DS utilizes three different types of groups to help manage data:
- Static Groups: these groups have a list of members.
- Dynamic Groups: these groups look up membership based on an LDAP filter.
- Virtual Static Groups: these groups use dynamic group style definition but allow applications to list group members as if they were static.
See Configuration Guide › Groups for more detail on how to create/manage each type of group.
When deciding how to architect groups for your organization, it is important to note there are some performance implications with:
- Large numbers of groups.
- Large numbers of entries in a static group.
Large numbers of groups
When you do a search that returns the isMemberOf attribute, it has to scan every group. If you have 10,000+ groups, this can be quite an expensive operation.
Using isMemberOf as a search filter will not have this performance impact as it is searching the group you specify for members.
Large numbers of entries in a static group
When you do a replace modification on a static group, it has to read/edit all members. if you have 30,000 + members in a static group, this can be quite an expensive operation.
You can use the following methods to mitigate these performance impacts:
- Use indexed searches for (member=...). Indexes are very efficient, although this will not find members of nested groups.
- Implement entry caches for large static groups; this will put the entries into memory so read operations will be much quicker. See Maintenance Guide › Cache for Large Groups for further information. Caching small groups is a waste of memory as the memory devoted to the entry cache is not available for other purposes.
- Consider using modify-add operations instead of modify-replace operations. See LDAP User Guide › Add Attributes for further information.
You should ensure you fully test performance using the addrate, authrate, modrate, searchrate tools described in the Maintenance Guide › Performance Tuning.
Related Issue Tracker IDs