Dealing with Entity Associations in OpenDJ

This topic has 1 reply, 2 voices, and was last updated 6 years, 7 months ago by Ludo.

  • Author
  • #8002

    Hopefully I am posting this in the right category. If not, apologies in advance, please point me in the right direction.

    Problem Statement: Our Application stores two kinds of entities in OpenDJ, Devices(objectclass=device) and Users(objectclass=inetrOrgPerson). Every Device can have owners (privileged user ) and users(non privileged user) associated with it. A User can be associated with one or more devices ( Numbers can be in thousands). Correspondingly a device can be associated to users . Users can be owners (Read/Write access to device attributes) of the device or simply have read permission on device attributes. So a given device can have two types of users with different privileges on it.

    Possible Solutions with Questions:

    1. We can leverage the “owner” attribute of the device object class and store one or more owners. Similarly I can create a custom multi-valued DN attribute to store the non privileged DN’s. Will this scale considering that a Device can have a few thousand users associated with it. Are there limitations on how many multivalued attributes can be enumerated using the REST API or the OpenDJ SDK?

    2. An Alternate solution is to create a group entry for each Device ( either static or dynamic ) and have nested sub groups “Owners” and “Users” and add members as DN’s to the relevant sub group. This leads to group explosion since now every device entry has a corresponding group entry and the referential integrity has to be maintained. Will this even scale where we could have millions of devices?

    • This topic was modified 6 years, 7 months ago by vasudevanms.

    Hi @vasudevanms
    This is a very interesting question, and while it’s kind of tied to OpenDJ (and would probably deserve to be discussed in the OpenDJ forum), it is a generic question of how to model complex relationship with LDAP.
    I think the proper answer will completely depend on the type of queries that you want to do against users and devices.
    But, if going with solution 1, I would definitely reuse the “Owner” attribute.
    OpenDJ doesn’t have any limitation with regards to the number of values that can be managed or returned, but it does impose a limit on the size of a request it can accept (and it can be tuned). The REST service, can have other internal limits.
    If there is a plan to have millions of devices, I wouldn’t go with the path of creating 3 groups per device. You may end up with more groups than devices.

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?