oCIS embedded LDAP server, how far can it go?


Thank you for the great product.

I was able to successfully install the latest version of oCIS, and now I’m looking to learn more about the technical aspects. Specifically, I have some questions about the IDP/IDM services.

I noticed in the documentation that the embedded LDAP, which is based on LibreGraph Identity Management, is primarily intended for smaller installations. I’m curious to know more about the limitations of this implementation. Are there limitations in terms of the number of users and groups, or in terms of I/O? If so, what is the estimated limit for each?

Additionally, could you recommend any alternative products to replace that part?

Thank you.

Hi, thanks for your interest in ownCloud Infinite Scale.

There is not an explicit limitation in the code of the internal IDM, and it will be fine for production setups as well, as long the hardware is capable and the feature set is ok. We are not planning to extend it endlessly to not reinvent the wheel, there are great solutions available that can be used instead.

However, keep in mind that the way how Infinite Scale is deployed might require a different IDM/IDP. That is documented here: Deployment Considerations :: ownCloud Documentation


As @dragotin already stated the builtin LDAP server does not have any hardcoded limits in terms or number of users or groups. As also stated in the docs It obviously has some implementation related limitations. E.g. it is not really fully standards compliant. It really only supports what we needed in oCIS.

Performance wise the biggest limitation currently is, that it does not support good indexing for attribute values. So user/group lookups will become slow when there are too many objects in the database.

Also the service does not provide any means to set it up in a HA fashion (not replication or support for shared storage).

I don’t have any strong numbers to support this but I’d expect it to perform well enough for small setups with up to a hundred (maybe more) user/groups.

As soon as you have stricter requirements on availability or want to scale out I’d recommend switching to a “real” LDAP server. OpenLDAP does seem to be one of the obvious choices for that (I might be a bit biased here). An OpenLDAP based setup is part of our deployment examples: Container Orchestration :: ownCloud Documentation


@dragotin @rhaferkamp thank you for your answers :+1:
Considering that we need to accommodate several thousand groups, it would be safer to opt for an installation that uses a “real” LDAP server.

1 Like

Oh yes, absolutely.

For help, you can call in to owncloud.com


1 Like