OUD - User and Group Mapping - Performance Impact

Hi,

In Oracle Unified Directory (ver 11.1.2.3), the user - group structure will look as shown below:

<base-DN>
|__ou=people (1 million users grouped under departments)
     |__cn=testuser1
     |__cn=testuser2
     ........
|__ou=groups (200 groups)
     |__cn=group-1
     |__cn=group-2
     ........

All the groups are considered as "Static Groups". The group membership is managed by a Java application.

Some groups may have 1 million user membership.

The Java applications deployed in WebLogic (ver 12.1.3) are configured with "Declarative Security".

From WebLogic admin console, OUD instance will be connected for "Authentication Provider" and is used for user authentication and authorization.

After successful user authentication, WebLogic has to build the logged-in user's subject and the list of principals (CNs of the groups of which the current user is a member).

Question:

  1. Does the authorization process have to traverse all the available groups (some may have 1 million membership) to identify the list of groups of which the user is a member?
  2. Will the group membership of the current user be retrieved based on the attribute "isMemberOf" in the user entry? In that case, will it traverse all the groups (with 1 million user membership) to identify the current user's membership?
  3. Will there be any performance impact, if we have 1 million user membership in a single static group in OUD, during WebLogic user authentication and authorization process?
  4. Is there any solution (other than adding sufficient indexes) to resolve such performance issue?

Thanks,

Mahe

Answers

  • handat
    handat Member Posts: 4,688 Gold Crown
    edited Oct 12, 2017 7:59AM

    The question is, what is the filter you have specified in the weblogic authenticator to search for the groups? How are your groups defined? Are they really static groups or actually dynamic groups? What is the objectclass you are using for your groups? Have you considered caching the group results in weblogic or in OUD?

  • MaheOra
    MaheOra Member Posts: 34
    edited Oct 27, 2017 2:34AM

    Hi @handat,

    Please refer below for the answers to your questions:

    • what is the filter you have specified in the weblogic authenticator to search for the groups?
      • Group from Name filter: (|(&(cn=%g)(objectclass=groupOfUniqueNames))(&(cn=%g)(objectclass=groupOfURLs))
    • How are your groups defined? Are they really static groups or actually dynamic groups?
      • Static groups. The user-group membership is programmatically added/removed from Java application
    • What is the objectclass you are using for your groups?
      • groupOfUniqueNames
    • Have you considered caching the group results in weblogic or in OUD?
      • No

    Thanks,

    Mahe

  • MaheOra
    MaheOra Member Posts: 34
    edited Oct 27, 2017 2:35AM

    Hi @handat,

    Can you please provide your thoughts on this discussion?

    Thanks,

    Mahe

  • handat
    handat Member Posts: 4,688 Gold Crown
    edited Oct 29, 2017 7:19PM Answer ✓

    With the latest improvement in PS3, this should not be a problem as it is supposed to be able to handle this. You should read the following article http://www.ateam-oracle.com/oud-11gr2ps3-very-large-static-groups/ about large static groups. However, you might want to enable group caching in the provider if it fits your use case.

This discussion has been closed.