directory-fortress mailing list archives

From Shawn McKinney
Subject Re: Fortress performance tests
Date Mon, 26 Jun 2017 01:05:22 GMT

> On Jun 25, 2017, at 10:34 AM, Yudhi Karunia Surtan wrote:
> Has anyone ever tried to use fortress with around > 10 million ldap
> entries?
> I'm curious whether fortress is able to handle so many entries below ou=people.
> Honestly, I'm a newbie in ldap and did some experiments in which AccessMgr
> gets a timeout when ou=people is filled with so many entries.
> I don't think increasing the timeout is the solution; more entries mean
> the timeout setting will also have to be increased later.


I just loaded up 1M users and there are no performance degradations.  It took about 20 minutes
to create the users, longer to assign each user 10 roles.

No surprise there, LDAP is made for this.  Of course the indexes need to be in place, which
if you follow the default setup for OpenLDAP they will be.

There is a caveat: fortress supports two-way user-role assignments.  That is, the role attribute
is stored on the user object, and the user membership is on the Role object.  The latter is to
be compatible with non-RBAC implementations that use traditional group membership lookups
for access control.

The problem is when groups have large numbers of users, i.e. tens of thousands, performance
degrades on the edits of those objects.

Strictly speaking, fortress doesn’t need to associate user membership with roles for its
RBAC controls, so I am going to add an option to disable it, with a config switch.  Something along
the lines of:
role.occupants = false <— disable role-to-user mapping
role.occupants = true <— enable role-to-user mapping

To load the 1M users:

This class is still a little rough around the edges, and needs some work, but if you want
to try it let me know and we’ll get it cleaned up.  
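
Added example, not part of the original message or of the Fortress code base: a small model of the two writes behind one user-role assignment, showing how the role entry grows with every assigned user unless the role-to-user mapping is switched off. The attribute names ftRA and roleOccupant, the example DNs and the role_occupants parameter (mirroring the proposed role.occupants switch) are assumptions.

```python
"""Added example: the two LDAP writes behind one Fortress user-role assignment."""
from collections import Counter

# Assumptions (not from the post): attribute names ftRA / roleOccupant and the
# constructed DNs below; role_occupants mirrors the proposed role.occupants switch.
USER_ATTR = "ftRA"
ROLE_ATTR = "roleOccupant"


def assignment_mods(user_dn, role_dn, role_name, role_occupants=True):
    """Return the (dn, attribute, value) additions for one assignment."""
    mods = [(user_dn, USER_ATTR, role_name)]        # role stored on the user
    if role_occupants:
        mods.append((role_dn, ROLE_ATTR, user_dn))  # membership stored on the role
    return mods


def to_ldif(mods):
    """Render the additions as LDIF modify records."""
    records = []
    for dn, attr, value in mods:
        records.append(f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{attr}: {value}\n")
    return "\n".join(records)


def load(n_users, role_names, role_occupants=True):
    """Assign every role to n_users constructed users; count values per entry."""
    values = Counter()
    for i in range(n_users):
        user_dn = f"uid=user{i},ou=people,dc=example,dc=com"
        for name in role_names:
            role_dn = f"cn={name},ou=roles,dc=example,dc=com"
            for dn, _attr, _value in assignment_mods(user_dn, role_dn, name, role_occupants):
                values[dn] += 1
    return values


if __name__ == "__main__":
    roles = [f"role{r}" for r in range(10)]
    print(to_ldif(assignment_mods("uid=user0,ou=people,dc=example,dc=com",
                                  "cn=role0,ou=roles,dc=example,dc=com", "role0")))
    for flag in (True, False):
        counts = load(20000, roles, flag)
        print(flag, "largest entry holds", max(counts.values()), "values")
```

With the mapping enabled, each role entry ends up holding one value per assigned user, while every user entry stays at one value per role.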

