[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Large user bases cause huge number of roleOccupant in role organizationalRole

To: Howard Chu <hyc@symas.com>, openldap-technical@openldap.org
Subject: Re: Large user bases cause huge number of roleOccupant in role organizationalRole
From: Huang Hongfu <huang.hongfu@adnovum.ch>
Date: Mon, 27 Mar 2017 09:30:05 +0200
In-reply-to: <47be0d40-dbb1-f9d2-838c-02de5dc811c7@symas.com>
Organization: AdNovum Informatik AG
References: <89a2f725-1d8a-c153-d338-0d82d9cf6222@adnovum.ch> <WM!3917c5769c7fe7212d93b318b4eeac97ae0bc8b8bed4ca4eed467c01869de4b41be75ed9371f412631c508a501aeb0bd!@mailstronghold-1.zmailcloud.com> <47be0d40-dbb1-f9d2-838c-02de5dc811c7@symas.com>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

Dear Howard,

Good Morning from Switzerland. Thanks for your quick reply!

I am agree with you, the schema design is wrong from the beginning. Iwould like to change it from organizationalRole (static group) to"groupOfURLs + Dynamic Lists overlay" (dynamic group).


What are your opinions or suggestions for such a migration?


Best regards

Hongfu


On 24/03/17 20:25, Howard Chu wrote:

Huang Hongfu wrote:
Hello,
In a general design, we have a role, which is an object oforganizationalRole.Within this role, let us say it will have more than 10 million users.Each
user has a roleOccupant in the role object.

You can imagine how huge this role object can be! This will cause a big
performance problem. Especially with LMDB as backend, the "add newuser" willbecome very slow at some point; and the replication will be verydifficult
even we setup a delta (with accesslog and session log) replication.
From my point of view, organizationalRole is not designed for largeuser bases.
Or someone has a better idea?
The same logic as used in indexing applies here - it is stupid todefine a case for something that matches the majority of yourpopulation. I.e., it's stupid to define a presence index on anattribute if that attribute occurs in the majority of your entries. Itis stupid to define a group or role if the majority of entries will bea member of it. A presence index is only useful if the attributeoccurs rarely. A group/role is only useful if the members are aminority of the total population.
In this case you should define a group/role for all users who *aren't*part of the majority.
Meanwhile, for people with stupid data models, performance with largeattributes in back-mdb is greatly improved in OpenLDAP 2.5.


--

Hongfu Huang, Senior System Engineer
MSc in Computer Science

We're the tech in Fintech: www.adnovum.ch/fintech


AdNovum Informatik AG
Wengistrase 7, 8005 Zurich, Switzerland
phone +41 44 272 6111, Direct: +41 44 270 5266
huang.hongfu@adnovum.ch
www.adnovum.ch

Locations: Zurich (HQ), Bern, Budapest, Ho Chi Minh City, Singapore

References:
- Large user bases cause huge number of roleOccupant in role organizationalRole
  - From: Huang Hongfu <huang.hongfu@adnovum.ch>
- Re: Large user bases cause huge number of roleOccupant in role organizationalRole
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: OpenLDAP Tutorial on YouTube Channel
Next by Date: Re: Large user bases cause huge number of roleOccupant in role organizationalRole
Index(es):
- Chronological
- Thread