Re: ADAM schema design
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 21 Sep 2007 10:33:04 -0500
First, let me explain range retrieval.
In AD or ADAM, the directory service will limit the number of attribute
values returned by default in a multivalued attribute. If a multivalued
attribute has more than 1500 values, the DS will only return the first 1500.
Thus, if you had a group with a member attribute that contains 200K values
and did a base search on the object to read the member attribute, you won't
get a member attribute with 200K values, you'll get the first 1500 by
default. If you want to get the rest, there is a special syntax for the
attribute name used to request "ranges" of the value. It looks like
"member;x-y" or "member;x-*" where X is the start range and y is the end.
You can specify * for the end range value as well and the maximum number of
values allowed by the policy will be returned.
As such, you may need to do many many searches to read the group membership
of a group that contains a lot of values.
Regarding your questions on performance, I have no idea how the directory
will perform if you are talking about putting millions of objects in a
group. My understanding is that there is no actual limit to the number of
values allowed in a linked attribute anymore (there uses to be, but now
there isn't). However, from a practical standpoint I've never heard of
anyone scaling group membership this big. I highly recommend you set up
some real world tests where you try it out and see.
Theoretically, memberOf should continue to perform just fine. If individual
objects are not members of thousands of groups, then you won't have to worry
about range retrieval for them. If you aren't worried about nesting, then
memberOf will work just fine by itself.
As to whether operations like Compare and modify operations like Add and
Delete will perform ok with millions of attribute values, I have no idea. I
have a feeling like you won't like the results (the reason I recommended
considering a query-based approach for group membership if possible), but
I've never heard of anyone actually doing this so I really don't know what
to expect either way.
Good luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Amol" <amol4321@xxxxxxxxx> wrote in message
news:1190351786.636228.145580@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks for your response... but on your last point of using range
retrival techniques for groups with 1500+ users - I'm not sure I quite
followed you, so pls bear with me here -
As I mentioned earlier, I can understand the impact while trying to
retrieve the list members of this large group or lookup within a grp.
but -
1. Do you think having large # of users in a group may affect the real-
time appl calls for user's group membership info? based on the
memberOf attr of user obj.
2. So do you think that during the administrative fucntions like
assign grp membership (add user to group as member) would get the
performance hit?
Thanks,
Amol
On Sep 20, 11:27 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I've never played with groupOfNames, but I thought I'd point out that
ADAM
groups are not Windows security principals and have no effect on Windows
security at all. They are security principals in ADAM only (so they can
be
used in ADAM ACLs and it will understand them).
One possible advantage of using group instead of groupOfNames is that you
might be able to get nested group membership via tokenGroups. I'm not
sure
if groupOfNames supports that. If group membership will be nested, that
is
a handy convenience feature as you would not have to recursively expand
through memberOf (ADAM will basically do it for you).
I'm not sure if putting millions of users in a group will work. I've
never
heard of anyone trying to do that at that scale. I think you might be
better off building some sort of query-based group management function
where
you set attributes on the user to indicate their group memberships and
determine membership dynamically (like the feature provided by the MS
AzMan
framework). However, you could certainly try it and see.
Note that if you have more than 1500 members in a group, you'll need to
use
range retrieval techniques to expand the membership (reading member on
the
group object) if you ever need to do that.
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"http://www.directoryprogramming.net
--<amol4...@xxxxxxxxx> wrote in message
news:1190301118.076596.311360@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm really impressed to see the discussions on group / groupOfNames /
groupOfUniqueNames on this forum.
This is my first post in here and would really appretiate if you could
respond to it with your guidance.
We need to use ADAM as the WMM store for WebSphere Portal Server 6.0
which would essentially use ADAM for user authorization based on the
group memberships. we have decided to use "groupOfNames" as we purely
want to use these objects as application/functional groups and not
windows sec principles.
I'm looking your guidance on the following scenario:
Where we are expected to have million+ users in a single group; which
means the million DN entries in "member" attribute of group object
- Firstly how is it going to affect the user authorization calls made
from portal to ADAM? (I believe, it should not as it should ideally
lookup for user object and return the "memberOf" list back to the
portal") but I would appritiate your thought on this.
- Secondly, how does this impact the group management functions where
I need to add / delete any users from this large group?
Amol.- Hide quoted text -
- Show quoted text -
.
- Follow-Ups:
- Re: ADAM schema design
- From: Dmitri Gavrilov [MSFT]
- Re: ADAM schema design
- References:
- ADAM schema design
- From: amol4321
- Re: ADAM schema design
- From: Joe Kaplan
- Re: ADAM schema design
- From: Amol
- ADAM schema design
- Prev by Date: Re: remove deny permissions
- Next by Date: Re: Windows 2003 print server help
- Previous by thread: Re: ADAM schema design
- Next by thread: Re: ADAM schema design
- Index(es):
Relevant Pages
|
