LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

For example, if a user belongs to 8 static groups and 20 dynamic groups, and you map memberUid
to memberUid msDS-AzLDAPQuery, LDAP-UX will return 8 static groups and 12 dynamic
groups. If you map memberUid to msDS-AzLDAPQuery memberUid, LDAP-UX will return 20
dynamic groups without any static groups.
NOTE: As of HP-UX release 11i v3, you can increase the number of groups a user can be a
member of (instead of the default 20). This capability is documented in the Group Membership
Expansion: Guidelines for Deployment document found at:
http://www.hp.com/go/hpux-core-docs
Be aware that with dynamic group membership, the performance of initgroups() (and, indirectly,
login) degrades linearly as the number of dynamic groups increases.
5.6 Performance impact for dynamic groups
A dynamic group is specified by a search filter. Depending on how you configure dynamic
groups, resolving them can involve many LDAP searches. In that case, the performance
of applications that call getgrnam(), getgrgid() or getgrent()(3C) (for example, the
"id" and "groups" commands) is affected.
To reduce the performance impact, the LDAP-UX Client daemon, ldapclientd, caches
dynamic group information, including the dynamic members that belong to a specific group and
the dynamic groups that a specific user belongs to. Caching reduces the time the
ldapclientd daemon takes to return information. However, before the cache is established (i.e. on
the very first request) or after the cache expires, you may experience longer response times. See
Section 5.7 (page 82) for detailed information on dynamic group caching.
5.6.1 Enabling/Disabling enable_dynamic_getgroupsbymember
Processing the dynamic groups that a specific user belongs to can increase the user's login
time. To control whether LDAP-UX processes the dynamic groups a specific user belongs to,
LDAP-UX Client Services supports the following configuration parameter,
enable_dynamic_getgroupsbymember, in the /etc/opt/ldapux/ldapux_client.conf
file:
enable_dynamic_getgroupsbymember
This integer variable controls whether the operation for processing dynamic groups that a
specific user belongs to is enabled or disabled. The valid values of this option are 1 and 0.
By default, LDAP-UX returns dynamic groups that a user belongs to if the group attribute,
memberUid, is mapped to msDS-AzLDAPQuery. If a user belongs to many dynamic groups,
he/she may experience an unexpected delay when logging into an HP-UX client system. You can
eliminate the delay by preventing LDAP-UX from returning the dynamic groups that a specific
user belongs to unless he/she specifically uses the newgrp command. As a result, the user will
not have access granted to those dynamic groups, and the "id" command will not show those
groups. To disable it, set enable_dynamic_getgroupsbymember to 0. This setting does not
affect the processing of dynamic members for a specific group. The default value is 1,
which enables it.
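The following shell functions are an added example, not part of this guide or of LDAP-UX: they report the effective enable_dynamic_getgroupsbymember setting for a configuration file, so you can confirm whether users receive their dynamic groups at login. They assume the file holds "name=value" lines with "#" comment lines; the function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example, not HP tooling. Assumes ldapux_client.conf holds
# "name=value" lines and that lines starting with "#" are comments.

# Print the effective enable_dynamic_getgroupsbymember value for file $1.
# Absent parameter -> 1 (documented default). A value other than 0/1, or two
# active lines that disagree, prints "invalid" and returns 2.
dyn_groups_setting() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        /^[ \t]*enable_dynamic_getgroupsbymember[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)              # strip "name ="
            sub(/[ \t]+$/, "", v)                    # strip trailing blanks
            if (v != "0" && v != "1") { bad = 1 }    # only 0 and 1 are valid
            else if (seen && v != val) { bad = 1 }   # conflicting duplicates
            else { val = v; seen = 1 }
        }
        END {
            if (bad) { print "invalid"; exit 2 }
            print (seen ? val : 1)
        }
    ' "$1"
}

# Describe what the setting means for group membership at login.
dyn_groups_report() {
    s=$(dyn_groups_setting "$1") || { echo "$1: invalid setting"; return 2; }
    if [ "$s" = "0" ]; then
        echo "$1: dynamic groups NOT returned at login (newgrp required)"
    else
        echo "$1: dynamic groups returned at login (login may slow down)"
    fi
}

# Constructed sample file (not a real configuration).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
#enable_dynamic_getgroupsbymember=1
enable_dynamic_getgroupsbymember = 0
EOF
}

sample=${TMPDIR:-/tmp}/ldapux_client.sample.$$
write_sample_conf "$sample"
dyn_groups_report "$sample"
rm -f "$sample"
```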