From: "Douglas B. Jones" <[EMAIL PROTECTED]>
Date: Wed, 24 Jan 2007 15:34:33 -0500
I am posting this to the UMICH ldap list, for I think this is a more general list vs. posting it to the openldap list. Apologies if I am posting this to the wrong list.

I am looking into whether it is better to use an attribute or a group (groupofuniqnames) for maintaining a list of people in a certain group. If I have a group, say projectaccess, and I want to put maybe 2000 users in that group, would it be better to have

    dn:uid=userA,dc=xyz,dc=com
    cn:UserA Doe
    ...
    projectaccess=1

    dn:uid=userB,dc=xyz,dc=com
    cn:UserB Smith
    ...
    projectaccess=1

    dn:uid=userC,dc=xyz,dc=com
    cn:UserC Jones
    ...
    projectaccess=0

Or:

    ou=Groups,dc=xyz,dc=com
    ou: Groups
    objectClass: organizationalUnit

    dn:cn=projectaccess,dc=xyz,dc=com
    objectClass:groupofUniqnames
    objectClass:posixGroup
    uid=userA,dc=xyz,dc=com
    uid=userB,dc=xyz,dc=com
    cn:projectaccess
What are the pros/cons of the two ways listed above from the point of ldap (we use openldap) handling them to looking at it pragmatically (programming code)? Thanks!
Your question isn't clearly stated but I think you're asking about the pros and cons of static groups (where all of the members of a group are explicitly listed in a group entry) vs dynamic groups (where the membership in a group is determined by particular attributes of each member entry).
In the specific case of OpenLDAP access controls, there's not much difference; both are cached the same, so ultimately they have the same performance.
In the general case, it depends on how your applications will be using them. If they regularly need to retrieve the entire member list, it may be more efficient to use a static group. If getting the entire member list is an infrequent requirement, and you're more often only going to be doing a compare operation to check if a particular ID is a member of the group, then a dynamic group may be better. As the number of members increases, the single-member comparison for a static group gets more expensive, while for a dynamic group it's always a constant cost. The converse is also true - as the number of members increases, getting the complete member list gets more expensive for a dynamic group, whereas for a static group the cost is a constant.
--
Howard Chu
Chief Architect, Symas Corp.  http://www.symas.com
Director, Highland Sun        http://highlandsun.com/hyc
OpenLDAP Core Team            http://www.openldap.org/project/
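
The cost trade-off described in the reply above, as a toy in-memory model added here; it is not part of the original thread and not OpenLDAP's implementation. The function names, step counts and sample entries are constructed for illustration, `uniqueMember` is assumed as the group's member attribute, and no indexing or caching is modelled.

```python
# Toy model of the two layouts from the question. All entries are constructed.
BASE = "dc=xyz,dc=com"

def build_directory(n_users, member_every=2):
    """Store the same membership both ways: per-user attribute and group entry."""
    users, members = {}, []
    for i in range(n_users):
        dn = f"uid=user{i},{BASE}"
        is_member = i % member_every == 0
        users[dn] = {"projectaccess": ["1" if is_member else "0"]}
        if is_member:
            members.append(dn)
    group = {"dn": f"cn=projectaccess,ou=Groups,{BASE}", "uniqueMember": members}
    return users, group

def compare_static(group, user_dn):
    """Membership test against the group entry: scan its member values."""
    steps = 0
    for value in group["uniqueMember"]:
        steps += 1
        if value == user_dn:  # exact match; real servers normalize DNs first
            return True, steps
    return False, steps

def compare_attribute(users, user_dn):
    """Membership test against the user's own entry: one value checked."""
    entry = users.get(user_dn)
    # Fail closed: an unknown user or a missing attribute means no access.
    allowed = entry is not None and entry.get("projectaccess") == ["1"]
    return allowed, 1

def list_static(group):
    """Full member list: read the single group entry."""
    return list(group["uniqueMember"]), 1

def list_attribute(users):
    """Full member list: visit every user entry."""
    found = [dn for dn, e in users.items() if e.get("projectaccess") == ["1"]]
    return found, len(users)

if __name__ == "__main__":
    users, group = build_directory(2000)
    last = f"uid=user1998,{BASE}"
    print("static compare   :", compare_static(group, last))
    print("attribute compare:", compare_attribute(users, last))
    print("static list cost :", list_static(group)[1])
    print("attribute list   :", list_attribute(users)[1])
```
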
