LDAP realm scalability
From VYRE
Prior to the release of Unify 4.5, it was impossible to connect to LDAP servers that contained a large number of users. This article explains how this is now possible using some of the new features introduced in that release.
Default (non scalable) behaviour
The behaviour in versions prior to 4.5, and in 4.5 when the new options are not activated, is as follows. As you will notice, this works well for small LDAP servers but does not scale well when there are many users.
LDAP Realm
When an LDAP Realm is created, the entire list of users is retrieved from the LDAP server. For each user on the LDAP server, a user profile is created. The users and groups themselves are not stored locally. On each subsequent refresh of the users in the LDAP realm, the list of users is again retrieved from the LDAP server. For each user retrieved, a check is made that their profile exists, and if it does not, it is created.
LDAP Sub Realm
When the LDAP Sub Realm is synchronized for the first time, the entire list of users is retrieved from the LDAP server. If group synchronization for the consolidated realm is turned on, a list of groups is also retrieved and, for each group retrieved, a group is created in the consolidated realm. For each user retrieved from the LDAP server, a user record is created in the consolidated realm and, if group synchronization is turned on, the user is added to the correct groups. A profile is also created for that user.
On each subsequent resynchronization of the realm (triggered by the CRON expression or by pressing the sync and reindex button), the list of all users is again retrieved from the LDAP server and the list of users that have already been synchronized is loaded from Unify. The two lists are compared: any new users on the LDAP server are created in Unify, and any users which exist in Unify but no longer exist on the LDAP server are removed from Unify and their profile deactivated.
New Scalable behaviour
To overcome the scalability issues with the default behaviour, a new option called Create users on demand was added to the LDAP realms in Unify 4.5. Turning this on does exactly what it says: instead of generating all users at the point of synchronization, that synchronization no longer occurs and users are created as they log into Unify for the first time.
Disadvantages
This does have a number of disadvantages compared to the default method described above.
- It is impossible to generate an accurate count of users in the realm. This is because there is no method of retrieving the total number of users from an LDAP server that is implemented by all vendors.
- It is also impossible to ever get an accurate representation of the LDAP users in a Unify index. This is because when this option is turned on, Unify never retrieves the entire list of users from the LDAP server; it instead assumes that the list is going to be too big to handle.
- LDAP Sub Realms no longer support removing users from Unify who have been deleted from the LDAP server. Deleted users will of course still be unable to log in, since authentication is done on the LDAP server.
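The following simulation, added here as an illustration and not code from Unify or VYRE, contrasts the two behaviours described above: the default full synchronization of an LDAP Sub Realm (retrieve every user, create the missing ones, remove and deactivate the ones that disappeared) and the Create users on demand mode (no synchronization; a record is created the first time a user authenticates). The LDAP server, the credentials and the Unify user store are all constructed in-memory stand-ins; the class and method names are assumptions made for the example, not Unify's or any LDAP library's real API.

```python
"""
Simulation of full-sync versus create-on-demand LDAP realm behaviour.
Everything here is a constructed stand-in for the purposes of illustration.
"""
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    """Stand-in LDAP directory: username -> {"password": str, "groups": set}."""
    users: dict

    def list_users(self):
        # Full enumeration of the directory: the call that does not scale.
        return set(self.users)

    def list_groups(self):
        return {g for u in self.users.values() for g in u["groups"]}

    def bind(self, username, password):
        # Authentication happens on the LDAP side in both modes.
        u = self.users.get(username)
        return u is not None and u["password"] == password


@dataclass
class UnifyRealm:
    """Stand-in for a Unify LDAP sub realm with its consolidated user store."""
    ldap: FakeLdapServer
    create_on_demand: bool = False
    users: dict = field(default_factory=dict)     # username -> set of groups
    profiles: dict = field(default_factory=dict)  # username -> active flag
    groups: set = field(default_factory=set)

    def synchronize(self):
        """Default behaviour: mirror the whole LDAP user list into the realm."""
        if self.create_on_demand:
            # In on-demand mode no synchronization takes place at all.
            return
        remote = self.ldap.list_users()
        self.groups |= self.ldap.list_groups()
        for name in remote - set(self.users):
            # New on the LDAP server: create record, groups and profile.
            self.users[name] = set(self.ldap.users[name]["groups"])
            self.profiles[name] = True
        for name in set(self.users) - remote:
            # Gone from the LDAP server: remove record, deactivate profile.
            del self.users[name]
            self.profiles[name] = False

    def login(self, username, password):
        """Authenticate against LDAP; on-demand mode creates the record on first login."""
        if not self.ldap.bind(username, password):
            return False
        if self.create_on_demand and username not in self.users:
            self.users[username] = set(self.ldap.users[username]["groups"])
            self.profiles[username] = True
        return True

    def user_count(self):
        """Accurate only in default mode; None signals 'unknown' in on-demand mode."""
        return None if self.create_on_demand else len(self.users)

    def stale_records(self):
        """Records for users that no longer exist in LDAP (only accumulate in on-demand mode)."""
        return set(self.users) - set(self.ldap.users)


if __name__ == "__main__":
    directory = FakeLdapServer({
        "alice": {"password": "a-pw", "groups": {"staff"}},
        "bob": {"password": "b-pw", "groups": {"staff", "admins"}},
    })
    realm = UnifyRealm(directory, create_on_demand=True)
    realm.synchronize()
    print("records after 'sync':", sorted(realm.users))        # []
    print("alice login:", realm.login("alice", "a-pw"))         # True
    del directory.users["alice"]
    print("alice login after deletion:", realm.login("alice", "a-pw"))  # False
    print("stale records:", realm.stale_records())              # {'alice'}
```

The last line of the scenario is the point a reviewer of this setting should keep in mind: in on-demand mode a user deleted from LDAP can no longer authenticate, but their Unify record and group memberships remain until someone removes them by hand, so a periodic reconciliation against the directory is still worthwhile.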
Conclusion
If you are dealing with a large LDAP realm and do not care about the index (i.e. you do not require the ability to search all users on the Unify side), always turn Create users on demand on. If you are dealing with a small set of users, it is fine to leave Create users on demand off.
