Re: ADAM schema design
- From: Amol <amol4321@xxxxxxxxx>
- Date: Thu, 20 Sep 2007 22:16:26 -0700
Thanks for your response... but on your last point of using range
retrieval techniques for groups with 1500+ users - I'm not sure I quite
followed you, so pls bear with me here -
As I mentioned earlier, I can understand the impact while trying to
retrieve the list members of this large group or lookup within a grp.
but -
1. Do you think having large # of users in a group may affect the real-
time appl calls for user's group membership info? based on the
memberOf attr of user obj.
2. So do you think that during the administrative functions like
assign grp membership (add user to group as member) would get the
performance hit?
Thanks,
Amol
On Sep 20, 11:27 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I've never played with groupOfNames, but I thought I'd point out that ADAM
groups are not Windows security principals and have no effect on Windows
security at all. They are security principals in ADAM only (so they can be
used in ADAM ACLs and it will understand them).
One possible advantage of using group instead of groupOfNames is that you
might be able to get nested group membership via tokenGroups. I'm not sure
if groupOfNames supports that. If group membership will be nested, that is
a handy convenience feature as you would not have to recursively expand
through memberOf (ADAM will basically do it for you).
I'm not sure if putting millions of users in a group will work. I've never
heard of anyone trying to do that at that scale. I think you might be
better off building some sort of query-based group management function where
you set attributes on the user to indicate their group memberships and
determine membership dynamically (like the feature provided by the MS AzMan
framework). However, you could certainly try it and see.
Note that if you have more than 1500 members in a group, you'll need to use
range retrieval techniques to expand the membership (reading member on the
group object) if you ever need to do that.
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
--
<amol4...@xxxxxxxxx> wrote in message
news:1190301118.076596.311360@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm really impressed to see the discussions on group / groupOfNames /
groupOfUniqueNames on this forum.
This is my first post in here and would really appreciate if you could
respond to it with your guidance.
We need to use ADAM as the WMM store for WebSphere Portal Server 6.0
which would essentially use ADAM for user authorization based on the
group memberships. We have decided to use "groupOfNames" as we purely
want to use these objects as application/functional groups and not
Windows sec principals.
I'm looking for your guidance on the following scenario:
Where we are expected to have million+ users in a single group; which
means the million DN entries in "member" attribute of group object
- Firstly how is it going to affect the user authorization calls made
from portal to ADAM? (I believe, it should not as it should ideally
lookup for user object and return the "memberOf" list back to the
portal) but I would appreciate your thought on this.
- Secondly, how does this impact the group management functions where
I need to add / delete any users from this large group?
Amol.
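The range retrieval mentioned in the quoted reply (reading `member` on a group with more than 1500 members), sketched as an added example that is not part of the original thread: the client asks for `member;range=N-*`, the server answers with an attribute named for the window it actually returned, and the client repeats from the next offset until the returned name ends in `*`. The `fetch` callback, the `make_fake_group` stand-in for the server and the DNs are assumptions constructed for illustration; the 1500 per-read limit is the figure from the thread.

```python
import re

RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)

def parse_range(desc):
    """Split 'member;range=0-1499' into ('member', 0, 1499); high is None for '*'."""
    m = RANGE_RE.match(desc)
    if not m:
        return None
    high = None if m["high"] == "*" else int(m["high"])
    return m["attr"], int(m["low"]), high

def read_all_values(fetch, attr="member"):
    """Collect every value of a multi-valued attribute using range retrieval.

    fetch(desc) is an assumed callback: it does a base-scope search on the group
    requesting only `desc` and returns {returned_attribute_name: [values]}.
    """
    values, low = [], 0
    while True:
        reply = fetch(f"{attr};range={low}-*")
        chunk = None
        for name, vals in reply.items():
            parsed = parse_range(name)
            if parsed and parsed[0].lower() == attr.lower() and parsed[1] == low:
                chunk = (parsed[2], vals)
        if chunk is None:
            raise LookupError(f"no ranged {attr} values returned from offset {low}")
        high, vals = chunk
        values.extend(vals)
        if high is None:      # server answered 'range=low-*': this was the last window
            return values
        low = high + 1        # otherwise continue from the next offset

def make_fake_group(count, limit=1500):
    """Constructed stand-in for the server: at most `limit` values per read."""
    members = [f"CN=user{i},OU=People,O=example" for i in range(count)]
    def fetch(desc):
        attr, low, _ = parse_range(desc)
        window = members[low:low + limit]
        end = low + len(window)
        high = "*" if end >= len(members) else str(end - 1)
        return {f"{attr};range={low}-{high}": window}
    return fetch
```

With a real directory, `fetch` would wrap the LDAP client's search call; expanding a million-member group this way costs one round trip per 1500 values.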