[midPoint] Large groups with OpenLDAP

Radovan Semancik radovan.semancik at evolveum.com
Wed May 23 09:55:58 CEST 2018


Hi,

On 05/22/2018 07:36 PM, Keith Hazelton wrote:
>
> I’d like to see midPoint/OpenLDAP experience-based reactions to this 
> comment I saw just now: “OpenLDAP has issues with large groups.  Large 
> groups over 25-30k and you will have issues with group updates taking 
> about 6 seconds for each change.”
>

MidPoint has some optimizations already implemented. E.g. you can mark 
"members" attribute with fetchStrategy=minimal, so midPoint will avoid 
fetching that attribute unless it is absolutely necessary. And if you 
have memberof overlay then it is almost never necessary. Because 
midPoint is based on relative change model, i.e. it deals with 
adding/removing values and it should be able to survive without fetching 
full values. To be completely precise, this is only partially true for 
normal attributes. We sometimes need all values for normal attributes 
(e.g. reconciliation). But I'm quite sure that the "relativity approach" 
works for entitlement association attributes such as "members" 
attribute. As far as I remember now we have tested that with Active 
Directory groups with thousands of members. But I think there was also 
some testing with even larger LDAP groups (I'm not 100% sure though).

-- 
Radovan Semancik
Software Architect
evolveum.com
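
Added example, not part of the original message and not Evolveum's own configuration: a sketch of the resource `schemaHandling` the message describes, with the group membership attribute set to `fetchStrategy` `minimal` and the account-to-group association read through the memberOf overlay. The object classes (`inetOrgPerson`, `groupOfNames`), the attribute name `member`, the intent `ldapGroup` and the `ri:`/`mr:` prefixes (declared on the enclosing resource) are assumptions for illustration.

```xml
<schemaHandling>
    <!-- Accounts: membership is read from memberOf on the account itself,
         so the group's member list does not have to be fetched. -->
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <objectClass>ri:inetOrgPerson</objectClass> <!-- assumed object class -->
        <association>
            <ref>ri:group</ref>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent> <!-- assumed intent name -->
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <!-- Requires the memberOf overlay on the OpenLDAP server -->
            <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
            <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
            <!-- Assumes the server's refint overlay cleans up member values -->
            <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
        </association>
    </objectType>

    <!-- Groups: do not return the (potentially huge) member attribute
         unless an operation explicitly needs it. -->
    <objectType>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <objectClass>ri:groupOfNames</objectClass> <!-- assumed object class -->
        <attribute>
            <ref>ri:member</ref> <!-- assumed attribute name -->
            <matchingRule>mr:distinguishedName</matchingRule>
            <fetchStrategy>minimal</fetchStrategy>
        </attribute>
    </objectType>
</schemaHandling>
```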
