Security Software

OUD - User and Group Mapping - Performance Impact

MaheOra, Oct 10 2017 — edited Oct 30 2017

Hi,

In Oracle Unified Directory (ver 11.1.2.3), the user-group structure will look as shown below:

<base-DN>
|__ou=people (1 million users grouped under departments)
     |__cn=testuser1
     |__cn=testuser2
     ....
     ....
|__ou=groups (200 groups)
     |__cn=group-1
     |__cn=group-2
     ....
     ....

All the groups are considered "Static Groups". The group membership is managed by a Java application.

Some groups may have a membership of 1 million users.

The Java applications deployed in WebLogic (ver 12.1.3) are configured with "Declarative Security".

From the WebLogic admin console, the OUD instance will be connected as the "Authentication Provider" and used for user authentication and authorization.

After successful user authentication, WebLogic has to build the logged-in user's subject and the list of principals (the CNs of the groups of which the current user is a member).

Questions:

  1. Does the authorization process have to traverse all the available groups (some may have 1 million members) to identify the list of groups of which the user is a member?
  2. Will the group membership of the current user be retrieved based on the "isMemberOf" attribute in the user entry? In such a case, will it traverse all the groups (with 1 million user memberships) to identify the current user's membership?
  3. Will there be any performance impact during the WebLogic user authentication and authorization process if we have 1 million user memberships in a single static group in OUD?
  4. Is there any solution (other than adding sufficient indexes) to resolve such a performance issue?

Thanks,

Mahe
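
The two lookup strategies that questions 1 and 2 contrast, as an added example (not part of the original post, and not OUD or WebLogic code): a small cost model over constructed data. `scan_groups` walks the member values of every static group, while `reverse_lookup` stands in for any server-maintained reverse mapping, such as an indexed member search or an `isMemberOf` read. The base DN `dc=example,dc=com`, the function names and the directory sizes are assumptions.

```python
"""Cost model on constructed data: resolving one user's static-group memberships."""

BASE = "dc=example,dc=com"  # assumed base DN, stands in for <base-DN>

def build_directory(n_users=2000, n_groups=20):
    """Constructed sample: group-g holds every user whose number is a multiple of g,
    so group-1 contains all users, like the largest groups in the post."""
    users = [f"cn=testuser{i},ou=people,{BASE}" for i in range(1, n_users + 1)]
    groups = {f"cn=group-{g},ou=groups,{BASE}": users[g - 1::g]
              for g in range(1, n_groups + 1)}
    return users, groups

def scan_groups(groups, user_dn):
    """Group-side traversal with no index: compare member values one by one.
    Returns (matching group DNs, number of DN comparisons)."""
    found, comparisons = [], 0
    for group_dn, members in groups.items():
        for member in members:
            comparisons += 1
            if member == user_dn:
                found.append(group_dn)
                break
    return found, comparisons

def build_reverse_map(groups):
    """Built once and kept current on membership writes: member DN -> group DNs."""
    reverse = {}
    for group_dn, members in groups.items():
        for member in members:
            reverse.setdefault(member, []).append(group_dn)
    return reverse

def reverse_lookup(reverse, user_dn):
    """User-side resolution: one keyed lookup, independent of group size."""
    return reverse.get(user_dn, []), 1

if __name__ == "__main__":
    users, groups = build_directory()
    user = users[11]  # cn=testuser12
    by_scan, scan_cost = scan_groups(groups, user)
    by_map, map_cost = reverse_lookup(build_reverse_map(groups), user)
    assert by_scan == by_map
    print(f"{len(by_scan)} groups; scan={scan_cost} comparisons, reverse map={map_cost} lookup")
```

In this model the scan cost grows with the total number of member values across all groups, while the reverse lookup stays constant; the price of the reverse map is paid on every membership write instead of at login.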

This post has been answered by handat on Oct 29 2017