
ACL processing very slow (ITS#997)



Full_Name: Zdenek Pavlas
Version: 2.0.7
OS: Debian Linux, 2.2.15 kernel, libc6 2.2.1-1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.149.103.141)


Hello,

We run a server handling some 60k records. The performance used to be fine until
I had to refine access rights. A simple '-b foo -s one objectClass=*' search
returning <300 entries now takes almost a minute when bound as a user. The exact
same search finishes almost immediately when bound as admin.

I don't think the ACL complexity accounts for the slowdown. I use no
more than 10 'access to dn=.*,<literal> [attr=list]' clauses, each with some 3-6
'by group=<literal> read/write' rules.

Since the group membership is evaluated just once at bind time, the only
somewhat expensive thing left is matching each of the 300 candidate DNs to (at
most) 10 regexps, but I believe this may not be an issue.

Is there something wrong with my slapd.conf? I need to control access to
different subtrees and, in addition, to handle some attributes differently.

ing. Zdenek Pavlas
Developer, Nextra CZ
zdenek.pavlas@nextra.com
+420-5-43554-170
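
Added example (not part of the report and not OpenLDAP code): a small model of first-match ACL evaluation over the rule shape described above, counting the regex and group comparisons that one 300-entry search costs. Assumptions: the suffix, subtree and group names are constructed placeholders, access is checked once per requested attribute of each entry, group membership is a precomputed set, and Python's `re` stands in for slapd's regex matching.

```python
import re
import time

SUFFIX = "dc=example,dc=com"   # placeholder suffix (assumption)

# Ten constructed clauses shaped like the report's
# 'access to dn=.*,<literal> [attr=list]' + 'by group=<literal> read/write'.
# Odd-numbered clauses carry an attr list; even ones cover all attributes.
ACLS = [
    (re.compile(r".*,ou=unit%d,%s$" % (i, re.escape(SUFFIX))),
     {"userPassword"} if i % 2 else None,
     [("cn=admins%d,%s" % (i, SUFFIX), "write"),
      ("cn=staff%d,%s" % (i, SUFFIX), "read")])
    for i in range(10)
]

def access_level(dn, attr, bound_groups, counter):
    """First matching 'access to' clause wins, then first matching 'by' rule."""
    for dn_re, attrs, by_rules in ACLS:
        if attrs is not None and attr not in attrs:
            continue                       # attr list excludes this clause
        counter["regex"] += 1
        if dn_re.match(dn):
            for group, level in by_rules:
                counter["group"] += 1
                if group in bound_groups:  # membership resolved beforehand
                    return level
            return "none"
    return "none"

def evaluate_search(entries, attrs, bound_groups):
    """Check every requested attribute of every candidate entry."""
    counter = {"regex": 0, "group": 0}
    start = time.perf_counter()
    levels = {(dn, a): access_level(dn, a, bound_groups, counter)
              for dn in entries for a in attrs}
    counter["seconds"] = time.perf_counter() - start
    return levels, counter

# 300 constructed candidate DNs spread over the ten subtrees.
ENTRIES = ["cn=user%d,ou=unit%d,%s" % (n, n % 10, SUFFIX) for n in range(300)]

if __name__ == "__main__":
    _, stats = evaluate_search(ENTRIES, ["cn", "userPassword"],
                               {"cn=staff3," + SUFFIX})
    print(stats)
```

The counters give the comparison totals for one search in this model; they can be set against the wall-clock time of the same search on the real server, bound as user and as admin.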