Discussions
Categories
- 17.9K All Categories
- 3.4K Industry Applications
- 3.4K Intelligent Advisor
- 73 Insurance
- 537.3K On-Premises Infrastructure
- 138.6K Analytics Software
- 38.6K Application Development Software
- 6K Cloud Platform
- 109.6K Database Software
- 17.6K Enterprise Manager
- 8.8K Hardware
- 71.2K Infrastructure Software
- 105.3K Integration
- 41.6K Security Software
OUD - User and Group Mapping - Performance Impact
Hi,
In Oracle Unified Directory (ver 11.1.2.3), the user - group structure will look like as shown below:
<base-DN>|__ou=people (1 million users grouped under departments) |__cn=testuser1 |__cn=testuser2........|__ou=groups (200 groups) |__cn=group-1 |__cn=group-2........
All the groups are considered as "Static Groups". The group membership is managed by Java application.
Some groups may have 1 million user membership.
The Java applications deployed in WebLogic (ver 12.1.3) are configured with "Declarative Security".
From WebLogic admin console, OUD instance will be connected for "Authentication Provider" and is used for user authentication and authorization.
After successful user authentication, WebLogic has to build the logged-in user's subject and the list of principals (group CNs in which the current user is a member of).
Question:
- Whether the authorization process has to traverse all the available groups (some may have 1 million membership) to identify the list of groups in which the user is a member of?
- Whether the group membership of the current user will be retrieved based on the attribute "isMemberOf" in user entry? In such case, whether traversing through all the groups (with 1 million user membership) to identify the current user's membership?
- Will there be any performance impact, if we have 1 million user membership in a single static group in OUD, during WebLogic user authentication and authorization process?
- Is there any solution (other than adding sufficient indexes) to resolve such performance issue?
Thanks,
Mahe
Best Answer
-
With the latest improvement in PS3, this should not be a problem as it is supposed to be able to handle this. You should read the following article http://www.ateam-oracle.com/oud-11gr2ps3-very-large-static-groups/ about large static groups. However, you might want to enable group caching in the provider if it fits your use case.
Answers
-
The question is, what is the filter you have specified in the weblogic authenticator to search for the groups? How are your groups defined? Are they really static groups or actually dynamic groups? What is the objectclass you are using for your groups? Have you considered caching the group results in weblogic or in OUD?
-
Hi @handat,
Please refer below for the answers to your questions:
- what is the filter you have specified in the weblogic authenticator to search for the groups?
- Group from Name filter: (|(&(cn=%g)(objectclass=groupOfUniqueNames))(&(cn=%g)(objectclass=groupOfURLs))
- How are your groups defined? Are they really static groups or actually dynamic groups?
- Static groups. The user-group membership is programmatically added/removed from Java application
- What is the objectclass you are using for your groups?
- groupOfUniqueNames
- Have you considered caching the group results in weblogic or in OUD?
- No
Thanks,
Mahe
- what is the filter you have specified in the weblogic authenticator to search for the groups?
-
-
With the latest improvement in PS3, this should not be a problem as it is supposed to be able to handle this. You should read the following article http://www.ateam-oracle.com/oud-11gr2ps3-very-large-static-groups/ about large static groups. However, you might want to enable group caching in the provider if it fits your use case.