
OUD - User and Group Mapping - Performance Impact

MaheOra Oct 10 2017 — edited Oct 30 2017

Hi,

In Oracle Unified Directory (ver 11.1.2.3), the user-group structure looks like the one shown below:

<base-DN>
|__ou=people (1 million users grouped under departments)
     |__cn=testuser1
     |__cn=testuser2
     ....
|__ou=groups (200 groups)
     |__cn=group-1
     |__cn=group-2
     ....

All the groups are considered "Static Groups". The group membership is managed by a Java application.

Some groups may have 1 million user membership.

The Java applications deployed in WebLogic (ver 12.1.3) are configured with "Declarative Security".

From the WebLogic admin console, the OUD instance is connected as an "Authentication Provider" and is used for user authentication and authorization.

After successful user authentication, WebLogic has to build the logged-in user's subject and the list of principals (the CNs of the groups of which the current user is a member).

Question:

  1. Does the authorization process have to traverse all the available groups (some may have 1 million members) to identify the list of groups of which the user is a member?
  2. Will the group membership of the current user be retrieved based on the attribute "isMemberOf" in the user entry? In that case, does identifying the current user's membership still involve traversing all the groups (with 1 million user memberships)?
  3. Will there be any performance impact, if we have 1 million user memberships in a single static group in OUD, during the WebLogic user authentication and authorization process?
  4. Is there any solution (other than adding sufficient indexes) to resolve such a performance issue?

Thanks,

Mahe

This post has been answered by handat on Oct 29 2017

Comments

handat

The question is, what is the filter you have specified in the weblogic authenticator to search for the groups? How are your groups defined? Are they really static groups or actually dynamic groups? What is the objectclass you are using for your groups? Have you considered caching the group results in weblogic or in OUD?

MaheOra

Hi @handat,

Please refer below for the answers to your questions:

  • what is the filter you have specified in the weblogic authenticator to search for the groups?
    • Group from Name filter: (|(&(cn=%g)(objectclass=groupOfUniqueNames))(&(cn=%g)(objectclass=groupOfURLs)))
  • How are your groups defined? Are they really static groups or actually dynamic groups?
    • Static groups. The user-group membership is programmatically added/removed from the Java application
  • What is the objectclass you are using for your groups?
    • groupOfUniqueNames
  • Have you considered caching the group results in weblogic or in OUD?
    • No

Thanks,

Mahe

MaheOra

Hi @handat,

Can you please provide your thoughts on this discussion?

Thanks,

Mahe

handat
Answer

With the latest improvement in PS3, this should not be a problem as it is supposed to be able to handle this. You should read the following article http://www.ateam-oracle.com/oud-11gr2ps3-very-large-static-groups/ about large static groups. However, you might want to enable group caching in the provider if it fits your use case.

Marked as Answer by MaheOra · Sep 27 2020
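As an added illustration (not from the thread, Oracle or WebLogic), here is a small Python model of the layout the question describes: groupOfUniqueNames entries whose uniqueMember values point at user entries. It contrasts the per-login group traversal the poster worries about in question 1 with a reverse index of the kind the isMemberOf attribute from question 2 exposes; the DNs, the dc=example,dc=com base and the group contents are constructed sample data.

```python
from collections import defaultdict
# Constructed LDIF-style sample of the thread's layout; DNs are placeholders.
SAMPLE_LDIF = """\
dn: cn=group-1,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=testuser1,ou=people,dc=example,dc=com
uniqueMember: cn=testuser2,ou=people,dc=example,dc=com

dn: cn=group-2,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=testuser2,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse minimal LDIF (blank-line separated entries) into {dn: {attr_lower: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attrs[attr.lower()].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def groups_by_scan(entries, user_dn):
    """Question 1: visit every groupOfUniqueNames entry and compare its members.
    Returns (sorted group DNs, member values compared); work grows with total memberships."""
    hits, compared = [], 0
    for dn, attrs in entries.items():
        if "groupofuniquenames" in [c.lower() for c in attrs["objectclass"]]:
            for member in attrs["uniquemember"]:
                compared += 1
                if member.lower() == user_dn.lower():
                    hits.append(dn)
                    break
    return sorted(hits), compared

def build_member_index(entries):
    """Reverse index user DN -> group DNs, the relation isMemberOf exposes per
    user entry (question 2); rebuilt when membership changes, not at each login."""
    index = defaultdict(list)
    for dn, attrs in entries.items():
        for member in attrs["uniquemember"]:
            index[member.lower()].append(dn)
    return index

def groups_by_index(index, user_dn):
    """One lookup per login, independent of how large any single group is."""
    return sorted(index.get(user_dn.lower(), []))
```

The `compared` counter returned by groups_by_scan is what a 1-million-member group inflates at every login; the indexed lookup does the same work once, when membership changes.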