Alessandro Lasmar Mourao wrote:
I work in a company that has 140,000 registered users in OpenLDAP. This OpenLDAP is used for authentication of our internal systems. In our tree of groups we have the systems, and below each system there are the authorization groups (system profiles). The user is bound into each group according to position, function and department in the company. When a user replaces another user hierarchically higher, this user is taken out of the respective group (that he belonged to) and registered in the user group with the highest hierarchy. This movement in the company is very common, and this is the cause of our problems. We have a group with 50,000 registered users, and when we need to delete a user from that group or add a new one, OpenLDAP takes up to 6 minutes to effect the transaction. We have a tool (BMC Identity Management (formerly Control-SA)) that automates the transactions, but due to the delay in the transactions we have a queue of 100,000 insert/delete operations to perform. I wonder if you have any way to improve the performance of OpenLDAP for these write operations. The OpenLDAP version is 2.4.40.
Do you use the term "group" actually for a node in the tree? If yes, this sounds like a broken DIT design.
Also it seems your management client application is not able to leverage renaming whole trees with a single modrdn request (as supported in back-hdb and back-mdb). Instead it moves user entries one by one. This is also a waste of resources.
You should seriously consider a partial re-design and another management application.
Ciao, Michael.
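As an added illustration of the two approaches contrasted in the reply above (this LDIF is not part of either message in the thread; the base DN, the group and container names and the user uid=jdoe are made up), here is what a per-group modify looks like next to a single modrdn:

```ldif
# Added example, not from the thread. Every DN below is hypothetical.
#
# (a) The one-by-one pattern: moving a user between two large static
#     groups costs two modify operations, and each one rewrites a group
#     entry that, in the poster's case, may carry 50,000 member values.
dn: cn=erp-staff,ou=erp,ou=systems,dc=example,dc=com
changetype: modify
delete: member
member: uid=jdoe,ou=people,dc=example,dc=com

dn: cn=erp-managers,ou=erp,ou=systems,dc=example,dc=com
changetype: modify
add: member
member: uid=jdoe,ou=people,dc=example,dc=com

# (b) If profiles are containers and users are entries beneath them, a
#     single modrdn with newsuperior relocates the user's entry in one
#     write, without touching a large multi-valued attribute.
dn: uid=jdoe,cn=erp-staff,ou=erp,ou=systems,dc=example,dc=com
changetype: modrdn
newrdn: uid=jdoe
deleteoldrdn: 1
newsuperior: cn=erp-managers,ou=erp,ou=systems,dc=example,dc=com

# (c) Renaming a whole container in one request (back-hdb/back-mdb
#     support subtree rename): every entry under it follows, with no
#     per-entry writes from the client.
dn: cn=erp-staff,ou=erp,ou=systems,dc=example,dc=com
changetype: modrdn
newrdn: cn=erp-operators
deleteoldrdn: 1
```

Apply with `ldapmodify -x -D <admin DN> -W -f move.ldif`. One caveat before adopting (b) or (c): a modrdn changes the entry's DN, and any attribute elsewhere that still references the old DN (member, seeAlso, and the like) is not rewritten by the server unless the refint overlay (slapo-refint) is configured, so check those references before and after the move.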