Best Practice

Best practice for managing groups in DS/OpenDJ (All versions)

Last updated Dec 5, 2018

The purpose of this article is to provide best practice advice on managing groups in DS/OpenDJ.


Overview

DS/OpenDJ utilizes three different types of groups to help manage data:

  • Static Groups: these groups have a list of members.
  • Dynamic Groups: these groups look up membership based on an LDAP filter.
  • Virtual Static Groups: these groups use dynamic group style definition but allow applications to list group members as if they were static.

See Developer's Guide › Working With Groups of Entries for more detail on how to create/manage each type of group.

Managing groups

When deciding how to architect groups for your organization, it is important to note there are some performance implications with:

  • Large numbers of groups.
  • Large numbers of entries in a static group.

Large numbers of groups

When you do a search that returns the isMemberOf attribute, the server has to scan every group. If you have 10,000+ groups, this can be quite an expensive operation.

Note

Using isMemberOf as a search filter will not have this performance impact as it is searching the group you specify for members.

Large numbers of entries in a static group

When you do a replace modification on a static group, the server has to read/edit all members. If you have 30,000+ members in a static group, this can be quite an expensive operation.

Mitigation

You can use the following methods to mitigate these performance impacts: 

  • Use indexed searches for (member=...). Indexes are very efficient, although this will not find members of nested groups. 
  • Implement entry caches for large static groups; this will put the entries into memory so read operations will be much quicker. See Administration Guide › Caching Large, Frequently Used Entries for further information. Caching small groups is a waste of memory as the memory devoted to the entry cache is not available for other purposes.
  • Consider using modify-add operations instead of modify-replace operations. See Developer's Guide › Modify: Adding Attributes for further information.
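
To illustrate the modify-add advice in the last bullet, this added example (not from ForgeRock's documentation) computes the difference between a static group's current and desired membership and renders it as an LDIF modify record with add and delete operations, so only the changed values are sent rather than the full member list. The group DN, member DNs and function names are constructed for illustration; DNs are assumed to be LDIF-safe ASCII and are compared with a simplified case-insensitive rule.

```python
"""Build an LDIF add/delete delta for a static group instead of a full replace."""

def _key(dn):
    # Simplified DN comparison key (assumption): case-insensitive, ignoring
    # spaces around RDN separators. Real DN matching has more rules.
    return ",".join(part.strip().lower() for part in dn.split(","))

def member_delta(current, desired):
    """Return (to_add, to_delete) lists of DNs, preserving input order."""
    cur = {_key(dn): dn for dn in current}
    des = {_key(dn): dn for dn in desired}
    to_add = [dn for k, dn in des.items() if k not in cur]
    to_delete = [dn for k, dn in cur.items() if k not in des]
    return to_add, to_delete

def delta_ldif(group_dn, current, desired, attr="member"):
    """Render one LDIF modify record using add/delete, or '' if nothing changed.

    Use attr="uniqueMember" for groupOfUniqueNames entries.
    Values are assumed LDIF-safe ASCII (no base64 encoding is applied).
    """
    to_add, to_delete = member_delta(current, desired)
    lines = []
    for op, dns in (("add", to_add), ("delete", to_delete)):
        if dns:
            lines.append(f"{op}: {attr}")
            lines.extend(f"{attr}: {dn}" for dn in dns)
            lines.append("-")  # each modification in the record ends with "-"
    if not lines:
        return ""
    return "\n".join([f"dn: {group_dn}", "changetype: modify"] + lines) + "\n"

# Constructed sample data: a 30,000-member group where one member leaves
# and one joins. A modify-replace would resend all 30,000 values.
GROUP = "cn=staff,ou=groups,dc=example,dc=com"
CURRENT = [f"uid=user.{i},ou=people,dc=example,dc=com" for i in range(30000)]
DESIRED = CURRENT[1:] + ["uid=user.30000,ou=people,dc=example,dc=com"]

if __name__ == "__main__":
    # Prints a record with two member values; feed it to ldapmodify.
    print(delta_ldif(GROUP, CURRENT, DESIRED), end="")
```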

You should ensure you fully test performance using the addrate, authrate, modrate, searchrate tools described in the Administration Guide › Testing Performance.

See Also

FAQ: General DS/OpenDJ

How do I know what index types are needed for search filters in DS/OpenDJ (All versions)?

How do I troubleshoot issues with my indexes in DS/OpenDJ (All versions)?

How do I use the Support Extract tool in DS 5.x, 6 and OpenDJ 3.x to capture troubleshooting data?

How do I tune DS/OpenDJ (All versions) process sizes: JVM heap and database cache?

Performance tuning and monitoring ForgeRock products

Installing and Administering DS/OpenDJ

Administration Guide › Indexing Attribute Values

Configuration Reference › Entry Cache

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks: Copyright © 2018 ForgeRock, all rights reserved.