> On Jun 25, 2017, at 10:34 AM, Yudhi Karunia Surtan <[email protected]> wrote:
>
> Did someone ever try to use Fortress while having LDAP entries for around
> 10 million entries?
> I'm curious if Fortress is able to handle so many entries below ou=people.
> Honestly, I'm a newbie in LDAP, and in some experiments AccessMgr will
> get a timeout when ou=people is filled with so many entries.
> I don't think increasing the timeout is the solution; more entries will
> also mean increasing the timeout setting later.
Yudhi,

I just loaded up 1M users and there is no performance degradation. It took about 20 minutes to create the users, longer to assign each user 10 roles. No surprise there, LDAP is made for this. Of course the indexes need to be in place, which if you follow the default setup for OpenLDAP they will be.

There is a caveat: Fortress supports two-way user-role assignments. That is, the role attribute is stored on the user object, and the user membership is on the Role object. The latter is to be compatible with non-RBAC implementations that use traditional group membership lookups for access control. The problem is when groups have large numbers of users, i.e. tens of thousands; performance degrades on the edits of those objects.

Strictly speaking Fortress doesn't need to associate user membership with roles for its RBAC controls, so I am going to add an option to disable it, with a config switch. Something along the lines of:

    role.occupants = false  <-- disable role-to-user mapping
    role.occupants = true   <-- enable role-to-user mapping

To load the 1M users:

https://github.com/apache/directory-fortress-core/blob/master/src/test/java/org/apache/directory/fortress/core/samples/LoadTestUserSample.java

This class is still a little rough around the edges and needs some work, but if you want to try it let me know and we'll get it cleaned up.

Thanks,
Shawn
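The asymmetry Shawn describes (a constant-size add per user versus a role entry whose occupant list grows with the whole population) is easy to see in the LDIF such a load would produce. The script below is an added illustration, not code from the thread or from the Fortress project; it generates a bulk load for N users with K roles each and a `role_occupants` switch that mirrors the proposed `role.occupants` option. The attribute and object class names (`ftUserAttrs`, `ftRA` on the user, `roleOccupant` on the role, the `ou=Roles,ou=RBAC` container) and the `dc=example,dc=com` suffix are assumptions for the example, not taken from the message.

```python
"""Generate LDIF for a bulk user/role load and report how entry sizes scale.

Assumed schema (not from the thread): users are inetOrgPerson + ftUserAttrs
with one ftRA value per assigned role; roles live under ou=Roles,ou=RBAC and
carry reverse membership as roleOccupant values.
"""
from collections import defaultdict

BASE_DN = "dc=example,dc=com"                # constructed sample suffix
PEOPLE_DN = f"ou=People,{BASE_DN}"           # the ou=people from the thread
ROLES_DN = f"ou=Roles,ou=RBAC,{BASE_DN}"     # assumed Fortress role container


def user_add_record(uid, roles):
    """LDIF 'add' for one user. Role assignments ride on the user entry, so
    this record has a fixed size regardless of how many users exist."""
    lines = [
        f"dn: uid={uid},{PEOPLE_DN}",
        "changetype: add",
        "objectClass: inetOrgPerson",
        "objectClass: ftUserAttrs",      # assumed Fortress auxiliary class
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
    ]
    lines += [f"ftRA: {r}" for r in roles]   # assumed role-assignment attr
    return "\n".join(lines) + "\n"


def role_modify_record(role, uids):
    """LDIF 'modify' appending every occupant to the role entry (the reverse
    mapping). This is the record whose value count grows with the population,
    which is where the edit-time degradation the thread mentions comes from."""
    lines = [
        f"dn: cn={role},{ROLES_DN}",
        "changetype: modify",
        "add: roleOccupant",
    ]
    lines += [f"roleOccupant: uid={u},{PEOPLE_DN}" for u in uids]
    lines.append("-")
    return "\n".join(lines) + "\n"


def assign_roles(i, roles_per_user, role_names):
    """Deterministic round-robin so the load spreads evenly across roles."""
    n = len(role_names)
    return [role_names[(i + j) % n] for j in range(roles_per_user)]


def generate(n_users, roles_per_user, role_names, role_occupants=True):
    """Return (ldif_text, stats). With role_occupants=False no role entries are
    touched at all, mirroring the proposed role.occupants=false switch."""
    records = []
    occupants = defaultdict(list)
    for i in range(n_users):
        uid = f"loadtest{i:07d}"
        roles = assign_roles(i, roles_per_user, role_names)
        records.append(user_add_record(uid, roles))
        for r in roles:
            occupants[r].append(uid)

    role_modifies = 0
    if role_occupants:
        for r in role_names:
            if occupants[r]:
                records.append(role_modify_record(r, occupants[r]))
                role_modifies += 1

    stats = {
        "user_adds": n_users,
        "values_per_user": roles_per_user,            # constant per user
        "role_modifies": role_modifies,
        # largest single role entry touched; grows linearly with n_users
        "max_role_values": (max((len(v) for v in occupants.values()), default=0)
                            if role_occupants else 0),
    }
    return "\n".join(records), stats


if __name__ == "__main__":
    roles = [f"role{i}" for i in range(20)]
    for n in (1_000, 10_000):
        _, stats = generate(n, 10, roles, role_occupants=True)
        print(n, "users, occupants on:", stats)
    _, stats = generate(10_000, 10, roles, role_occupants=False)
    print("occupants off:", stats)
```

Running it shows `values_per_user` staying at 10 while `max_role_values` scales with the user count when the reverse mapping is on, and dropping to zero role edits when it is off; feeding the generated text to `ldapadd` against a test directory would reproduce the same shape of load at whatever size you want to try.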
