[midPoint] Large groups with OpenLDAP
Radovan Semancik
radovan.semancik at evolveum.com
Wed May 23 09:55:58 CEST 2018
Hi,
On 05/22/2018 07:36 PM, Keith Hazelton wrote:
>
> I’d like to see midPoint/OpenLDAP experience-based reactions to this
> comment I saw just now: “OpenLDAP has issues with large groups. Large
> groups over 25-30k and you will have issues with group updates taking
> about 6 seconds for each change.”
>
MidPoint has some optimizations already implemented. E.g. you can mark
"members" attribute with fetchStrategy=minimal, so midPoint will avoid
fetching that attribute unless it is absolutely necessary. And if you
have memberof overlay then it is almost never necessary. Because
midPoint is based on relative change model, i.e. it deals with
adding/removing values and it should be able to survive without fetching
full values. To be completely precise, this is only partially true for
normal attributes. We sometimes need all values for normal attributes
(e.g. reconciliation). But I'm quite sure that the "relativity approach"
works for entitlement association attributes such as "members"
attribute. As far as I remember now we have tested that with Active
Directory groups with thousands of members. But I think there was also
some testing with even larger LDAP groups (I'm not 100% sure though).
--
Radovan Semancik
Software Architect
evolveum.com
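
A sketch of the resource configuration the message describes, added here as an illustration and not taken from the original post or from any Evolveum sample. The object classes (`groupOfNames`, `inetOrgPerson`), the intent names, the `ri:member` attribute name, the `ri:` namespace prefix and the presence of the memberOf overlay are all assumptions about the target directory.

```xml
<!-- Fragment of a midPoint resource definition (assumed names, see lead-in). -->
<schemaHandling>

    <!-- Group object type: do not read the large membership attribute by default. -->
    <objectType>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <objectClass>ri:groupOfNames</objectClass>
        <attribute>
            <ref>ri:member</ref>
            <!-- Fetch "member" only when explicitly requested, so routine
                 group operations do not pull tens of thousands of values. -->
            <fetchStrategy>minimal</fetchStrategy>
        </attribute>
    </objectType>

    <!-- Account object type: membership is managed as an association,
         so changes are sent as single add/delete value modifications. -->
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <objectClass>ri:inetOrgPerson</objectClass>
        <association>
            <ref>ri:group</ref>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <!-- The group (object) holds the reference to the account (subject). -->
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <!-- With the memberOf overlay, the account's own memberOf values
                 answer "which groups is this account in" without reading
                 the member attribute of each group. -->
            <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
            <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
        </association>
    </objectType>

</schemaHandling>
```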