In our ldap we do not delete users, we deactivate them with nsaccountlock. All user entries are in the same branch of the tree. In this data structure, all uid's are unique and are not used again.
Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance. AFAIK a lot of services keep uid's so they cannot be used again. What's a good design approach? Do inactive users move to another tree? Maybe move to another server and use a referral somehow. What do ldap admins do with all this dead weight? :)
Did you have a chance to see these docs? "Preventing Authentication by Account Inactivation" in Directory Server Deployment Guide: http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/aci.html#17614
And the command line scripts ns-activate.pl, ns-inactivate.pl, ns-accountstatus.pl. Configuration, Command, and File Reference PDF http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf (2608 KB) Page 277-279
--noriko
Scott wrote:
In our ldap we do not delete users, we deactivate them with nsaccountlock. All user entries are in the same branch of the tree. In this data structure, all uid's are unique and are not used again.
Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance. AFAIK a lot of services keep uid's so they cannot be used again. What's a good design approach? Do inactive users move to another tree? Maybe move to another server and use a referral somehow. What do ldap admins do with all this dead weight? :)
Scott wrote:
In our ldap we do not delete users, we deactivate them with nsaccountlock. All user entries are in the same branch of the tree. In this data structure, all uid's are unique and are not used again.
Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance. AFAIK a lot of services keep uid's so they cannot be used again. What's a good design approach? Do inactive users move to another tree? Maybe move to another server and use a referral somehow. What do ldap admins do with all this dead weight? :)
I'm curious why you think search performance will suffer. Are you worried about totally unindexed searches?
Some supporting data would be useful: number of users, inactive users, some example searches that you see slow down, and so on.
Per se, searches should not be slower when you take the approach you have.
Thanks for the replies, sorry to be vague. Maybe I don't have anything to worry about. I have 30k current users, and 70k inactive users (approx). My current user base will remain the same, but obviously my inactive users continue to grow.
Yes, directories can scale well beyond those numbers. Except for provisioning applications, I assume you would want authn apps etc. pointing to a base of current users. Why point at 100k when you are using just 30k?
Another assumption :) big companies with huge ldap's where uid's don't expire... Do they just keep all the entries together? I thought maybe there was some normal practice in this situation.
--- David Boreham david_list@boreham.org wrote:
Scott wrote:
In our ldap we do not delete users, we deactivate them with nsaccountlock. All user entries are in the same branch of the tree. In this data structure, all uid's are unique and are not used again.
Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance. AFAIK a lot of services keep uid's so they cannot be used again. What's a good design approach? Do inactive users move to another tree? Maybe move to another server and use a referral somehow. What do ldap admins do with all this dead weight? :)
I'm curious why you think search performance will suffer. Are you worried about totally unindexed searches?
Some supporting data would be useful: number of users, inactive users, some example searches that you see slow down, and so on.
Per se, searches should not be slower when you take the approach you have.
On 6/13/06, Scott rinconsystems@yahoo.com wrote:
Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance.
Kind of puzzled by the above statement - do you have performance data that establishes this fact?
:Sankarshan