Re: Efficient Searching for Groups & its members

To: Marc Patermann <hans.moser@ofd-z.niedersachsen.de>

Subject: Re: Efficient Searching for Groups & its members

From: sim123 <Sim3159@gmail.com>

Date: Thu, 24 Mar 2011 09:26:57 -0700

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=iGNN/uOSL5qHE6RHhyeVHnI9GJkTZhOZavQtoo4bE+E=; b=DHhS0XIzP1aPeVAJqaxoLhMpHOK3BMbugTH2Ol5sh+LMh/l1EB9p44LXK8ONN8zZk0 zm1uYiH5LA0eUFk2L8OgHXOhjbpTwcdxXlV94jyLpmS/ZdN09Rsu/FoucAgXluxfKZK8 OFr2aq83QlsWlGXPZAkSyyVJvFrMCcRRHzE2Y=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=lltJ6pIadJOCRk9P+hD/tZAAn3oauTt0IkQ/gwhoIsxG/WX7QHlh3kSgvvmfnVbLky OVHUHWFW8dZ3BE2xzi4C+wNVf+Lcb8s+9c9Yvjp88+w13Et++ldjgEI2NIvfXXblJvon KE1A2kVT33U0D5Re6QLIEbesPn9e8DipgbprU=

In-reply-to: <4D8B034D.6050707@ofd-z.niedersachsen.de>

References: <AANLkTinA5r6SAX2ZJshAfGmSZ0Dh=5XRbHz9pUZ13Mv+@mail.gmail.com> <C53017D6-6ABE-4A0C-8A05-AF41A7EC3BAD@internode.on.net> <AANLkTik3_8wo_FC=pzkpOj9Cu8adD4dsW+=sCpQkJ9+o@mail.gmail.com> <4D8B034D.6050707@ofd-z.niedersachsen.de>

On Thu, Mar 24, 2011 at 1:39 AM, Marc Patermann <hans.moser@ofd-z.niedersachsen.de> wrote:

sim123,

(no top posting, please!)

sim123 schrieb am 24.03.2011 01:10 Uhr:

On Wed, Mar 23, 2011 at 5:01 PM, Indexer <indexer@internode.on.net <mailto:indexer@internode.on.net>> wrote:
> On 24/03/2011, at 10:22, sim123 wrote:

I am designing LDAP schema and the structure looks like :

--ROOT
---- ou = people
------- cn = john smith
---- ou = groups
------ ou = group1
-------- member:john smith
------ ou = group2
-------- member: john smith

I would like to find out what all groups john smith belongs to (I
have full
dn) and all the members of a group. I am wondering about the
performance of
such search, since one person can be part of multiple groups and
there can
be thousands of groups in the server. If its a relational database
I can
create a relationship table and put indexes in place. How can I
get best
performance with OpenLDAP? Or is there any other way I should
design this?

Use the memberOf overlay. ( 12.8. Reverse Group Membership Maintenance )

http://www.openldap.org/doc/admin24/overlays.html

> Thanks for really quick reply. I looked at memberOf description and it
> really helps as I can just do one search. But under the hood OpenLDAP
> will still look for every single group and find if "john smith" is
> member of that group or not, is that right? If so, would slapd do any
> special optimization to get better performance? I am new to LDAP in
> general, so are they intended for such type of queries?
As far as I know, the overlay observes changes to groups and if changes appear it modifys the memberof information in the member object. memberof is stored there like a "regular" attribute. so there is no need to examine all the groups in case of a memberof search.
The downside is that activating the overlay has no effect on existing groups, because the memberof overlay has not seen any changes on these groups.

Marc

-Simon

P.S. gmail does top posting by default, I will keep that in mind from next time :)