Alessandro Lasmar Mourao wrote:

> I work in a company that has 140,000 registered users in OpenLDAP. This
> OpenLDAP is used for authentication of our internal systems. In our tree of
> groups we have the systems and below each system there are the groups'
> authorizations (system profiles). The user is bound in each group according
> to position, function and department in the company. When a user replaces
> another user hierarchically higher, this user is taken from the respective
> group (that he belonged to) and registered in the user group with the highest
> hierarchy. This movement in the company is very common, and this is the
> cause of our problems. We have a group with 50,000 registered users, and
> when we need to delete a user from that group or add a new one, OpenLDAP
> takes up to 6 minutes to effect the transaction. We have a tool (BMC
> Identity Management (formerly Control-SA)) that automates the transactions,
> but due to the delay in the transactions we are left with a queue of 100,000
> insert / delete operations to perform. I wonder if you have any way to
> improve the performance of OpenLDAP for these write operations. The OpenLDAP
> version is 2.4.40.

Do you actually use the term "group" for a node in the tree? If yes, this sounds like a broken DIT design.

Also it seems your management client application is not able to leverage renaming whole trees with a single modrdn request (as supported in back-hdb and back-mdb). Instead it moves user entries one by one. This is also a waste of resources.

You should seriously consider a partial re-design and another management application.

Ciao, Michael.