seojeong kim via FreeIPA-users wrote:
Hello Rob As you said, If any group member exceed 3K then you can experience slow down in server response. But in the big size of operation environment, members( especially the number of hosts) exceeding 3k is not that uncommon. So, I wonder if there is any way you recommend to manage this case such as you split up into several groups internally, or disable some configurations. If there is no reference or guide from IPA about that, I have no option but to face slow-down performance issue ?
We consider an API call to be "slow" if it takes > 2s. At 3k a group adding a new member tends to exceed that. Not by a lot but the more members, the slower it gets. I didn't test member removal from a group > 3k but its likely to be similar.
I also didn't test absolutely massive groups. I was only looking to find out where adding a new member exceeded 3s. So I have no graphs on the rate at which adding a new member slows.
Splitting groups using nesting results in the same problem. The underlying issue is the memberof plugin in 389-ds which calculates the membership. There is no getting around it.
Work is happening to address the known performance issues but I'm not doing the work and have no insight into their progress. All I know is that it's a hard nut to crack.
Currently there are no known mitigations.
rob