Best practice for managing groups in DS/OpenDJ (All versions)
The purpose of this article is to provide best practice advice on managing groups in DS/OpenDJ.
Overview
DS/OpenDJ utilizes three different types of groups to help manage data:
- Static Groups: these groups have a list of members.
- Dynamic Groups: these groups look up membership based on an LDAP filter.
- Virtual Static Groups: these groups use dynamic group style definition but allow applications to list group members as if they were static.
See Developer's Guide › Working With Groups of Entries for more detail on how to create/manage each type of group.
Managing groups
When deciding how to architect groups for your organization, it is important to note there are some performance implications with:
- Large numbers of groups.
- Large numbers of entries in a static group.
Large numbers of groups
When you do a search that returns the isMemberOf attribute, it has to scan every group. If you have 10,000+ groups, this can be quite an expensive operation.
Note
Using isMemberOf as a search filter will not have this performance impact as it is searching the group you specify for members.
Large numbers of entries in a static group
When you do a replace modification on a static group, it has to read/edit all members. if you have 30,000 + members in a static group, this can be quite an expensive operation.
Mitigation
You can use the following methods to mitigate these performance impacts:
- Use indexed searches for (member=...). Indexes are very efficient, although this will not find members of nested groups.
- Implement entry caches for large static groups; this will put the entries into memory so read operations will be much quicker. See Administration Guide › Caching Large, Frequently Used Entries for further information. Caching small groups is a waste of memory as the memory devoted to the entry cache is not available for other purposes.
- Consider using modify-add operations instead of modify-replace operations. See Developer's Guide › Modify: Adding Attributes for further information.
You should ensure you fully test performance using the addrate, authrate, modrate, searchrate tools described in the Administration Guide › Testing Performance.
See Also
How do I know what index types are needed for search filters in DS/OpenDJ (All versions)?
How do I troubleshoot issues with my indexes in DS/OpenDJ (All versions)?
How do I use the Support Extract tool in DS 5.x, 6 and OpenDJ 3.x to capture troubleshooting data?
How do I tune DS/OpenDJ (All versions) process sizes: JVM heap and database cache?
Performance tuning and monitoring ForgeRock products
Installing and Administering DS/OpenDJ
Related Training
N/A
Related Issue Tracker IDs
N/A