
Re: Large Number of Transactions x Low performance



Alessandro Lasmar Mourao wrote:
> I work in a company that has 140,000 registered users in OpenLDAP. This
> OpenLDAP is used for authentication of our internal systems. In our tree of
> groups we have the systems and below each system there are the groups'
> authorization (systems profiles). The user is bound in each group according
> to position, function and department in the company. When a user replaces
> another user hierarchically higher, this user is taken from the respective
> group (that he belonged) and registered in user_group with the highest
> hierarchy. This movement in the company is very common, and this is the
> cause of our problems. We have a group with 50,000 registered users, and
> when we need to delete a user of that group or add a new one, OpenLDAP
> takes up to 6 minutes to effect the transaction. We have a tool (BMC
> Identity Management (formerly Control-SA)) that automates the transactions,
> but due to the delay in the transactions we have a row of 100,000 operations
> of insert / delete to perform. I wonder if you have any way to improve the
> performance of OpenLDAP for these write operations. The OpenLDAP version is
> 2.4.40.

Do you use the term "group" actually for a node in the tree?
If yes, this sounds like a broken DIT design.

Also it seems your management client application is not able to leverage
renaming whole trees with a single modrdn request (as supported in back-hdb
and back-mdb). Instead it moves user entries one by one. This is also a waste of
resources.

You should seriously consider a partial re-design and another management
application.

Ciao, Michael.
