LDAP DIT:

Hi

I have a current setup in which I have an LDAP server which has about 80,000 entries (o=xxxxx.com) in it. Again we have around 2000 individual DS instances, each with around 500 entries (ou=srv0001,o=xxxxx.com). All the servers are on individual boxes. All are Sun ONE 5.2sp4 on AIX and are under a suffix o=xxxxxx.com.

Now we want to have a central LDAP which has the entire data, including the data of the 2000 servers and also the 80,000 entries.

We want to have each individual server's data under an OU in the central LDAP in the following way:

ou=srv9000,o=xxxxx.com (80,000 entries)

ou=srv0001,o=xxxxx.com

ou=srv0002,o=xxxxx.com

--

ou=srv2000,o=xxxxx.com

The first ou=srv9000 has all the 80,000 entries and the rest of the data is in the other OUs (ou=srv0001 for server no. 1, ou=srv0002 for server no. 2 and so on till ou=srv2000 for server no. 2000).

So my first question is: is it advisable to have around 2000+ OUs on a single DS instance? Because from the volume point of view we have around 1.1 million entries, which should be fine for a DS instance. Would this kind of DIT be good from the performance point of view?

Again, we have around 15-20 static groups (with the same cn in all 2000 servers, but with different entries) defined in each of the 2000 servers.

So would it be possible for me to have a dynamic group with an LDAP filter on the "nsroledn" attribute, as static groups can only have around 20,000 entries? Suggestions on this would be really appreciated...

Regards

By anandkaturia at 2007-11-26 21:18:05
# 1

So my first question is: is it advisable to have around 2000+ OUs on a single DS instance? Because from the volume point of view we have around 1.1 million entries, which should be fine for a DS instance. Would this kind of DIT be good from the performance point of view?

My response, from experience: it should not have an impact, as long as you set your allidsthreshold to ensure the value is enough to accommodate all child objects under the root context.

So would it be possible for me to have a dynamic group with an LDAP filter on the "nsroledn" attribute, as static groups can only have around 20,000 entries?

My response: not sure what you are trying to accomplish with this, so if you could explain some more...

prem

premSa at 2007-7-10 2:56:48
# 2

Hi,

As far as I know there is no performance issue with having many OUs and entries underneath. The level of performance from the Directory Server is more tied to the amount of memory available and the efficiency of the disks.

Now with regards to your second question on dynamic groups, it is not a good idea to mix dynamic groups and nsRoleDN as Roles are already a grouping mechanism, so they would be redundant.

So I would suggest that you only consider Roles (and the different types of Roles: managed, filtered...). Operations for retrieving member lists, checking membership and ACIs will become simple and consistent.

Regards,

Ludovic.

ludovicpa at 2007-7-10 2:56:48
# 3

Thanks for your replies:

Prem,

In the current setup, on each of the 2000 individual servers we have around 20 static groups defined, each with some entries, and these groups have the same "cn" in all the 2000 servers. So as you know we are planning to have all this data in a central LDAP, and continuing with the existing setup would create around (2000*20) groups in the central LDAP, which would be a hard thing to manage.

So we thought we would go for a central group (one for each of the 20 groups) under the main suffix. But with this approach the thing is that we can't go for static groups, as the number of entries in each group is going to be greater than 20,000. So we have to go for the dynamic groups option.

But for this again we don't have any certain attributes based on which we can create the dynamic groups, as we have been adding members to the static groups manually in the current setup. So that is the reason why I was planning to create some Roles and then create dynamic groups based on the Roles defined.

Anyway, the good thing is that they are planning to change the whole DIT in the central LDAP after having these many issues. Thanks for your replies once again.

anandkaturia at 2007-7-10 2:56:48
# 4
Or you may want to upgrade to Directory Server 6.0, which includes some major improvements with regards to static group scalability, and we've tested it with very large static groups (over 100,000 members).

Regards,

Ludovic.

ludovicpa at 2007-7-10 2:56:48
# 5
Ludovic,

anandkaturia at 2007-7-10 2:56:48
# 6

Ludovic,

What would be the best DIT structure that would be able to answer three questions?

1) Who are all the associates belonging to a certain OU?

2) Which associates belong to a group, irrespective of the OUs they belong to? (Each OU has around 20 static groups and the members of these groups are the entries in that particular OU; like this we have groups in all the 2000 OUs. The name of the group in all the OUs is the same.)

3) Given a userid, what groups does he belong to?

I have two DIT designs in mind and I would like you to suggest the DIT that can perform the search operations for the above three questions in the best way. The options are as follows:

Option-1:

Adding the 2000 OUs (LDIFs from the 2000 individual servers) to the central LDAP and maintaining the current setup? But again I have around 20 groups in each of the OUs... I cannot have a central dynamic group with the current system, as the groups are static and the members are above 20,000 in each group.

So I have only the option of creating a Role and then creating dynamic roles based on this "nsrole" attribute... I know that you said that it is not a good idea to go that way. I don't have any other option left?

Option-2:

Create a DIT as follows:

ou=people,dc=xxxxxx,dc=com contains all the entries from the corporate and store entries

Then under "ou=groups,dc=xxxxxx,dc=com" I will create dynamic groups. For question 1, I can do this as I have an attribute "locationnumber". But I don't have any special attribute for the groups in the OUs to define a central dynamic group under the root.

And finally, is there a way to find out the groups a member belongs to when you search on the userid?

Please let me know the answers for this... I would really appreciate it if you can do this...

Regards

anandkaturia at 2007-7-10 2:56:48
# 7

Directory Server 6.0 includes a new feature which allows reading a user entry and retrieving all the (static) groups a user is a member of.

This is done through the operational attribute isMemberOf.

The nsRole attribute does the same thing for Roles, independently of the type of Role (managed, filtered or nested).

nsRole can also be used in a search filter, so you can find all users that have a specific role.

Note that you cannot create a new (dynamic) role based on the nsRole which is itself an operational attribute that reflects all the roles a user is in.

You may want to read the Directory Server Deployment Guide, the Directory Information Tree chapter, "Grouping Directory Entries" section, for more information on groups and roles.

<http://docs.sun.com/source/817-5218/dit.html#wp19922>

Regards,

Ludovic

ludovicpa at 2007-7-10 2:56:48
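Added example, constructed for this page and not taken from the thread or from Sun's documentation: Option-2 laid out as LDIF with Roles replacing the per-OU static groups, which is what the replies above recommend. The suffix dc=example,dc=com, the role names and the user are assumptions; locationnumber is the attribute the poster mentioned, and the suffix entry is assumed to exist already.

```ldif
# Constructed example, not from the thread: the Option-2 DIT with Roles in place
# of 2000 x 20 static groups. Suffix dc=example,dc=com stands in for the real one.
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# Question 1 (who belongs to a given OU/location): a filtered role keyed on the
# poster's existing locationnumber attribute, so membership needs no maintenance.
dn: cn=loc-0001,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsFilteredRoleDefinition
cn: loc-0001
nsRoleFilter: (locationnumber=0001)

# Question 2 (one group name across all 2000 OUs): one managed role replaces the
# 2000 same-named static groups; members carry nsRoleDN instead of being listed.
dn: cn=storemanagers,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: storemanagers

# A user: extensibleObject is only here so the example loads without a custom
# schema for locationnumber (assumed name); define it properly in production.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: extensibleObject
uid: jdoe
cn: Jane Doe
sn: Doe
locationnumber: 0001
nsRoleDN: cn=storemanagers,dc=example,dc=com

# Question 3 (which roles does a user hold): read the computed nsRole attribute.
#   ldapsearch -b "ou=people,dc=example,dc=com" "(uid=jdoe)" nsRole
# All members of one role across every location, via a filter on nsRole:
#   ldapsearch -b "ou=people,dc=example,dc=com" "(nsRole=cn=storemanagers,dc=example,dc=com)"
```

Both roles are defined directly under the suffix so their scope covers all of ou=people; an ACI granting read on nsRole is needed before unprivileged binds can see the computed membership.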
# 8
Thanks for your prompt answers... we are looking into the option of going to 6.0 as you said...

Regards

anandkaturia at 2007-7-10 2:56:48