments using associationTargetSearch to put accounts into e.g. groups?

If so, can you paste an example of how you are using it?

Best regards,

Ivan

On 11/02/2016 11:53 AM, Martin Herbert wrote:
Hi Guys,

We’ve constantly been suffering with performance issues on our Midpoint environment. The setup includes a cluster of 2 servers with around 10,000 objects. Although user account modifications are fairly quick when it comes to a small number of assignments (1 or 2 maximum), there is a significant performance issue with a larger number of assignments. Testing my own account during reconciliation, which has 42 assignments and 2 projections to different AD resources, can take up to 5 minutes before completion.

From an integration standpoint for these two projections, one of the AD servers utilises the .Net Connector which is still slow, but much quicker than the OpenICF integration on the other projection.

We also have a password tool that integrates with the REST services for Midpoint; the same issue also applies here. The more assignments that are on an account, the longer it takes for a password change to occur, and in a number of cases there are even timeouts for a given account.

The major pain point is the password changes. Is there no way password changes can be done without removing and re-adding all assignments for each given account?

Overall performance also seems to be an issue in some browsers as well (Firefox for example).  Is there a list of supported browsers available?

Thanks

Martin Herbert
Hosting Manager / Head of IT & Hosting Services
M: +44 7862 993 003
E: martinh at tahzoo.com | W: www.tahzoo.com
A: 399 Silbury Blvd, Milton Keynes, MK9 2AH, 

--

Ivan Noris

Senior Identity Engineer

evolveum.com
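
An added example (not part of the original messages and not midPoint code): a short Python audit for a metarole shaped like the one posted above. It lists each inducement's resource, kind, intent and order, and reports inducements that share kind, intent and order but read their condition from different paths, as inducements 2 and 4 ($user/organizationalUnit) and 6 ($immediateRole/organizationalUnit) do in the posted role. The embedded XML is a constructed, trimmed sample with placeholder OIDs, and treating a missing order element as 1 is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"

# Constructed sample: trimmed to the metarole's shape, placeholder resource OIDs.
SAMPLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Metarole for groups</name>
  <inducement id="2">
    <construction><resourceRef oid="RESOURCE-OID-EU1"/><kind>account</kind><intent>user</intent></construction>
    <order>2</order>
    <condition><source><c:path>$user/organizationalUnit</c:path></source></condition>
  </inducement>
  <inducement id="6">
    <construction><resourceRef oid="RESOURCE-OID-NA2"/><kind>account</kind><intent>user</intent></construction>
    <order>2</order>
    <condition><source><c:path>$immediateRole/organizationalUnit</c:path></source></condition>
  </inducement>
  <inducement id="5">
    <construction><resourceRef oid="RESOURCE-OID-NA2"/><kind>entitlement</kind><intent>group</intent></construction>
    <condition><source><c:path>$immediateRole/roleType</c:path></source></condition>
  </inducement>
</role>"""

def summarize(xml_text):
    """Return one dict per inducement: id, resource OID, kind, intent, order, condition path."""
    rows = []
    for ind in ET.fromstring(xml_text).iter(C + "inducement"):
        con = ind.find(C + "construction")
        rows.append({
            "id": ind.get("id"),
            "resource": con.find(C + "resourceRef").get("oid"),
            "kind": con.findtext(C + "kind"),
            "intent": con.findtext(C + "intent"),
            # Assumption: an inducement without <order> applies at order 1.
            "order": int(ind.findtext(C + "order", default="1")),
            "path": ind.findtext(f"{C}condition/{C}source/{C}path"),
        })
    return rows

def mixed_condition_paths(rows):
    """Group by (kind, intent, order); keep groups whose condition source paths differ."""
    groups = defaultdict(dict)
    for r in rows:
        groups[(r["kind"], r["intent"], r["order"])][r["id"]] = r["path"]
    return {k: v for k, v in groups.items() if len(set(v.values())) > 1}

if __name__ == "__main__":
    print(mixed_condition_paths(summarize(SAMPLE)))
```

A reported group is a prompt for review, not proof of a misconfiguration: the differing path may be intentional.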