LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
6.6 Performance impact for dynamic groups
A dynamic group is specified by either an LDAP URL or a search filter. Depending on
how you configure dynamic groups, resolving them can require many LDAP searches. In that case,
the performance of applications that call getgrnam(), getgrgid(), or getgrent() (for
example, the commands id, groups, and so forth) will be affected. For more information about
these functions, see their manpages (getgrnam(3), getgrgid(3), getgrent(3)).
To reduce the performance impact, the LDAP-UX client daemon (ldapclientd) caches dynamic
group information, including the dynamic members that belong to a specific group and the dynamic
groups that a specific user belongs to. Caching reduces the time ldapclientd takes to return
this information. However, before the cache is established (that is, at the very first request) or
when the cache expires, you might experience longer response times. For more information about
dynamic group caching, see Section 6.7 (page 181).
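To observe the first-request and cached response times described above, the following added example (not part of the HP guide) times repeated getgrnam() calls for one group and counts the members returned. The group name "users" is a placeholder, and the code assumes a POSIX clock_gettime() with CLOCK_MONOTONIC.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose clock_gettime() under strict -std */
#endif
#include <grp.h>
#include <stdio.h>
#include <time.h>

/* Outcome of one timed getgrnam() call. */
struct lookup_result {
    int found;      /* 1 if the group resolved, 0 otherwise */
    int members;    /* number of entries in gr_mem (static and dynamic) */
    double millis;  /* elapsed time of the call in milliseconds */
};

/* Time a single getgrnam() lookup and count the members it returns. */
struct lookup_result time_group_lookup(const char *name)
{
    struct lookup_result r = {0, 0, 0.0};
    struct timespec t0, t1;
    struct group *gr;
    char **m;

    clock_gettime(CLOCK_MONOTONIC, &t0);
    gr = getgrnam(name);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    r.millis = (t1.tv_sec - t0.tv_sec) * 1000.0
             + (t1.tv_nsec - t0.tv_nsec) / 1e6;
    if (gr != NULL) {
        r.found = 1;
        for (m = gr->gr_mem; m != NULL && *m != NULL; m++)
            r.members++;
    }
    return r;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "users"; /* placeholder group */
    int i;

    /* Lookup 1 may populate the cache; lookups 2 and 3 should be served from it. */
    for (i = 1; i <= 3; i++) {
        struct lookup_result r = time_group_lookup(name);
        printf("lookup %d: %s, %d members, %.3f ms\n", i,
               r.found ? "found" : "not found", r.members, r.millis);
    }
    return 0;
}
```

Run it against a dynamic group once after the cache has expired and again immediately afterwards; a large gap between the first and later lookups is the cache-miss cost that users see.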
6.6.1 Enabling and disabling enable_dynamic_getgroupsbymember
Processing the dynamic groups that a specific user belongs to can increase the user's login
time. To control whether this processing takes place, LDAP-UX
Client Services supports the enable_dynamic_getgroupsbymember configuration parameter
in the /etc/opt/ldapux/ldapux_client.conf file.
This integer variable controls whether to enable or disable processing dynamic groups that a
specific user belongs to. The valid values of this option are 1 and 0.
By default, LDAP-UX returns the dynamic groups to which a user belongs if the group attribute,
memberUid, is mapped to memberURL or nxSearchFilter (in an HP directory server
environment) or msDS-AzLDAPQuery (in a Windows ADS environment). A user who belongs to
many dynamic groups might experience an unexpected delay when logging into an HP-UX client
system. You can reduce the delay by preventing LDAP-UX from returning the dynamic groups that a
specific user belongs to unless the user specifically uses the newgrp command. As a result, the
user will not be granted access through those dynamic groups, and the id command will not show
those groups. To stop LDAP-UX from returning dynamic groups for all users, set
enable_dynamic_getgroupsbymember to 0. The default value is 1, which enables returning
dynamic groups.
NOTE: When the enable_dynamic_getgroupsbymember variable is set to 0, LDAP-UX still
returns dynamic members for a specific group. If you do not want any dynamic members returned,
you must not include the memberURL and nxSearchFilter attributes or the msDS-AzLDAPQuery
attribute in the memberUid group attribute mapping. This completely disables the LDAP-UX dynamic
group functionality.
6.7 Configuring dynamic group caches
To improve performance of dynamic groups, the LDAP client daemon ldapclientd caches
dynamic group members to reduce the LDAP-UX client response time while retrieving dynamic
group information. This cache is maintained in an independent memory space not shared with the
cache for other service data.
To configure dynamic group caches, set the parameters defined in the [dynamic_group] section
of the /etc/opt/ldapux/ldapclientd.conf file. For more information, see Section 7.1.3
(page 184).