Grouper Developers Forum

[Tom Barton <>]

Steve Edgar wrote:
> We looked into singleton pairs because of limitations we found with 
> existing directory schema when trying to get fast query response times, 
> scalable support for private groups, and support for very large groups.  
> Singleton pairs is the only thing we've found so far which does all 3 of 
> these.
>
> Static groups easily allows scalable private groups, but we found the 
> directory server does not like large numbers of multi-valued 
> attributes.  Query response time decreases as static group size 
> increases.  Very large groups (over about 85K members if you are using 
> EPPN entries), will not load, are super slow.
>
> Using isMemberOf under uid entries allows for fast query response times, 
> but we do not have a scalable way to allow for private groups.  If 
> someone knows a good way to do this, we are quite interested.

Here's another way, though I have no experience with it. Use entries 
subordinate to each member's entry to list their private memberships, 
with one subordinate entry for each distinct read priv pertaining to the 
member's memberships. Ie, stripe the LDAP entries by read priv rather 
than by membership. If the number of distinct read privs in use is less 
than the number of memberships, this results in fewer LDAP entries to 
maintain.

For example, if uid=se10 belongs to a set of groups, and between them 
there are, say, two read priv values, GrouperAll and 
example:admin:it:sysadmins, then a sketch of the relevant entries looks like

dn:cn=se10-GrouperAll,uid=se10,ou=people,dc=example,dc=edu
isMemberOf: example:group1
isMemberOf: example:group2
cornelledugroupreadpriv: GrouperAll
cn:se10-GrouperAll

dn:cn=se10-example:admin:it:sysadmins,uid=se10,ou=people,dc=example,dc=edu
isMemberOf: example:group3
isMemberOf: example:group4
cornelledugroupreadpriv: example:admin:it:sysadmins
cn:se10-example:admin:it:sysadmins

Just a thought to stimulate further thought.

Tom
begin:vcard
fn:Tom Barton
n:Barton;Tom
org:University of Chicago;Networking Services & Information Technology
adr;dom:1155 E. 60th St.;;Rm 309, 1155 Bldg;Chicago;IL;60637
email;internet:
title:Sr. Director - Integration
tel;work:+1 773 834 1700
version:2.1
end:vcard