Discussion:
Millions of users linked into a single group
(too old to reply)
Alessandro Lasmar Mourão
2015-10-27 12:11:57 UTC
Permalink
Hello,


I wonder if there is any limitation on the number of users linked to a group groupOfUniqueNames type?

We will provide an application on the Internet for more than 10 million users, and all these users belong (uniqueMember) to a single group.

Our support reported that it is recommended that the user group should not have more than 16,000 members, this information accurate?


Regards,


Alessandro Lasmar Mourão
Howard Chu
2015-10-28 01:10:17 UTC
Permalink
Content preview: Alessandro Lasmar Mourão wrote: > Hello, > > I wonder if there
is any limitation on the number of users linked to a group > groupOfUniqueNames
type? > We will provide an application on the Internet for more than 10 million
users, > and all these users belong (uniqueMember) to a single group. > Our
support reported that it is recommended that the user group should not >
have more than 16,000 members, this information accurate? [...]

Content analysis details: (-4.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[69.43.206.106 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: highlandsun.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -4.2 (----)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Alessandro Lasmar Mourão wrote: > Hello, > > I wonder if there
is any limitation on the number of users linked to a group > groupOfUniqueNames
type? > We will provide an application on the Internet for more than 10 million
users, > and all these users belong (uniqueMember) to a single group. > Our
support reported that it is recommended that the user group should not >
have more than 16,000 members, this information accurate? [...]

Content analysis details: (-4.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[69.43.206.106 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: highlandsun.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Post by Alessandro Lasmar Mourão
Hello,
I wonder if there is any limitation on the number of users linked to a group
groupOfUniqueNames type?
We will provide an application on the Internet for more than 10 million users,
and all these users belong (uniqueMember) to a single group.
Our support reported that it is recommended that the user group should not
have more than 16,000 members, this information accurate?
As I recall, older versions of M$ Active Directory had a size limit of 16384
members. Maybe other directory servers did as well. No such limit exists in
OpenLDAP. Note that use of uniqueMember is discouraged in LDAP, you should
just use member.

In slapd you should configure sortvals on the member attribute to have
reasonable comparison speeds on lookups and modifications for such a large
attribute.

Generally it's a bad idea to use static groups of this size, you're better off
using a dynamic group instead.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Michael Ströder
2015-10-28 08:58:54 UTC
Permalink
Post by Howard Chu
Post by Alessandro Lasmar Mourão
I wonder if there is any limitation on the number of users linked to a group
groupOfUniqueNames type?
We will provide an application on the Internet for more than 10 million users,
and all these users belong (uniqueMember) to a single group.
Our support reported that it is recommended that the user group should not
have more than 16,000 members, this information accurate?
As I recall, older versions of M$ Active Directory had a size limit of 16384
members. Maybe other directory servers did as well. No such limit exists in
OpenLDAP. Note that use of uniqueMember is discouraged in LDAP, you should
just use member.
In slapd you should configure sortvals on the member attribute to have
reasonable comparison speeds on lookups and modifications for such a large
attribute.
Generally it's a bad idea to use static groups of this size, you're better off
using a dynamic group instead.
Very true.

I'd also ask for the real requirements:
Do you really need a group 'all users'?
Because if any authenticated user is always member of this group anyway you
can design your access control rules simply with "grant right X to all
authenticated users" instead of "grant right X to group 'all users'".

And especially *all* client developers have to handle such a big group
reasonably, which means at least:
1. Don't read the whole group entry to determine group membership.
2. Don't maintain group membership by writing all member values at once.
Experience shows that you have to make this clear to developers. :-(

Also you have to take care about stablereplication. AFAICT you should use
delta-syncrepl and may have to adjust sockbuf_max_incoming_auth (see
slapd.conf(5)).

Ciao, Michael.
julien soula
2015-10-28 16:23:35 UTC
Permalink
Post by Howard Chu
OpenLDAP. Note that use of uniqueMember is discouraged in LDAP, you should
just use member.
I didn't know it ? Have you some links that explain why ?

sincerly,
--
Julien
<< Vous n'avez rien a dire... Parlons-en! >>
Dieter Klünter
2015-10-28 18:50:55 UTC
Permalink
On Wed, Oct 28, 2015 at 01:10:17AM +0000, Howard Chu wrote: > > OpenLDAP.
Note that use of uniqueMember is discouraged in LDAP, you > > should just
use member. > > I didn't know it ? Have you some links that explain why ?
[...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: univ-lille2.fr]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Am Wed, 28 Oct 2015 17:23:35 +0100
Post by Howard Chu
OpenLDAP. Note that use of uniqueMember is discouraged in LDAP, you
should just use member.
I didn't know it ? Have you some links that explain why ?
How would you provide uniqueness?
See RFC-4519, section 2.40

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Pedro Roger
2015-10-28 01:09:34 UTC
Permalink
Alessandro,

All i can say is that in our directory we have 18848 users in a single
group and no problems so far.
Maybe someone else would reply about a upper boundary of groupOfUniqueNames.

2015-10-27 9:11 GMT-03:00 Alessandro Lasmar Mourão <
Post by Alessandro Lasmar Mourão
Hello,
I wonder if there is any limitation on the number of users linked to a
group groupOfUniqueNames type?
We will provide an application on the Internet for more than 10 million
users, and all these users belong (uniqueMember) to a single group.
Our support reported that it is recommended that the user group should not
have more than 16,000 members, this information accurate?
Regards,
Alessandro Lasmar Mourão
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Pedro Roger Magalhães Vasconcelos
http://www.proger.eti.br
Michael Ströder
2015-10-28 15:18:40 UTC
Permalink
Post by Pedro Roger
All i can say is that in our directory we have 18848 users in a single
group
This is fairly small.
Post by Pedro Roger
and no problems so far.
The original poster asked about 10 million group members which is more than
*500* times more than what you have.
Post by Pedro Roger
Maybe someone else would reply about a upper boundary of groupOfUniqueNames.
In theory there is no limit. In practice one will have to carefully deal with
such a big group entry.

Ciao, Michael.
Post by Pedro Roger
2015-10-27 9:11 GMT-03:00 Alessandro Lasmar Mourão <
Post by Alessandro Lasmar Mourão
Hello,
I wonder if there is any limitation on the number of users linked to a
group groupOfUniqueNames type?
We will provide an application on the Internet for more than 10 million
users, and all these users belong (uniqueMember) to a single group.
Our support reported that it is recommended that the user group should not
have more than 16,000 members, this information accurate?
Regards,
Alessandro Lasmar Mourão
Loading...