
Re: access control with dn=*. gives bad performance



Wed, 2002-11-20 at 13:23, Hul van den, G (Gerrit) wrote:

> I've added extra rules in my access control list, for example:
> 	access to dn=".*,bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid"
> 		by dn="cn=updater,bankcode=$1,ou=lb,o=rabobank,c=nl" write
> 		by dn="cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl" write
> 		by * read
> to get write access to the 'roleid' attribute by 'sysbeheer'.
> This results in a bad performance.

> I've changed the rules (removed the .* after dn=):
> 	access to dn="bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid"
> 		by dn="cn=updater,bankcode=$1,ou=lb,o=rabobank,c=nl" write
> 		by dn="cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl" write
> 		by * read
> The performance is nearly back to the old level and I've write access to
> all the sublevels of bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid.

> This is what I want, but I don't understand why I have write access to the
> sublevels? 

It has been written by those who know, in this group, that both syslog
and use of regexes take an enormous toll on performance. How you can
best avoid the regexes in certain situations was described by Kurt Z. on
the 11th November last.

Also bear in mind, that later versions (like 2.1.x and greater with BDB
4.x) of OpenLDAP can give added advantages, if not performance.

Best,

Tonni

-- 

Tony Earnshaw

I *know* what Rabobank is and that it is gradually taking Linux
more to heart. Nevertheless, with this kind of attempt, I am
glad that ING is "my bank" :-)


e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
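
The sublevel question in the quoted message can be reproduced outside slapd. This is an added example, not part of the original thread and not OpenLDAP code: it assumes the `dn=` target is applied as an unanchored regular-expression search (approximated here with Python's `re.search`), and the `ANCHORED` pattern, the helper names and the sample DNs are constructed for illustration.

```python
import re

# The poster's second target pattern, and an anchored variant (assumption, for contrast).
LOOSE = r"bankcode=(.*),ou=lb,o=rabobank,c=nl"
ANCHORED = r"^bankcode=([^,]+),ou=lb,o=rabobank,c=nl$"

# The <who> clauses of the rule, in order; $1 is the first capture of the target match.
BY = [
    ("cn=updater,bankcode=$1,ou=lb,o=rabobank,c=nl", "write"),
    ("cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl", "write"),
    ("*", "read"),
]

# Constructed sample DNs.
ENTRY = "cn=role1,bankcode=1234,ou=lb,o=rabobank,c=nl"      # a sublevel entry
UPDATER = "cn=updater,bankcode=1234,ou=lb,o=rabobank,c=nl"  # the branch's updater

def target_groups(pattern, dn):
    """Unanchored search of the target DN; None means the rule is skipped."""
    m = re.search(pattern, dn, re.IGNORECASE)
    return m.groups() if m else None

def access(pattern, target_dn, who_dn):
    """Level this one rule grants who_dn on target_dn, or None if it does not apply."""
    groups = target_groups(pattern, target_dn)
    if groups is None:
        return None
    for who, level in BY:
        if who == "*":
            return level
        # Substitute $1..$9 with the captured text from the target match.
        expanded = re.sub(r"\$(\d)", lambda m: groups[int(m.group(1)) - 1], who)
        # Simplification: compare the expanded <who> for equality, not as a regex.
        if expanded.lower() == who_dn.lower():
            return level
    return None

if __name__ == "__main__":
    print(access(LOOSE, ENTRY, UPDATER))     # the sublevel entry matches the rule
    print(access(ANCHORED, ENTRY, UPDATER))  # the anchored pattern skips it
    print(target_groups(LOOSE, "bankcode=1234,ou=archive,ou=lb,o=rabobank,c=nl"))
```

Without a leading `^` the pattern matches anywhere inside the DN, so every entry below a `bankcode=` branch falls under the rule, and `(.*)` can capture more than one RDN where `([^,]+)` cannot.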