Thank you Howard (and openldap core team) for this synthesis of the current and future state of dynamic membership devs.
Indeed, some of my customers were suffering from dynlist performances, and the decision was taken to go back to more static features (like memberOf).
For now I did not test nestgroup overlay, but I'll give a look for next installations. Do you have any idea in which version of OpenLDAP nestgroup will be officially released?
Regards, Le 26/02/2024 à 16:54, Howard Chu a écrit :
The recent work on expanding dynamic group functionality in the dynlist overlay seems to have been a bad idea. It makes an already fairly complex overlay even more complicated, and it puts a lot more work into the read side of operations, which adds up to quite noticeable slowdowns in search performance on deployments that make heavy use of dynamic groups with large memberships. It appears that in these situations, the approach used in the autogroup overlay (which has been in contrib since 2007) is better. It moves all of the membership management into the write side of operations, updating memberships whenever dynamic group definitions are modified, or when member entries are written/updated/etc. As such, it allows dynamically defined group memberships to be read/searched at full speed, as if they were static groups. The search performance difference between autogroup and the dynlist approach is pretty drastic when large groups and large numbers of groups are in use. As such I believe autogroup should be recommended, going forward, and we should move it from contrib into the core code. For similar reasons, dynamically managing memberOf attributes in dynlist also has a major impact on search performance. And as alluded to before, adding that functionality to dynlist has made the code quite a bit more complex. Again for performance reasons, it's better to manage this attribute on the write side, updating a real attribute in the DB when groups and memberships are modified, instead of doing the lookup work on the read/search side. As such, we should reverse the decision to deprecate the memberof overlay. There were a couple problems that the overlay presented in replication environments before, that prompted us to deprecate it, but I believe those problems have now been resolved. The first one, referenced in ITS#7400, had to do with the actual memberof attributes getting replicated even though they weren't meant to be. The solution for that should have been to specify that memberof should be excluded from replication using "exattr" in a syncrepl consumer config. The exattr option wasn't behaving as intended in the past, and using it would cause data desyncs, but that problem was fixed long ago. The other problem was simply due to the lack of ordering guarantees in syncrepl refreshes, which prevented the memberof overlay from updating an member's memberof attribute if the group entry got replicated before the member entry. That problem has been solved in ITS#10167, simply adding a check whenever new entries are added, to see if they're already members of any existing groups. As such, the memberof overlay should be perfectly fine for use in replication scenarios now. More testing of those scenarios is welcome. With statically managed member and memberof attributes, the major hits to search performance have been removed. We're still trying dynamically managed nesting of groups though, which is what the new nestgroup overlay (ITS#10161) is for. Again, we need testing to see how much performance impact there is from this much-reduced overhead in the read/search side of things. The config is also a lot easier to understand in its own overlay, instead of shoe-horned into the dynlist config. Testing and feedback appreciated.
-- David Coutadeur | IAM integrator david.coutad...@worteks.com +33 7 88 46 85 34 16 avenue Hoche, Paris 75008 Worteks | https://www.worteks.com
