An inverted static group stores its group distinguished name (DN) in the user entries of its members, unlike a traditional static group, which stores the DNs of its members in a member attribute (or uniqueMember attribute) belonging to the group entry.
Inverted static groups address some of the challenges that can accompany traditional static groups, including:
- Scalability
  - Large traditional static groups mean that you have a large number of members and a corresponding large number of values for the member attribute.
  - Those large entries are expensive to update, because the server has to rewrite the entire entry for a single change.
  - Large entries also require more garbage collection in the database, which puts more pressure on the cleaner.
- Nesting
  - Traditional static groups can include other groups, and the members of those groups are considered nested members of the outer group. This makes it more complicated to determine whether a user is a member of a group, and the server has to maintain a cache of traditional static group membership to be able to do this quickly, at the cost of additional memory usage.
  - The server must do extra processing for changes to group membership, which can be computationally expensive operations.
Why use inverted static groups?
Using inverted static groups enables you to update membership in groups by updating the user entry instead of the group entry. Assuming that individual users aren’t members of a large number of groups, you can make these updates without the same loss in performance that you might experience when updating large traditional static groups. For example, adding a user to a group with a million members is as fast as adding a user to a group with a couple of members.
If a user is a member of a large number of inverted static groups, then maintaining a large list of inverted static group memberships in the user's entry could become expensive in the same way as maintaining a large member list for a traditional static group.
To achieve the best performance in an environment that contains a large number of groups, and that has some large groups and some users that are members of many groups, consider using a mix of traditional and inverted static groups. Use the inverted static groups for groups that have a large number of members and traditional static groups for groups with a small number of members.
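The trade-off described above can be made concrete with a small model. This is an added example, not PingDirectory code: it treats the write cost of a membership change as the size of the entry that has to be rewritten, and the attribute name exampleInvertedGroupDN and all sample DNs are made up for the model.

```python
# Added illustration: a toy in-memory model, not PingDirectory code.
# Assumption (from the page): any change rewrites the whole entry, so the
# write cost of a change is modeled as the encoded size of that entry.
# INVERTED_ATTR is a made-up attribute name used only by this model.
INVERTED_ATTR = "exampleInvertedGroupDN"
GROUP_DN = "cn=target,ou=Groups,dc=example,dc=com"  # constructed sample DN

def entry_size(entry):
    """Bytes needed to write every 'attr: value' line of the entry."""
    return sum(len(f"{attr}: {value}\n".encode())
               for attr, values in entry.items() for value in values)

def user_dn(i):
    return f"uid=user.{i},ou=People,dc=example,dc=com"

def add_member_traditional(group, member_dn):
    """Traditional layout: the member DN lands in the group entry."""
    group["member"].append(member_dn)
    return entry_size(group)  # the whole group entry is rewritten

def add_member_inverted(user, group_dn):
    """Inverted layout: the group DN lands in the member's user entry."""
    user.setdefault(INVERTED_ATTR, []).append(group_dn)
    return entry_size(user)  # only this user's entry is rewritten

def compare(group_members, user_groups):
    """Cost in bytes of one membership add as (traditional, inverted).

    group_members: members already in the target group
    user_groups:   inverted groups the user already belongs to
    """
    group = {"cn": ["target"],
             "member": [user_dn(i) for i in range(group_members)]}
    user = {"uid": ["user.new"],
            INVERTED_ATTR: [f"cn=g{i},ou=Groups,dc=example,dc=com"
                            for i in range(user_groups)]}
    return (add_member_traditional(group, user_dn(group_members)),
            add_member_inverted(user, GROUP_DN))

def cheaper_layout(group_members, user_groups):
    traditional, inverted = compare(group_members, user_groups)
    return "inverted" if inverted < traditional else "traditional"

if __name__ == "__main__":
    # Small group, large group, and a user who is already in many groups.
    for members, groups in [(2, 3), (100_000, 3), (5, 5_000)]:
        traditional, inverted = compare(members, groups)
        print(f"{members:>7} members, {groups:>5} user groups: "
              f"traditional={traditional} B, inverted={inverted} B")
```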
Additionally, nested inverted static groups are designed to eliminate the need for caching of inverted static group members, reducing memory pressure and improving server performance. For more information, see Using nesting with inverted static groups.