In our ldap we do not delete users, we deactivate them with nsaccountlock. All user entries are in the same branch of the tree. In this data structure, all uid's are unique and are not used again.

Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance. AFAIK a lot of services keep uid's so they cannot be used again. What's a good design approach? Do inactive users move to another tree? Maybe move to another server and use a referral somehow. What do ldap admins do with all this dead weight? :)
Noriko Hosoi
2006-Jun-13 18:18 UTC
Re: [Fedora-directory-users] data design for inactive users?
Did you have a chance to see these docs?

"Preventing Authentication by Account Inactivation" in Directory Server Deployment Guide:
http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/aci.html#17614

And the command line scripts ns-activate.pl, ns-inactivate.pl, ns-accountstatus.pl.
Configuration, Command, and File Reference PDF <http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf> (2608 KB) Page 277-279

--noriko

Scott wrote:
> In our ldap we do not delete users, we deactivate them with nsaccountlock. All user entries are in the same branch of the tree. In this data structure, all uid's are unique and are not used again.
>
> Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance. AFAIK a lot of services keep uid's so they cannot be used again. What's a good design approach? Do inactive users move to another tree? Maybe move to another server and use a referral somehow. What do ldap admins do with all this dead weight? :)
David Boreham
2006-Jun-13 18:23 UTC
Re: [Fedora-directory-users] data design for inactive users?
Scott wrote:
> In our ldap we do not delete users, we deactivate them with nsaccountlock. All user entries are in the same branch of the tree. In this data structure, all uid's are unique and are not used again.
>
> Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance. AFAIK a lot of services keep uid's so they cannot be used again. What's a good design approach? Do inactive users move to another tree? Maybe move to another server and use a referral somehow. What do ldap admins do with all this dead weight? :)

I'm curious why you think search performance will suffer. Are you worried about totally unindexed searches?

Some supporting data would be useful: number of users, inactive users, some example searches that you see slow down, and so on.

Per se, searches should not be slower when you take the approach you have.
Sankarshan Mukhopadhyay
2006-Jun-13 18:33 UTC
Re: [Fedora-directory-users] data design for inactive users?
On 6/13/06, Scott <rinconsystems@yahoo.com> wrote:
> Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance.

Kind of puzzled by the above statement - do you have performance data that establishes this fact?

:Sankarshan

--
You see things; and you say 'Why?'; But I dream things that never were; and I say 'Why not?' - George Bernard Shaw
Thanks for the replies, sorry to be vague. Maybe I don't have anything to worry about. I have 30k current users, and 70k inactive users (approx). My current user base will remain the same, but obviously my inactive users continue to grow.

Yes, directories can scale well beyond those numbers. Except for provisioning applications, I assume you would want authn apps etc. pointing to a base of current users. Why point at 100k when you are using just 30k?

Another assumption :) big companies with huge ldap's where uid's don't expire... Do they just keep all the entries together? I thought maybe there was some normal practice in this situation.

--- David Boreham <david_list@boreham.org> wrote:
> Scott wrote:
>
> > In our ldap we do not delete users, we deactivate them with nsaccountlock. All user entries are in the same branch of the tree. In this data structure, all uid's are unique and are not used again.
> >
> > Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance. AFAIK a lot of services keep uid's so they cannot be used again. What's a good design approach? Do inactive users move to another tree? Maybe move to another server and use a referral somehow. What do ldap admins do with all this dead weight? :)
>
> I'm curious why you think search performance will suffer. Are you worried about totally unindexed searches?
>
> Some supporting data would be useful: number of users, inactive users, some example searches that you see slow down, and so on.
>
> Per se, searches should not be slower when you take the approach you have.
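
Added example, not part of any message in this thread: one way an authentication application can keep searching the single user branch described above while skipping deactivated entries, by adding a negated nsAccountLock term to its uid lookup and escaping the login name per RFC 4515. It assumes the lock is stored on the entry itself as nsAccountLock: true; the function names and the sample entries are constructed for illustration.

```python
# Added example, not from the thread. Assumes the lock is stored on the
# entry itself as "nsAccountLock: true" and that logins are looked up by uid.

# RFC 4515: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape user-supplied text so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def active_user_filter(uid):
    """Filter for one uid that skips entries with nsAccountLock: true."""
    if not uid:
        raise ValueError("uid must not be empty")
    return "(&(uid=%s)(!(nsAccountLock=true)))" % escape_filter_value(uid)


def matches_active(entry, uid):
    """Local stand-in for how a server evaluates the filter on one entry.

    An entry with no nsAccountLock attribute counts as active, because
    the equality test is false there and the negation makes it true.
    """
    uids = [v.lower() for v in entry.get("uid", [])]
    locks = [v.lower() for v in entry.get("nsAccountLock", [])]
    return uid.lower() in uids and "true" not in locks


# Constructed sample entries (hypothetical users in one flat branch).
ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "uid": ["alice"]},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "uid": ["bob"],
     "nsAccountLock": ["true"]},
    {"dn": "uid=carol,ou=People,dc=example,dc=com", "uid": ["carol"],
     "nsAccountLock": ["false"]},
]


def login_candidates(uid):
    """DNs an authentication application would be allowed to bind as."""
    return [e["dn"] for e in ENTRIES if matches_active(e, uid)]


if __name__ == "__main__":
    print(active_user_filter("alice"))
    print(login_candidates("bob"))
```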