Alessandro Lasmar Mourao wrote:
I work in a company that has 140,000 registered users in OpenLDAP.
OpenLDAP is used for authentication of our internal systems. In our tree of
groups we have the systems and below each system there are the groups'
authorization (systems profiles). The user is bound in each group according
to position, function and department in the company. When a user replaces
another user hierarchically higher, this user is taken from the respective
group (that he belonged) and registered in user_group with the highest
hierarchy. This movement in the company is very common, and this is the
cause of our problems. We have a group with 50,000 registered users, and
when we need to delete a user of that group or add a new one, OpenLDAP
takes up to 6 minutes to effect the transaction. We have a tool (BMC
Identity Management (formerly Control-SA)) that automates the transactions,
but due to the delay in the transactions there is a queue of 100,000 insert /
delete operations to perform. I wonder if you have any way to improve the
performance of OpenLDAP for these write operations. The OpenLDAP version is

Do you use the term "group" actually for a node in the tree?
If yes, this sounds like a broken DIT design.
Also it seems your management client application is not able to leverage
renaming whole trees with a single modrdn request (as supported in back-hdb
and back-mdb). Instead it moves user entries one by one. This is also a waste of
You should seriously consider a partial re-design and another management
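An added illustration, not from the thread, of the single-request subtree move the reply refers to; the DNs are placeholders. With back-hdb or back-mdb, one modrdn carrying newsuperior relocates an entry together with everything beneath it, instead of one operation per user entry.

```ldif
# Added example with placeholder DNs, not taken from the thread.
# Move the container ou=sales,ou=systems,dc=example,dc=com and every
# entry below it under ou=archive,dc=example,dc=com in one request.
# back-hdb and back-mdb apply this as a subtree rename; a backend without
# subtree-rename support refuses it because the entry has children.
dn: ou=sales,ou=systems,dc=example,dc=com
changetype: modrdn
newrdn: ou=sales
deleteoldrdn: 1
newsuperior: ou=archive,dc=example,dc=com
```

Apply it with ldapmodify -x -H ldap://server -D "cn=admin,dc=example,dc=com" -W -f move.ldif (bind DN and host are placeholders); a slapd log showing a single MODRDN rather than thousands of MOD/ADD/DEL lines confirms the client used the subtree rename.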