Hi,
In Oracle Unified Directory (ver 11.1.2.3), the user-group structure will look as shown below:
<base-DN>
|__ou=people (1 million users grouped under departments)
|    |__cn=testuser1
|    |__cn=testuser2
|    ....
|    ....
|__ou=groups (200 groups)
     |__cn=group-1
     |__cn=group-2
     ....
     ....
All the groups are considered "Static Groups". The group membership is managed by a Java application.
Some groups may have a membership of 1 million users.
The Java applications deployed in WebLogic (ver 12.1.3) are configured with "Declarative Security".
From the WebLogic admin console, the OUD instance will be connected as an "Authentication Provider" and used for user authentication and authorization.
After successful user authentication, WebLogic has to build the logged-in user's subject and the list of principals (CNs of the groups of which the current user is a member).
Questions:
- Does the authorization process have to traverse all the available groups (some may have 1 million members) to identify the list of groups of which the user is a member?
- Will the group membership of the current user be retrieved based on the attribute "isMemberOf" in the user entry? In that case, does it traverse through all the groups (with 1 million user members) to identify the current user's membership?
- Will there be any performance impact during the WebLogic user authentication and authorization process if we have 1 million user members in a single static group in OUD?
- Is there any solution (other than adding sufficient indexes) to resolve such a performance issue?
Thanks,
Mahe