group membership evaluation vs caching

This topic has 5 replies, 3 voices, and was last updated 1 month, 1 week ago by fletches40.

  • #28644
     fletches40
    Participant

    We have a situation where we have a web policy agent protecting URLs via a policy based on group membership.
    The groups in question are sometimes quite large (30K+ members). What appears to be happening is that every time someone accesses the resource the entire group list is dragged back from LDAP. Given this can happen many times per second, the traffic and load between OpenAM and LDAP is excessive.

    idm caching is on but does not appear to be having much impact.

    Is there any way to change the behaviour from “let’s grab the entire group list and see if the user in question is in there?” to “is the user a member of this group?”

    For the purposes of transparency I should say the system in question is OpenAM v11 with WPA 3.3.4.

    #28650
     Scott Heger
    Participant

    Are you using static or dynamic groups?

    #28653
     fletches40
    Participant

    static

    #28657
     Scott Heger
    Participant

    I assume your identity store is OpenDJ. What version of that are you using? There may be a way to use an LDAP filter condition in your policy vs group membership but I need to check what your version of DJ provides with regards to static groups.

    #28658
     fletches40
    Participant

    Datastore is ODSEE.
