[Freeipa-users] Practical and theoretical limits of FreeIPA

Dmitri Pal dpal at redhat.com
Mon Dec 29 21:11:47 UTC 2014


On 12/22/2014 10:38 AM, Andrew Holway wrote:
> So I am looking at ways of building a distributed user database for 
> millions of users (specifically 5 million at the moment) and I am 
> thinking that freeIPA might be a good thing to test for this kind of 
> use case. I would assume that at least a third of these users would 
> want to authenticate every day however updates of data held in the 
> database would probably be quite rare.
>
> We need to have endpoints in a few regions and the Multi Master 
> Replication would take care of the back end problem for us quite well.
>
> Does anyone have any data on using freeIPA for this kind of thing?
> What would be the caveats?

LDAP will be able to handle this amount of data; however, there are 
several recommendations other than what you can find here:
http://www.freeipa.org/page/Deployment_Recommendations

1. User account creation and modification.
If users are enrolled automatically and are expected to operate right 
away after the account is created you need to make sure you understand 
the latency of the LDAP replication.
Think about keeping affinity to a single server for the first user 
session. For modifications consider also keeping affinity to a separate 
server and not allowing modifications to random replicas.
This approach will prevent random failures and negative user experience 
due to replication latency.
It is not an IPA recommendation BTW but rather a general LDAP related 
wizardry.
2. Make sure you have enough replicas but not too many. You would need 
to test your environment depending on the number of data centers across 
the globe and how users are distributed around the world.

Seems like a big project for some kind of online community. Any chance 
you can share more details?

We would not be surprised if there would be issues as you ramp up the 
environment.
To address environments like this we plan to change LDAP DB from BDB to 
MDB some time next year.
I suspect that as you grow your environment over time you should 
consider upgrading to the version that would implement this change.

>
> Thanks,
>
> Andrew
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
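
The server-affinity advice in point 1 of the reply above, as an added example that is not part of the original message and is not FreeIPA code. Assumptions: replication is modelled in memory as a fixed delay, and the names `Topology`, `AffinityRouter`, `ipa1`..`ipa3` and the sample user are hypothetical.

```python
import itertools

class Topology:
    """Constructed model: multi-master replicas that receive changes after `lag` seconds."""
    def __init__(self, names, lag):
        self.entries = {n: {} for n in names}   # server name -> {uid: attrs}
        self.lag, self.now, self.pending = lag, 0, []

    def write(self, server, uid, attrs):
        self.entries[server][uid] = attrs       # visible locally at once
        for name in self.entries:
            if name != server:                  # queued for every other replica
                self.pending.append((self.now + self.lag, name, uid, attrs))

    def tick(self, seconds):
        """Advance the clock and deliver every change that is now due."""
        self.now += seconds
        due = [p for p in self.pending if p[0] <= self.now]
        self.pending = [p for p in self.pending if p[0] > self.now]
        for _, name, uid, attrs in due:
            self.entries[name][uid] = attrs

class AffinityRouter:
    """All writes go to one server; a just-written user is read from that server too."""
    def __init__(self, topo, write_server, pin_seconds):
        # pin_seconds must exceed the worst replication latency you have measured
        self.topo, self.write_server, self.pin_seconds = topo, write_server, pin_seconds
        self.pinned_until = {}
        self.readers = itertools.cycle(sorted(topo.entries))

    def modify(self, uid, attrs):
        self.topo.write(self.write_server, uid, attrs)
        self.pinned_until[uid] = self.topo.now + self.pin_seconds

    def server_for(self, uid):
        if self.pinned_until.get(uid, -1) > self.topo.now:
            return self.write_server            # first session stays on the writer
        return next(self.readers)               # otherwise any replica will do

    def lookup(self, uid):
        return self.topo.entries[self.server_for(uid)].get(uid)

def demo():
    topo = Topology(["ipa1", "ipa2", "ipa3"], lag=5)
    router = AffinityRouter(topo, write_server="ipa1", pin_seconds=10)
    router.modify("alice", {"mail": "alice@example.test"})   # constructed sample user
    unpinned = topo.entries["ipa2"].get("alice")   # what a random replica sees now
    pinned = router.lookup("alice")                # what the pinned session sees
    topo.tick(11)                                  # lag and pin window both elapsed
    later = [router.lookup("alice") is not None for _ in range(3)]
    return unpinned, pinned, later
```
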
