What kind of load will PaperCut put on my directory server?


PaperCut makes use of directory servers such as Active Directory, eDirectory, Open Directory and other LDAP and similar systems to retrieve information about users and groups. This enables single entry of your user and group information and efficient re-use of your existing IT infrastructure for printing purposes. It is common for PaperCut to be deployed on sites with domains containing hundreds of thousands of users.

The following sections cover the different kinds of requests PaperCut makes to directory servers, and how they are handled efficiently.

Groups

The number of groups in a domain can vary significantly - from several to several hundred thousand. Rather than track all groups in the domain, PaperCut asks the administrator which groups are relevant to printing and tracks only those. When the administrator is selecting a group PaperCut will fetch a list of all groups in the domain. Once the relevant groups are selected PaperCut can simply use its internal (cached) list of groups and does not need to fetch them from the domain.

Group memberships are used to determine things like access control, print quota entitlements and reporting.

Caching Groups

Many of the operations outlined above, such as reporting, can occur at any time of the day. Group membership lookups can be quite intensive because a group can contain many users, and for this reason group membership is cached locally in the PaperCut database. Group memberships are relatively static in most organizations, but they can change (for example, a student is added to a group on becoming a teacher assistant so as to gain additional printing privileges), and for this reason group membership is regularly updated.

Group membership information is fetched:

  • overnight, during the automatic “user/group sync” (at 12:55am)
  • when an administrator manually initiates a full user/group sync, or when the equivalent API is called
  • when a new user is created “on-demand” (special case when a user prints before a full sync has taken place)

Group Membership Sync in Detail

Fetching group membership information involves one or more calls per group that has been added to PaperCut (with LDAP the results are batched into groups of 500, so groups with more members than this will take multiple calls to complete). The queries to fetch group memberships are performed with best-practice AD/LDAP searches and batching behavior to minimize network round-trips, connection overhead and server load. The same LDAP practices are used across all LDAP directory server types, including eDirectory and Open Directory.
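To estimate what a sync costs the directory, the batching described above can be modelled as a paged search loop. This is an added example, not PaperCut code: the in-memory directory, the group names and the integer cookie are constructed assumptions (a real server returns an opaque paging cookie); only the batch size of 500 comes from this article.

```python
PAGE_SIZE = 500  # batch size stated in the article


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (not a real API)."""

    def __init__(self, groups):
        self.groups = groups      # group name -> list of member names
        self.calls = 0            # search requests received

    def search_page(self, group, cookie, size):
        """Return (members, next_cookie); next_cookie is None on the last page."""
        self.calls += 1
        members = self.groups[group]
        page = members[cookie:cookie + size]
        nxt = cookie + size
        return page, (nxt if nxt < len(members) else None)


def fetch_members(directory, group, size=PAGE_SIZE):
    """Fetch one group's full membership, one page per round trip."""
    members, cookie = [], 0
    while cookie is not None:
        page, cookie = directory.search_page(group, cookie, size)
        members.extend(page)
    return members


def sync_cost(directory, tracked_groups):
    """Sync only the tracked groups; return {group: (member_count, calls)}."""
    cost = {}
    for group in tracked_groups:
        before = directory.calls
        members = fetch_members(directory, group)
        cost[group] = (len(members), directory.calls - before)
    return cost


# Constructed sample domain: three groups tracked, one never queried.
SAMPLE = FakeDirectory({
    "students": [f"s{i}" for i in range(1201)],
    "staff": [f"t{i}" for i in range(500)],
    "empty": [],
    "untracked": [f"u{i}" for i in range(90000)],
})

if __name__ == "__main__":
    for name, (count, calls) in sync_cost(SAMPLE, ["students", "staff", "empty"]).items():
        print(f"{name}: {count} members, {calls} search calls")
```

A group of exactly 500 members completes in one call, and an empty group still costs one call, so the per-sync request count is driven by the number of tracked groups as much as by their size.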

User Details

This category includes several user-specific fields such as full name, email address, office and department.

Similarly to group membership, this information is used in reporting and is relatively static. For this reason PaperCut will cache user details in its database and also regularly update them from the user directory. The same efficient sync and caching behavior used for group membership updates is used here.

User details are fetched:

  • overnight, during the automatic “user/group sync” (at 12:55am)
  • when an administrator manually initiates a full user/group sync, or when the equivalent API is called
  • when a new user is created “on-demand” (special case when a user prints before a full sync has taken place)

Authentication

User authentications can include logging into the user or admin web interfaces, logging into a release station or MFP, or authenticating a print job (pop-up authentication). In line with industry best practice, PaperCut never caches passwords, and authentication is performed via the directory server in real time.

PaperCut will make real-time calls to the user directory to perform user authentication. The technologies used are:

  • AD: SSP Logon
  • LDAP: Simple BIND followed by an LDAP user record lookup (to confirm the user exists in the directory)

Other

  • Active Directory is accessed using native Windows APIs (rather than a plain LDAP connection). This ensures all communication with Active Directory is secured via default configuration.
  • LDAP connections can be secured using LDAPS (TLS/SSL encryption).
  • PaperCut has been in production use integrating with enterprise directory services since 2004. It has been extremely rare for PaperCut’s synchronization process to cause any adverse network or directory server performance.
  • PaperCut does not enumerate AD print objects when performing a user/group sync.
  • All directory searches have been carefully crafted to support AD forests. PaperCut will not automatically traverse into other related domains unless explicitly configured.

Categories: Administration, Architecture, Domains / Directories, Implementation / Deployment, Networking, Performance and Optimization


Keywords: stress, OpenLDAP


Article last modified on November 19, 2012, at 06:49 AM