Embedded LDAP Scalability - Weblogic


  1. Embedded LDAP Scalability

    I posted this w.d.i.portal but was advised to post here.

    We are planning to use Embedded LDAP for Portal Users & Groups. Is there
    any documentation available on dev2dev or somewhere else which can tell
    us the scalability of the embedded LDAP? We are looking at 2 MM+ users!!

    Thanks in advance

    Frido

  2. Re: Embedded LDAP Scalability

    Ladies & Gents,
    Any answer here will be appreciated. We are in a critical design
    phase and would really like an answer to this question. Please help. If
    there is no scalability document...then it's okay. No answer is not a
    good answer.

    Rgds,
    Frido
    BTW - We swept the oscars last night - howaboutthat

    Frido Baggins wrote:
    > I posted this w.d.i.portal but was advised to post here.
    >
    > We are planning to use Embedded LDAP for Portal Users & Groups. Is there
    > any documentation available on dev2dev or somewhere else which can tell
    > us the scalability of the embedded LDAP? We are looking at 2 MM+ users!!
    >
    > Thanks in advance
    >
    > Frido


  3. Re: Embedded LDAP Scalability

    Frido Baggins wrote:

    > Any answer here will be appreciated. We are in a critical design phase
    > and would really like an answer to this question. Please help. If there
    > is no scalability document...then it's okay. No answer is not a good
    > answer.


    Just checking - you mean you want to have more than 2 million users?

    I have no idea if the embedded LDAP would support that but surely you
    can write a very quick test (write a program to add 2 million users then
    try to login).

    My guess is that it will crash and burn.

    Robert

  4. Re: Embedded LDAP Scalability

    All right - then we have a problem. Why would BEA not support swapping
    out the embedded LDAP (which stores everything from role mappings,
    portal authzs etc.) for a better (read: more scalable) LDAP?

    I appreciate your comment, we can do the test but I would like BEA to
    provide some benchmark or performance material for their product which
    is so 'embedded' (no pun intended) into the Portal system.

    Robert Greig wrote:

    > Frido Baggins wrote:
    >
    >> Any answer here will be appreciated. We are in a critical design
    >> phase and would really like an answer to this question. Please help.
    >> If there is no scalability document...then it's okay. No answer is not
    >> a good answer.

    >
    >
    > Just checking - you mean you want to have more than 2 million users?
    >
    > I have no idea if the embedded LDAP would support that but surely you
    > can write a very quick test (write a program to add 2 million users then
    > try to login).
    >
    > My guess is that it will crash and burn.
    >
    > Robert


  5. Re: Embedded LDAP Scalability

    For 2 million users, I believe that you need to configure and use an
    external LDAP. The embedded ldap does not support this many users.


    "Frido Baggins" wrote in message
    news:403f7be8@newsgroups.bea.com...
    > I posted this w.d.i.portal but was advised to post here.
    >
    > We are planning to use Embedded LDAP for Portal Users & Groups. Is there
    > any documentation available on dev2dev or somewhere else which can tell
    > us the scalability of the embedded LDAP? We are looking at 2 MM+ users!!
    >
    > Thanks in advance
    >
    > Frido




  6. Re: Embedded LDAP Scalability

    Thanks Jennifer. However, for 2 MM users the data for Authorization
    Provider and Role Mapper provider will still be embedded LDAP - Right?
    You can't swap those out with any external LDAP. Will embedded LDAP hold
    up to that kind of data???? If not, what are our options - split it/
    wait for BEA to provide pluggable provider support for Role mapper and
    Authz. / something else. Please recommend.


    Thanks in advance for your help.

    Rgds,

    Frido

    Jennifer Parent wrote:

    > For 2 million users, I believe that you need to configure and use an
    > external LDAP. The embedded ldap does not support this many users.
    >
    >
    > "Frido Baggins" wrote in message
    > news:403f7be8@newsgroups.bea.com...
    >
    >>I posted this w.d.i.portal but was advised to post here.
    >>
    >>We are planning to use Embedded LDAP for Portal Users & Groups. Is there
    >>any documentation available on dev2dev or somewhere else which can tell
    >>us the scalability of the embedded LDAP? We are looking at 2 MM+ users!!
    >>
    >>Thanks in advance
    >>
    >>Frido

    >
    >
    >


  7. Re: Embedded LDAP Scalability

    Frido Baggins wrote:
    > Thanks Jennifer. However, for 2 MM users the data for Authorization
    > Provider and Role Mapper provider will still be embedded LDAP - Right?
    > You can't swap those out with any external LDAP. Will embedded LDAP hold
    > up to that kind of data???? If not, what are our options - split it/
    > wait for BEA to provide pluggable provider support for Role mapper and
    > Authz. / something else. Please recommend.


    Hi - I do not understand what you mean. You can write your own
    authorization provider or role mapper and neither of these things is
    dependent on the internal LDAP provider.

    2 million users is an awful lot of users - what kind of application are
    you building?

    Robert

  8. Re: Embedded LDAP Scalability

    Our Extranet Portals will be available to a lot of our clients and their
    employees who use us for their outsourced admin services.

    I am not kidding - we may even have to scale to 3MM users.

    Given that, our concurrency might not be more than 1% at any given time.
    People don't login that much except for certain instances in their lives.

    As for building custom providers - why? Why doesn't BEA provide pluggable
    LDAP, and why take on extra maintenance of code (custom) when it can be
    done using the scalable software available?

    Rgds,

    Ravi


    Robert Greig wrote:

    > Frido Baggins wrote:
    >
    >> Thanks Jennifer. However, for 2 MM users the data for Authorization
    >> Provider and Role Mapper provider will still be embedded LDAP - Right?
    >> You can't swap those out with any external LDAP. Will embedded LDAP
    >> hold up to that kind of data???? If not, what are our options - split
    >> it/ wait for BEA to provide pluggable provider support for Role mapper
    >> and Authz. / something else. Please recommend.

    >
    >
    > Hi - I do not understand what you mean. You can write your own
    > authorization provider or role mapper and neither of these things is
    > dependent on the internal LDAP provider.
    >
    > 2 million users is an awful lot of users - what kind of application are
    > you building?
    >
    > Robert


  9. Re: Embedded LDAP Scalability

    Frido Baggins wrote:

    > Our Extranet Portals will be available to a lot of our clients and their
    > employees who use us for their outsourced admin services.
    >
    > I am not kidding - we may even have to scale to 3MM users.
    >
    > Given that, our concurrency might not be more than 1% at any given time.
    > People don't login that much except for certain instances in their lives.


    Do you really want to use LDAP for these users? Is using a relational
    database not easier (I have no idea how many LDAP servers scale to 3
    million users - I work for a company with a mere 100,000 employees...)

    > As for building custom providers - why? Why doesn't BEA provide pluggable
    > LDAP, and why take on extra maintenance of code (custom) when it can be
    > done using the scalable software available?


    BEA does provide a range of security providers (for a number of LDAP
    providers for example) but it can't hope to meet every need. I'd rather
    they provided an open API (which they have done) that means I can write
    a few lines of code to integrate with whatever I want. For example, I
    had to write a custom provider to integrate with Lotus Domino.

    For role mapping it is harder to provide a solution "out of the box".
    There are many different ways you could decide you want to map roles.
    What would a generic solution look like? For example, I integrate with
    user roles that are stored on a Sybase database and retrieved using some
    stored procedures.

    Robert

  10. Re: Embedded LDAP Scalability

    Robert Greig wrote:
    > Frido Baggins wrote:
    >
    >> Our Extranet Portals will be available to a lot of our clients and their
    >> employees who use us for their outsourced admin services.
    >>
    >> I am not kidding - we may even have to scale to 3MM users.
    >>
    >> Given that, our concurrency might not be more than 1% at any given
    >> time. People don't login that much except for certain instances in
    >> their lives.

    >
    >
    > Do you really want to use LDAP for these users? Is using a relational
    > database not easier (I have no idea how many LDAP servers scale to 3
    > million users - I work for a company with a mere 100,000 employees...)


    A lot of LDAPs (Sun ONE, Novell, etc.) will scale to that. Moreover, LDAPs
    are read-optimized so they tend to beat RDBMS performance for lookups.
    You can chain LDAPs, cluster 'em and lots. Comparing RDBMS to LDAPs is
    apples to oranges. Each has its own use.

    >> As for building custom providers - why? Why doesn't BEA provide pluggable
    >> LDAP, and why take on extra maintenance of code (custom) when it can be
    >> done using the scalable software available?

    >
    >
    > BEA does provide a range of security providers (for a number of LDAP
    > providers for example) but it can't hope to meet every need. I'd rather
    > they provided an open API (which they have done) that means I can write
    > a few lines of code to integrate with whatever I want. For example, I
    > had to write a custom provider to integrate with Lotus Domino.
    >

    Accepted. I am looking for something everyone else does out of the box.
    BTW, on another group a BEA person promised to make a case:

    ::QUOTE:: I will make your case to the security team about a pluggable
    store allowing the default LDAP to be swapped out. I think it is a valid
    concern. ::QUOTE::

    > For role mapping it is harder to provide a solution "out of the box".
    > There are many different ways you could decide you want to map roles.
    > What would a generic solution look like? For example, I integrate with
    > user roles that are stored on a Sybase database and retrieved using some
    > stored procedures.

    LDAPs provide ways to create multiple groups, and using the same you can
    create roles. A uid (user id) can be a member of multiple groups through
    static membership or attributes.

    > Robert


    Frido
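
The group-based role model described in the post above, as an added example that is not part of the original thread: it resolves a user's roles from static `member` values (following nested groups) plus an attribute rule. The directory entries, the `dc=example,dc=com` suffix and the `ATTRIBUTE_ROLES` mapping are constructed for illustration.

```python
# Added example. Constructed sample directory (dc=example,dc=com is a placeholder).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
employeeType: contractor

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
employeeType: staff

dn: cn=portal-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: portal-users
member: uid=alice,ou=people,dc=example,dc=com
member: cn=admins,ou=groups,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=bob,ou=people,dc=example,dc=com
"""

# Hypothetical attribute-to-role rules (the "attributes" style of membership).
ATTRIBUTE_ROLES = {("employeeType", "contractor"): "restricted"}

def parse_ldif(text):
    """Minimal LDIF reader: no base64 values or folded lines (enough for the sample)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        # Lower-casing is a simplified stand-in for real DN normalization.
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def static_groups(entries, dn):
    """All groups reachable from dn via member values, following nested groups."""
    found, queue = set(), [dn.lower()]
    while queue:
        current = queue.pop()
        for group_dn, attrs in entries.items():
            members = [m.lower() for m in attrs.get("member", [])]
            if current in members and group_dn not in found:
                found.add(group_dn)  # the visited set also stops membership cycles
                queue.append(group_dn)
    return found

def roles_for(entries, uid):
    """Roles = names of static groups plus roles granted by attribute rules."""
    user_dn = next(dn for dn, a in entries.items() if uid in a.get("uid", []))
    roles = {entries[g]["cn"][0] for g in static_groups(entries, user_dn)}
    for (attr, value), role in ATTRIBUTE_ROLES.items():
        if value in entries[user_dn].get(attr.lower(), []):
            roles.add(role)
    return roles
```

A directory server answers the inner scan with an indexed search on `member`; the linear scan here is only to keep the example offline.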

  11. Re: Embedded LDAP Scalability


    Frido Baggins wrote:

    >A lot of LDAPs (Sun ONE, Novell, etc.) will scale to that. Moreover, LDAPs
    >are read-optimized so they tend to beat RDBMS performance for lookups.
    >You can chain LDAPs, cluster 'em and lots. Comparing RDBMS to LDAPs is
    >apples to oranges. Each has its own use.


    Do you have any links to reports comparing LDAP query performance with RDBMS query
    performance?

    Obviously LDAP is used for good reasons but I would be highly skeptical (to say
    the least) that lookup performance is why you would choose LDAP. I cannot imagine
    a standard lookup situation where you could not get Oracle or Sybase to outperform
    an LDAP provider.

    >Accepted. I am looking for something everyone else does out of the box.


    Who else?

    >BTW, on another group a BEA person promised to make a case:
    >
    >::QUOTE:: I will make your case to the security team about a pluggable
    >store allowing the default LDAP to be swapped out. I think it is a valid
    >concern. ::QUOTE::


    I think I have clearly missed the point. As far as I was aware you can plug in
    whatever LDAP provider you want.

    From the documentation:

    "WebLogic Server does not support or certify any particular LDAP servers. Any
    LDAP v2 or v3 compliant LDAP server should work with WebLogic Server. The following
    LDAP directory servers have been tested:

    Netscape iPlanet version 4.1.3
    Active Directory shipped as part of Windows 2000
    Open LDAP version 2.0.7
    Novell NDS version 8.5.1 "

    Robert

  12. Re: Embedded LDAP Scalability

    Please refer to thread
    news://newsgroups.bea.com:119/403951ea$1@newsgroups.bea.com

    You cannot use an external LDAP for Role Provider and AuthZ Provider.
    You can only use it as AuthN provider...and we are talking mostly about
    WL 8.1 Portal.

    As for performance...I will find some links, however that's not the only
    reason for choosing LDAP. It provides hierarchical structure, unlike a
    relational database system. There are reasons why people and portal
    vendors choose LDAP over DBMS for identity management.

    Robert Greig wrote:

    > Frido Baggins wrote:
    >
    >
    >>A lot of LDAPs (Sun ONE, Novell, etc.) will scale to that. Moreover, LDAPs
    >>are read-optimized so they tend to beat RDBMS performance for lookups.
    >>You can chain LDAPs, cluster 'em and lots. Comparing RDBMS to LDAPs is
    >>apples to oranges. Each has its own use.

    >
    >
    > Do you have any links to reports comparing LDAP query performance with RDBMS query
    > performance?
    >
    > Obviously LDAP is used for good reasons but I would be highly skeptical (to say
    > the least) that lookup performance is why you would choose LDAP. I cannot imagine
    > a standard lookup situation where you could not get Oracle or Sybase to outperform
    > an LDAP provider.
    >
    >
    >>Accepted. I am looking for something everyone else does out of the box.

    >
    >
    > Who else?
    >
    >
    >>BTW, on another group a BEA person promised to make a case:
    >>
    >>::QUOTE:: I will make your case to the security team about a pluggable
    >>store allowing the default LDAP to be swapped out. I think it is a valid
    >>concern. ::QUOTE::

    >
    >
    > I think I have clearly missed the point. As far as I was aware you can plug in
    > whatever LDAP provider you want.
    >
    > From the documentation:
    >
    > "WebLogic Server does not support or certify any particular LDAP servers. Any
    > LDAP v2 or v3 compliant LDAP server should work with WebLogic Server. The following
    > LDAP directory servers have been tested:
    >
    > Netscape iPlanet version 4.1.3
    > Active Directory shipped as part of Windows 2000
    > Open LDAP version 2.0.7
    > Novell NDS version 8.5.1 "
    >
    > Robert


  13. Re: Embedded LDAP Scalability

    Frido Baggins wrote:

    > Please refer to thread
    > news://newsgroups.bea.com:119/403951ea$1@newsgroups.bea.com
    >
    > You cannot use an external LDAP for Role Provider and AuthZ Provider.
    > You can only use it as AuthN provider...and we are talking mostly about
    > WL 8.1 Portal.


    Ah. Sorry, I did not appreciate that those providers had that
    limitation. It does seem an odd limitation given that it would have been
    so easy to make it generic.

    > As for performance...I will find some links, however that's not the only
    > reason for choosing LDAP. It provides hierarchical structure, unlike a
    > relational database system. There are reasons why people and portal
    > vendors choose LDAP over DBMS for identity management.


    I suppose I have always thought of the key point in LDAP being the L -
    lightweight, i.e. it is easy for a wide range of clients to get data but
    it isn't necessarily going to be incredibly fast. If you have very
    specific requirements (i.e. you aren't providing a generic service for a
    whole enterprise) I should have thought that you could provide an
    optimal schema that is tuned for your purpose exactly.

    In my organisation we use Domino LDAP currently (100k users) and it runs
    like a three-legged giraffe. Whether that is a failing in Domino (quite
    likely admittedly) or a failing in the admins (equally likely) I do not
    know.

    Robert

  14. Re: Embedded LDAP Scalability

    Robert Greig wrote:
    > Frido Baggins wrote:
    >
    >> Please refer to thread
    >> news://newsgroups.bea.com:119/403951ea$1@newsgroups.bea.com
    >>
    >> You cannot use an external LDAP for Role Provider and AuthZ Provider.
    >> You can only use it as AuthN provider...and we are talking mostly
    >> about WL 8.1 Portal.

    >
    >
    > Ah. Sorry, I did not appreciate that those providers had that
    > limitation. It does seem an odd limitation given that it would have been
    > so easy to make it generic.
    >
    >> As for performance...I will find some links, however that's not the
    >> only reason for choosing LDAP. It provides hierarchical structure,
    >> unlike a relational database system. There are reasons why people and
    >> portal vendors choose LDAP over DBMS for identity management.

    >
    >
    > I suppose I have always thought of the key point in LDAP being the L -
    > lightweight, i.e. it is easy for a wide range of clients to get data but
    > it isn't necessarily going to be incredibly fast. If you have very
    > specific requirements (i.e. you aren't providing a generic service for a
    > whole enterprise) I should have thought that you could provide an
    > optimal schema that is tuned for your purpose exactly.
    >

    We want to make LDAP the directory service for all our apps - portal or
    not portal. As a consultant I have implemented a couple, enough to really
    appreciate the flexibility, manageability and scalability of LDAPs.

    > In my organisation we use Domino LDAP currently (100k users) and it runs
    > like a three-legged giraffe. Whether that is a failing in Domino (quite
    > likely admittedly) or a failing in the admins (equally likely) I do not
    > know.

    Domino is not the best LDAP there is. So it is a failing in Domino. Try
    switching to openldap (http://www.openldap.org/), Sun ONE, or the big blue.
    > Robert


    Frido

  15. Re: Embedded LDAP Scalability

    Frido Baggins wrote:

    > Domino is not the best LDAP there is. So it is a failing in Domino. Try
    > switching to openldap (http://www.openldap.org/), Sun ONE, or the big blue.


    We are actually moving to an Active Directory infrastructure. I like
    this from the point of view of getting a good Kerberos implementation.
    Is the LDAP implementation any good?

    Robert
