Posted to dev@ranger.apache.org by Nigel Jones <jo...@uk.ibm.com> on 2017/03/08 17:43:46 UTC

Re: Scalability - large numbers of users/groups in LDAP

On 22/02/2017 19:28, Sailaja Polavarapu wrote:
> Hi Nigel Jones,
> As part of incremental sync support for ranger, I was reading
> through MS AD documentation for memberof attribute. According to the
> documentation, it looks like memberof attribute value is not stored and
> is always computed on-fly from the member attribute of the group.
> In OpenLdap case, the memberof attribute is not enabled by default as
> part of the schema. It has to be enabled manually. As far as I know,
> openLdap doesn't maintain the back-link between the memberof attribute
> of user and member/memberUid attribute of the group. It is up to the
> admin to create these values while adding/updating the users and groups.
> And the memberof attribute is stored in the schema and the value is
> retrieved as is without any computation from group member attribute.

Thanks, it does look like I have a workable solution to go with (to be 
verified of course)

* Get a list of roles that will participate in this environment (in fact 
these will source from Apache Atlas as that stores some entity:role 
associations in our case)
* Query LDAP for the users in those roles (LDAP groups)
* Push as users/groups into ranger with a new "usersync" process

This preserves the current approach ranger takes with just a tweak to 
the source of the user & role information ;-)
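The three steps above, worked through as an added example that is not part of this thread or of Ranger's own usersync code. It follows the point Sailaja makes about memberof: membership is computed from the group side (member / memberUid), never read from a memberof back-link that OpenLDAP may not maintain. The group entries are constructed sample data shaped like the attribute dicts an LDAP search returns; the role list stands in for what Atlas would supply; the final push into Ranger is not shown and is assumed to be a separate step. A second function computes the delta between two snapshots, which is what an incremental sync would act on.

```python
"""Compute user -> group membership from the group side of an LDAP tree,
plus the delta between two sync runs. Constructed sample data, no live LDAP."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample entries, in the shape of LDAP search results:
#  - 'member'    holds full user DNs (AD groups, OpenLDAP groupOfNames)
#  - 'memberUid' holds bare uids     (OpenLDAP posixGroup)
# Note that neither entry carries memberof on the user side; we never need it.
SAMPLE_GROUPS = [
    {"dn": "cn=data-stewards,ou=groups,dc=example,dc=com",
     "cn": "data-stewards",
     "member": ["uid=alice,ou=people,dc=example,dc=com",
                "uid=bob,ou=people,dc=example,dc=com"]},
    {"dn": "cn=analysts,ou=groups,dc=example,dc=com",
     "cn": "analysts",
     "memberUid": ["bob", "carol"]},
    {"dn": "cn=unrelated,ou=groups,dc=example,dc=com",
     "cn": "unrelated",
     "member": ["uid=dave,ou=people,dc=example,dc=com"]},
]

# Hypothetical role list as it might be sourced from Atlas (assumption).
ROLES_FROM_ATLAS = {"data-stewards", "analysts"}


def uid_from_dn(dn: str) -> str:
    """Return the value of the first RDN ('uid=alice,ou=...' -> 'alice').

    Only uid= or cn= leading RDNs are accepted; anything else is rejected
    rather than silently mapped to a wrong user name.
    """
    first = dn.split(",", 1)[0].strip()
    attr, _, value = first.partition("=")
    if attr.strip().lower() not in ("uid", "cn") or not value.strip():
        raise ValueError(f"unsupported member DN: {dn!r}")
    return value.strip()


def build_membership(groups: Iterable[dict],
                     wanted_groups: Set[str]) -> Dict[str, Set[str]]:
    """Map user -> set of group names, computed from member/memberUid only.

    Groups not in wanted_groups (the roles of interest) are ignored, so
    the result is exactly what a usersync process would push on.
    """
    membership: Dict[str, Set[str]] = {}
    for group in groups:
        name = group.get("cn")
        if name not in wanted_groups:
            continue
        users = [uid_from_dn(dn) for dn in group.get("member", [])]
        users += list(group.get("memberUid", []))
        for user in users:
            membership.setdefault(user, set()).add(name)
    return membership


def missing_groups(groups: Iterable[dict], wanted_groups: Set[str]) -> List[str]:
    """Roles requested from Atlas that have no matching LDAP group."""
    present = {g.get("cn") for g in groups}
    return sorted(wanted_groups - present)


Pair = Tuple[str, str]


def diff_membership(previous: Dict[str, Set[str]],
                    current: Dict[str, Set[str]]) -> Tuple[List[Pair], List[Pair]]:
    """Return (added, removed) (user, group) pairs between two snapshots.

    Users absent from one snapshot are treated as having no groups there,
    so a user dropped entirely shows up as one removed pair per group.
    """
    users = set(previous) | set(current)
    added: List[Pair] = []
    removed: List[Pair] = []
    for user in sorted(users):
        before = previous.get(user, set())
        after = current.get(user, set())
        added += [(user, g) for g in sorted(after - before)]
        removed += [(user, g) for g in sorted(before - after)]
    return added, removed


if __name__ == "__main__":
    full = build_membership(SAMPLE_GROUPS, ROLES_FROM_ATLAS)
    print("membership:", {u: sorted(gs) for u, gs in full.items()})
    print("missing roles:", missing_groups(SAMPLE_GROUPS, ROLES_FROM_ATLAS | {"auditors"}))
    print("delta:", diff_membership({}, full))
```

The delta is what an incremental usersync would hand to Ranger after the first full run; the first run simply diffs against an empty snapshot.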