Hello,
I wonder if there is any limitation on the number of users linked to a group of the groupOfUniqueNames type?
We will provide an application on the Internet for more than 10 million users, and all these users belong (uniqueMember) to a single group.
Our support reported that it is recommended that the user group should not have more than 16,000 members; is this information accurate?
Regards,
Alessandro Lasmar Mourão
Alessandro,
All I can say is that in our directory we have 18848 users in a single group and no problems so far. Maybe someone else would reply about an upper boundary of groupOfUniqueNames.
2015-10-27 9:11 GMT-03:00 Alessandro Lasmar Mourão <alessandrolm@yahoo.com.br>:
Hello,
I wonder if there is any limitation on the number of users linked to a group of the groupOfUniqueNames type? We will provide an application on the Internet for more than 10 million users, and all these users belong (uniqueMember) to a single group. Our support reported that it is recommended that the user group should not have more than 16,000 members; is this information accurate?
Regards,
Alessandro Lasmar Mourão
Pedro Roger wrote:
All I can say is that in our directory we have 18848 users in a single group
This is fairly small.
and no problems so far.
The original poster asked about 10 million group members which is more than *500* times more than what you have.
Maybe someone else would reply about an upper boundary of groupOfUniqueNames.
In theory there is no limit. In practice one will have to carefully deal with such a big group entry.
Ciao, Michael.
Alessandro Lasmar Mourão wrote:
Hello,
I wonder if there is any limitation on the number of users linked to a group of the groupOfUniqueNames type? We will provide an application on the Internet for more than 10 million users, and all these users belong (uniqueMember) to a single group. Our support reported that it is recommended that the user group should not have more than 16,000 members; is this information accurate?
As I recall, older versions of M$ Active Directory had a size limit of 16384 members. Maybe other directory servers did as well. No such limit exists in OpenLDAP. Note that use of uniqueMember is discouraged in LDAP, you should just use member.
In slapd you should configure sortvals on the member attribute to have reasonable comparison speeds on lookups and modifications for such a large attribute.
Generally it's a bad idea to use static groups of this size, you're better off using a dynamic group instead.
Howard Chu wrote:
Alessandro Lasmar Mourão wrote:
I wonder if there is any limitation on the number of users linked to a group of the groupOfUniqueNames type? We will provide an application on the Internet for more than 10 million users, and all these users belong (uniqueMember) to a single group. Our support reported that it is recommended that the user group should not have more than 16,000 members; is this information accurate?
As I recall, older versions of M$ Active Directory had a size limit of 16384 members. Maybe other directory servers did as well. No such limit exists in OpenLDAP. Note that use of uniqueMember is discouraged in LDAP, you should just use member.
In slapd you should configure sortvals on the member attribute to have reasonable comparison speeds on lookups and modifications for such a large attribute.
Generally it's a bad idea to use static groups of this size, you're better off using a dynamic group instead.
Very true.
I'd also ask for the real requirements: Do you really need a group 'all users'? Because if any authenticated user is always member of this group anyway you can design your access control rules simply with "grant right X to all authenticated users" instead of "grant right X to group 'all users'".
And especially *all* client developers have to handle such a big group reasonably, which means at least: 1. Don't read the whole group entry to determine group membership. 2. Don't maintain group membership by writing all member values at once. Experience shows that you have to make this clear to developers. :-(
Also you have to take care about stable replication. AFAICT you should use delta-syncrepl and may have to adjust sockbuf_max_incoming_auth (see slapd.conf(5)).
Ciao, Michael.
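
Added example, not part of the original thread or of any poster's code: a stdlib-only Python sketch of the two client rules above, a membership check that never fetches the member list and a membership update that sends only the changed values. The DNs, function names and the returned dict layout are assumptions for illustration; the search parameters and the LDIF would be handed to whatever LDAP client library or tool is in use.

```python
# Added example (stdlib only): builds the requests; it does not contact a server.
import base64

def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte >= 0x80:
            out.append("\\%02x" % byte)   # hex-escape metacharacters and non-ASCII
        else:
            out.append(chr(byte))
    return "".join(out)

def membership_search(group_dn, user_dn, attr="member"):
    """Base-scope search that matches only if user_dn is a value of attr.

    Requesting "1.1" (no attributes) keeps the server from returning the
    member list, so the client never downloads the whole group entry.
    """
    return {"base": group_dn, "scope": "base", "attrs": ["1.1"],
            "filter": "(%s=%s)" % (attr, escape_filter_value(user_dn))}

def ldif_attrval(attr, value):
    """One LDIF line; base64-encode values that are not SAFE-STRINGs (RFC 2849)."""
    raw = value.encode("utf-8")
    safe = (all(0 < b < 0x80 and b not in (10, 13) for b in raw)
            and not raw.startswith((b" ", b":", b"<")) and not raw.endswith(b" "))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))

def member_delta_ldif(group_dn, add=(), remove=(), attr="member"):
    """LDIF modify record that adds/deletes individual values, never 'replace'."""
    lines = [ldif_attrval("dn", group_dn), "changetype: modify"]
    for op, dns in (("add", list(add)), ("delete", list(remove))):
        if dns:
            lines.append("%s: %s" % (op, attr))
            lines += [ldif_attrval(attr, dn) for dn in dns]
            lines.append("-")
    if len(lines) == 2:
        raise ValueError("no membership change requested")
    return "\n".join(lines) + "\n"

# Constructed sample values (hypothetical DNs).
GROUP = "cn=all-users,ou=groups,dc=example,dc=com"
if __name__ == "__main__":
    print(membership_search(GROUP, "uid=a*(b),ou=people,dc=example,dc=com"))
    print(member_delta_ldif(GROUP, add=["uid=new,ou=people,dc=example,dc=com"],
                            remove=["uid=old,ou=people,dc=example,dc=com"]))
```

Escaping the user DN before it goes into the filter also keeps a DN containing `*`, `(` or `)` from changing the meaning of the membership check.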
On Wed, Oct 28, 2015 at 01:10:17AM +0000, Howard Chu wrote:
OpenLDAP. Note that use of uniqueMember is discouraged in LDAP, you should just use member.
I didn't know it? Have you some links that explain why?
sincerely,
On Wed, 28 Oct 2015 17:23:35 +0100, julien soula jsoula@univ-lille2.fr wrote:
On Wed, Oct 28, 2015 at 01:10:17AM +0000, Howard Chu wrote:
OpenLDAP. Note that use of uniqueMember is discouraged in LDAP, you should just use member.
I didn't know it? Have you some links that explain why?
How would you provide uniqueness? See RFC-4519, section 2.40
-Dieter