grouper-users - Re: [grouper-users] grouper and openldap
Subject: Grouper Users - Open Discussion List
- From: Jorj Bauer <>
- To: Mark Cairney <>
- Cc: <>
- Subject: Re: [grouper-users] grouper and openldap
- Date: Tue, 31 Jan 2017 07:52:47 -0500
Thanks Mark!
Sent from my iPhone
> On Jan 31, 2017, at 03:54, Mark Cairney
> <>
> wrote:
>
> Hi,
>
> I've found that using the sortVals setting on the member attribute
> significantly reduces the impact of this, as does using the mdb backend
> as opposed to bdb/hdb.
>
> From the OpenLDAP docs:
>
> olcSortVals: <attr> [...]
> Specify a list of multi-valued attributes whose values will always
> be maintained in sorted order. Using this option will allow Modify,
> Compare, and filter evaluations on these attributes to be performed more
> efficiently. The resulting sort order depends on the attributes' syntax
> and matching rules and may not correspond to lexical order or any other
> recognizable order. This setting is only allowed in the frontend entry.
>
> We're using this setting along with a couple of groups of >200K members
> and although CPU spikes for about 5-10 seconds when these groups are
> modified it hasn't as yet caused a service issue.
>
> Kind regards,
>
> Mark
>
>> On 30/01/17 16:19, Michael R Gettes wrote:
>> None that I have from this quick interrogatory.
>>
>> Sorry.
>>
>> /mrg
>>
>>> On Jan 30, 2017, at 11:00 AM, Jorj Bauer
>>> <>
>>> wrote:
>>>
>>> Thanks.
>>>
>>> Any data on whether or not specific OpenLDAP back-ends made significant
>>> differences?
>>>
>>> -- Jorj
>>>
>>> Sent from my iPhone
>>>
>>>> On Jan 30, 2017, at 10:50, Michael R Gettes
>>>> <>
>>>> wrote:
>>>>
>>>> I received only a few replies. Others have run into this limitation of
>>>> openldap not being able to support large static group objects. The
>>>> problem is really large numbers of multi-valued attributes (not just
>>>> group objects). My observation is 5 seconds to update when the group
>>>> object becomes greater than 35K-40K members. Apparently, openldap has
>>>> to regenerate the member/uniquemember attributes for the entire object
>>>> each time. This appears to be a known issue with openldap since at
>>>> least October of 2003. People have switched to using 389/sun-oracle
>>>> (the iPlanet derivatives) or Active Directory. There are probably other
>>>> directory servers able to support large group objects as well - but it
>>>> would appear openldap and derivatives have this problem.
>>>>
>>>> I hope this helps.
>>>>
>>>> /mrg
>>>>
>>>>> On Jan 26, 2017, at 10:22 AM, Jorj Bauer
>>>>> <>
>>>>> wrote:
>>>>>
>>>>> I'd love to hear an anonymized roll-up of what you find. We're in early
>>>>> days of Grouper here and are picking a new LDAP back-end to replace our
>>>>> Oracle DSEE - perfect timing for us to find out what our future
>>>>> troubles are going to look like...
>>>>>
>>>>> -- Jorj
>>>>>
>>>>>
>>>>>> On 01/26/2017 09:49 AM, Michael R Gettes wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> A few months ago there was discussion around large groups for grouper.
>>>>>> I believe someone from either UCLA or Oregon State (or maybe some
>>>>>> place else) indicated they had groups of 400K. Would those people
>>>>>> kindly contact me off list? I have a couple of questions for you -
>>>>>> not about grouper perf concerns, but about non-grouper perf concerns.
>>>>>>
>>>>>> Thank you!
>>>>>>
>>>>>> /mrg
>>>>>>
>>>>
>>
>>
>
> --
> /****************************
>
> Mark Cairney
> ITI Enterprise Services
> Information Services
> University of Edinburgh
>
> Tel: 0131 650 6565
> Email:
>
> PGP: 0x435A9621
>
> *******************************/
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
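The olcSortVals setting quoted in Mark's message, written out as a cn=config change. This is an added example, not configuration posted by anyone in the thread; it assumes slapd uses the cn=config backend and that the large groups store their members in `member` and/or `uniqueMember`.

```ldif
# Added example (not from the thread).
# olcSortVals is only allowed in the frontend entry, so the change targets
# olcDatabase={-1}frontend rather than the mdb/hdb database entry.
# Assumption: group membership is held in member and/or uniqueMember.
# One way to apply it on the LDAP server itself:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f sortvals.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcSortVals
olcSortVals: member
olcSortVals: uniqueMember
```

For a server still configured through slapd.conf, the equivalent is the global directive `sortvals member uniqueMember`.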