On 12/22/2014 10:38 AM, Andrew Holway wrote:
So I am looking at ways of building a distributed user database for
millions of users (specifically 5 million at the moment) and I am
thinking that freeIPA might be a good thing to test for this kind of
use case. I would assume that at least a third of these users would
want to authenticate every day; however, updates of data held in the
database would probably be quite rare.
We need to have endpoints in a few regions and the Multi Master
Replication would take care of the back end problem for us quite well.
Does anyone have any data on using freeIPA for this kind of thing?
What would be the caveats?
LDAP will be able to handle this amount of data; however, there are
several recommendations other than what you can find here:
1. User account creation and modification.
If users are enrolled automatically and are expected to operate right
away after the account is created, you need to make sure you understand
the latency of the LDAP replication.
Think about keeping affinity to a single server for the first user
session. For modifications, also consider keeping affinity to a separate
server and not allowing modifications to random replicas.
This approach will prevent random failures and negative user experience
due to replication latency.
It is not an IPA recommendation BTW but rather a general LDAP related
2. Make sure you have enough replicas but not too many. You would need
to test your environment depending on the number of data centers across
the globe and how users are distributed around the world.
Seems like a big project for some kind of online community. Any chance
you can share more details?
We would not be surprised if there would be issues as you ramp up the
To address environments like this we plan to change LDAP DB from BDB to
MDB some time next year.
I suspect that as you grow your environment over time you should
consider upgrading to the version that would implement this change.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
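
An added illustration of the affinity advice in the reply above (not code from the thread or from FreeIPA): a toy model of replication lag in which a first login sent to a random replica can fail, while pinning a new account to the server that took the write avoids it. The replica names, the lag and the tick clock are constructed assumptions.

```python
import random

class Topology:
    """Toy multi-master topology: a write lands on one replica at once and
    reaches the others `lag` ticks later (constructed model, not IPA code)."""
    def __init__(self, names, lag):
        self.entries = {n: {} for n in names}   # replica -> {uid: secret}
        self.pending = []                       # (due_tick, replica, uid, secret)
        self.lag, self.now = lag, 0

    def write(self, server, uid, secret):
        self.entries[server][uid] = secret
        self.pending += [(self.now + self.lag, n, uid, secret)
                         for n in self.entries if n != server]

    def tick(self, n=1):
        self.now += n
        for _, name, uid, secret in [p for p in self.pending if p[0] <= self.now]:
            self.entries[name][uid] = secret
        self.pending = [p for p in self.pending if p[0] > self.now]

    def bind(self, server, uid, secret):
        # Stand-in for an LDAP bind: succeeds only if this replica has the entry.
        return self.entries[server].get(uid) == secret

class AffinityRouter:
    """Sends account creation to one designated server and keeps a new
    account's binds there until the pin window (>= replication lag) expires."""
    def __init__(self, topo, write_server, pin_ticks):
        self.topo, self.write_server, self.pin_ticks = topo, write_server, pin_ticks
        self.pinned_until = {}                  # uid -> tick when the pin ends

    def create_user(self, uid, secret):
        self.topo.write(self.write_server, uid, secret)
        self.pinned_until[uid] = self.topo.now + self.pin_ticks

    def login(self, uid, secret, rng):
        pinned = self.topo.now < self.pinned_until.get(uid, 0)
        server = self.write_server if pinned else rng.choice(sorted(self.topo.entries))
        return self.topo.bind(server, uid, secret)

def first_login_failures(pin_ticks, trials=200, seed=1):
    """Count first logins that fail when made right after enrollment."""
    rng = random.Random(seed)
    topo = Topology(["ipa-eu", "ipa-us", "ipa-ap"], lag=3)  # hypothetical names
    router = AffinityRouter(topo, "ipa-eu", pin_ticks)
    failures = 0
    for i in range(trials):
        router.create_user(f"user{i}", "s3cret")
        failures += not router.login(f"user{i}", "s3cret", rng)
        topo.tick()
    return failures
```

Calling `first_login_failures(0)` routes every first login to a random replica; `first_login_failures(3)` pins it for the length of the modelled lag.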