DS utilizes three different types of groups to help manage data:
- Static Groups: these groups have a list of members.
- Dynamic Groups: these groups look up membership based on an LDAP filter.
- Virtual Static Groups: these groups use dynamic group style definition but allow applications to list group members as if they were static.
See Groups for more detail on how to create/manage each type of group.
When deciding how to architect groups for your organization, it is important to note there are some performance implications with:
- Large numbers of groups.
- Large numbers of entries in a static group.
Large numbers of groups
When you do a search that returns the isMemberOf attribute, it has to scan every group. If you have 10,000+ groups, this can be quite an expensive operation.
Using isMemberOf as a search filter will not have this performance impact as it is searching the group you specify for members.
Large numbers of entries in a static group
When you do a replace modification on a static group, it has to read/edit all members. if you have 30,000 + members in a static group, this can be quite an expensive operation.
You can use the following methods to mitigate these performance impacts:
- Use indexed searches for (member=...). Indexes are very efficient, although this will not find members of nested groups.
- Implement entry caches for large static groups; this will put the entries into memory so read operations will be much quicker. See Cache for Large Groups for further information. Caching small groups is a waste of memory as the memory devoted to the entry cache is not available for other purposes.
- Consider using modify-add operations instead of modify-replace operations. See Add Attributes for further information.
You should ensure you fully test performance using the addrate, authrate, modrate, searchrate tools described in the Performance Tuning.
Related Issue Tracker IDs