Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] grouper and openldap

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] grouper and openldap

Chronological Thread 
  • From: Mark Cairney <>
  • To:
  • Subject: Re: [grouper-users] grouper and openldap
  • Date: Tue, 31 Jan 2017 08:54:37 +0000
  • Ironport-phdr: 9a23:q/G5jhRTg7+pKA6fqZSFllAdl9psv+yvbD5Q0YIujvd0So/mwa69YhyN2/xhgRfzUJnB7Loc0qyN4vymBzBLuM3b+Fk5M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe71/IRG5oAnLt8QbjoRuJrs/xxfXv3BFZ/lYyWR0KFyJgh3y/N2w/Jlt8yRRv/Iu6ctNWrjkcqo7ULJVEi0oP3g668P3uxbDSxCP5mYHXWUNjhVIGQnF4wrkUZr3ryD3q/By2CiePc3xULA0RTGv5LplRRP0lCsKMSMy/WfKgcJyka1bugqsqQFhzY7aYI+bN/Rwca3SctwYWWVMRclRWzBbD427c4cCAeoMMOBFpIf9vVsOqh6+CBGrCuz10D9IhWL90LMg3OQgCwHG2hIvHtITu3nTq9v6Lr0SUeOvwKTW1zrDbulW2THj54nIaR0uv+yDUahqfsXN00UvCgDFg0yWpIf4PD2VzvwAv3WF4+dkT+6jlXMrpgFrrjSyxMogkJfFip4Lxlzc6Cl13oI4KcemREJmYdOoCoVcuz2HO4dsX88vTWBltSAnwbMco5G7ZjIFyJE/yh7fdfOHd4+I7wr4VOmPIDd4gmxqdKi+hxap60Sv1PDzWtOu31lWtCZFj9rMumgM1xzV9MeHVuNw8lq/1TuLzQzf9PxILEAumabGKZMt2KA8moYNvUjbGy/5gkT2jKuYdkU+/eio7vzqbLL8qZ+GNI94kB/zPb4vmsylB+Q3LAgPUnOF9uuhzrHs51H2TK9Xjv01iqXZqozVJdwHpq6lBA9Yyokj6wy4Dze7yNQXg2MHIEtYeBKckYfpIUrOLev8Dfe+mFSsjCxry+7cMr3gBJXNMmbMkK3nfblj905Q1hA/ws5C6JJJWfk9J6f8QEjsrNHCSwIiPhav6+fhFNhn0I4CAySCDrLKHrnVtAqt7/gsa8KFZZUTtSe1f90s/f2opnY4g1kQbIGk0d0eYzalHaI1cA2ifXPwj4JZQi8xtQ0kQbmyhQ==


I've found that using the sortVals setting on the member attribute
significantly reduces the impact of this, as does using the mdb backend
as opposed to bdb/hdb.

From the OpenLDAP docs:

olcSortVals: <attr> [...]
Specify a list of multi-valued attributes whose values will always
be maintained in sorted order. Using this option will allow Modify,
Compare, and filter evaluations on these attributes to be performed more
efficiently. The resulting sort order depends on the attributes' syntax
and matching rules and may not correspond to lexical order or any other
recognizable order. This setting is only allowed in the frontend entry.

We're using this setting along with a couple of groups of >200K members
and although CPU spikes for about 5-10 seconds when these groups are
modified it hasn't as yet caused a service issue.

Kind regards,


On 30/01/17 16:19, Michael R Gettes wrote:
> None that I have from this quick interrogatory.
> Sorry.
> /mrg
>> On Jan 30, 2017, at 11:00 AM, Jorj Bauer
>> <>
>> wrote:
>> Thanks.
>> Any data on whether or not specific OpenLDAP back-ends made significant
>> differences?
>> -- Jorj
>> Sent from my iPhone
>>> On Jan 30, 2017, at 10:50, Michael R Gettes
>>> <>
>>> wrote:
>>> I received only a few replies. Others have run into this limitation of
>>> openldap not being able to support large static group objects. The
>>> problem is really large numbers of multi-valued attributes (not just
>>> group objects). My observation is 5 seconds to update when the group
>>> object becomes greater than 35K-40K members. Apparently, openldap has to
>>> regenerate the member/uniquemember attributes for the entire object each
>>> time. This appears to be a known issue with openldap since at least
>>> October of 2003. People have switched to using 389/sun-oracle (the
>>> iPlanet derivatives) or Active Directory. There are probably other
>>> directory servers able to support large group objects as well - but it
>>> would appear openldap and derivates have this problem.
>>> i hope this helps.
>>> /mrg
>>>> On Jan 26, 2017, at 10:22 AM, Jorj Bauer
>>>> <>
>>>> wrote:
>>>> I'd love to hear an anonymized roll-up of what you find. We're in early
>>>> days of Grouper here and are picking a new LDAP back-end to replace our
>>>> Oracle DSEE - perfect timing for us to find out what our future troubles
>>>> are going to look like...
>>>> -- Jorj
>>>>> On 01/26/2017 09:49 AM, Michael R Gettes wrote:
>>>>> Hi All,
>>>>> A few months ago there was discussion around large groups for grouper.
>>>>> I believe someone from either UCLA or Oregon State (or maybe some place
>>>>> else) indicated they had groups of 400K. Would those people kindly
>>>>> contact me off list? I have a couple of questions for you - not about
>>>>> grouper perf concerns, but about non-grouper perf concerns.
>>>>> Thank you!
>>>>> /mrg


Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565

PGP: 0x435A9621


The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Attachment: signature.asc
Description: OpenPGP digital signature

Archive powered by MHonArc 2.6.19.

Top of Page