Re: Question about ldap filter



mmm, I'm planning to build something like this in /etc/saslauthd.conf:

(&(mail=%U@%d)(|(&(objectClass=VirtualMailaccount)(accountActive=TRUE))(objectClass=VirtualMailAlias)))

that tries to locate two kinds of entries:

1. mail=user@domain,vd=domain,o=hosting,dc=myldap,dc=com
(VirtualMailAccount)

2. cn=postmaster,vd=domain,o=hosting,dc=myldap,dc=com
(VirtualMailAlias)

There could be hundreds or maybe thousands of entries of type (1), but
only 1 entry of type (2).
The filter shown above is used to authenticate users through saslauthd.
So 95% of the time users authenticate using type (1), but sometimes I would
need to authenticate as 'postmaster' using type (2).

I was worried about performance because I'm using
(objectClass=VirtualMailAlias) with OR just for a unique account in my
domain.

Would I get much better performance if I remove
(objectClass=VirtualMailAlias) from the filter?
Do you believe that the performance impact will be big?



Hallvard B Furuseth wrote:
> Jason Voorhees writes:
>> Thanks. That allows me to build complex filters using OR logic without
>> being worried about performance.
> 
> Sorry, no.  First slapd must locate all entries to compare with the
> filter.  For that it uses indexes.  First it uses the DN index, to find
> just the entry IDs of just entries in the search scope.
> 
> Then if all the ORed components are indexed, it can narrow this list
> further down by only checking entries that match one of the filter
> components.  OTOH if one of the ORed components is not indexed, slapd
> cannot narrow down the entry candidate list further.
> 
> Finally it checks each candidate entry against the filter.  When
> checking an entry, slapd can indeed stop the first time an OR yields
> TRUE.  Or the first time an AND yields not-TRUE (FALSE or Undefined).
>
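
A toy model of the candidate selection described in the quoted reply, applied to the filter from the post. This is an added example, not part of the original thread and not OpenLDAP code; the 1001 entries, the example.com addresses and the assumption that the alias entry carries a mail value are constructed for illustration.

```python
# Toy model of slapd candidate selection (search scope is ignored).
# All entries below are constructed sample data.
ENTRIES = {}
for i in range(1000):  # type (1) entries; every 10th account is inactive
    ENTRIES[i] = {"mail": f"user{i}@example.com",
                  "objectClass": "VirtualMailAccount",
                  "accountActive": "FALSE" if i % 10 == 0 else "TRUE"}
# type (2) entry; assumed to carry a mail value so the filter can match it
ENTRIES[1000] = {"mail": "postmaster@example.com",
                 "objectClass": "VirtualMailAlias"}

def auth_filter(mail):
    """The filter from the post with %U@%d already substituted."""
    return ("&", ("=", "mail", mail),
            ("|", ("&", ("=", "objectClass", "VirtualMailAccount"),
                        ("=", "accountActive", "TRUE")),
                  ("=", "objectClass", "VirtualMailAlias")))

def build_indexes(indexed_attrs):
    """Equality index: attribute -> value -> set of entry IDs."""
    idx = {a: {} for a in indexed_attrs}
    for eid, entry in ENTRIES.items():
        for a in indexed_attrs:
            if a in entry:
                idx[a].setdefault(entry[a], set()).add(eid)
    return idx

def candidates(f, idx):
    """IDs that must be checked; an unindexed term cannot narrow the list."""
    if f[0] == "=":
        _, attr, value = f
        return set(idx[attr].get(value, set())) if attr in idx else set(ENTRIES)
    parts = [candidates(sub, idx) for sub in f[1:]]
    return set.intersection(*parts) if f[0] == "&" else set.union(*parts)

def matches(f, entry):
    """Per-entry check; all()/any() stop at the first deciding component."""
    if f[0] == "=":
        return entry.get(f[1]) == f[2]
    test = all if f[0] == "&" else any
    return test(matches(sub, entry) for sub in f[1:])

def search(mail, indexed_attrs):
    """Return (matching IDs, number of candidate entries examined)."""
    f = auth_filter(mail)
    cand = candidates(f, build_indexes(indexed_attrs))
    return sorted(e for e in cand if matches(f, ENTRIES[e])), len(cand)
```

In this model an equality index on mail reduces the candidate list to one entry whether or not the OR branch is indexed, while leaving mail unindexed forces a check of every entry the OR branch lets through.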