sim123,
(no top posting, please!)
sim123 wrote on 24.03.2011 at 01:10:
On Wed, Mar 23, 2011 at 5:01 PM, Indexer <indexer@internode.on.net> wrote:
On 24/03/2011, at 10:22, sim123 wrote:
I am designing LDAP schema and the structure looks like:

--ROOT
---- ou = people
------- cn = john smith
---- ou = groups
------ ou = group1
-------- member:john smith
------ ou = group2
-------- member: john smith

I would like to find out what all groups john smith belongs to (I have full dn) and all the members of a group. I am wondering about the performance of such search, since one person can be part of multiple groups and there can be thousands of groups in the server. If it's a relational database I can create a relationship table and put indexes in place. How can I get best performance with OpenLDAP? Or is there any other way I should design this?
Use the memberOf overlay. (12.8. Reverse Group Membership Maintenance) http://www.openldap.org/doc/admin24/overlays.html
Thanks for the really quick reply. I looked at the memberOf description and it really helps, as I can just do one search. But under the hood OpenLDAP will still look for every single group and find if "john smith" is a member of that group or not, is that right? If so, would slapd do any special optimization to get better performance? I am new to LDAP in general, so are they intended for such type of queries?
As far as I know, the overlay observes changes to groups, and if changes appear it modifies the memberof information in the member object. memberof is stored there like a "regular" attribute, so there is no need to examine all the groups in case of a memberof search. The downside is that activating the overlay has no effect on existing groups, because the memberof overlay has not seen any changes on these groups.
Marc
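
Added example, not part of the original thread: a small audit over an LDIF export that reports members listed in a group whose own entry carries no matching memberOf value, which is the state the last reply describes for groups that existed before the overlay was enabled. The dc=example,dc=com suffix, the groupOfNames entries and the function names are assumptions, and the LDIF and DN handling is simplified (no folded lines, no base64 values, no escaped commas).

```python
from collections import defaultdict

# Added example (not from the thread). Constructed sample export; memberOf is
# operational, so a real export must request it explicitly (memberOf or "+").
SAMPLE_LDIF = """\
dn: cn=john smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
memberOf: cn=group2,ou=groups,dc=example,dc=com

dn: cn=group1,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=John Smith,ou=people,dc=example,dc=com

dn: cn=group2,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=john smith,ou=people,dc=example,dc=com
"""

def norm_dn(dn):
    """Simplified DN normalisation: lowercase, trim around each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse unfolded, non-base64 LDIF into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs[name.strip().lower()].append(value.strip())
        if attrs.get("dn"):
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def missing_memberof(entries):
    """Return sorted (member_dn, group_dn) pairs lacking a memberOf back-link."""
    gaps = []
    for group_dn, attrs in entries.items():
        for member in attrs.get("member", []):
            m = norm_dn(member)
            have = {norm_dn(v) for v in entries.get(m, {}).get("memberof", [])}
            if m in entries and group_dn not in have:
                gaps.append((m, group_dn))
    return sorted(gaps)

if __name__ == "__main__":
    for member, group in missing_memberof(parse_ldif(SAMPLE_LDIF)):
        print(f"{member} lacks memberOf for {group}")
```

Any pair it reports is a membership that a search or access rule filtering on memberOf would not see, even though the group entry itself lists the member.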