
Re: Question about ldap filter



Jason Voorhees writes:
> mmm, I'm planning to build something like this in /etc/saslauthd.conf:
> 
> (&(mail=%U@%d)(|(&(objectClass=VirtualMailaccount)(accountActive=TRUE))(objectClass=VirtualMailAlias)))

I don't know saslauthd, but: Will (mail=%U@%d) match at most one entry?
Then if you have an 'eq' index for 'mail', slapd won't need to compare
more than one entry with the filter.  Since the 'or' filter is inside
the 'and', it won't be a problem in this respect.

> that tries to locate two kinds of entries:
> 
> 1. mail=user@domain,vd=domain,o=hosting,dc=myldap,dc=com
> (VirtualMailAccount)

If you do a baseobject search at that baseDN, that's also just
one entry to examine.

> 2. cn=postmaster,vd=domain,o=hosting,dc=myldap,dc=com
> (VirtualMailAlias)
> 
> There could be hundreds or maybe thousands of entries of type (1), but
> only 1 entry of type (2).

If mail is indexed, that's fine.

> The filter shown above is used to authenticate users through saslauthd.
> So 95% of the time users authenticate using type (1), but sometimes I would
> need to authenticate as 'postmaster' using type (2).
> 
> I was worried about performance because of using
> (objectClass=VirtualMailAlias) with OR just for a unique account in my
> domain.
> 
> Would I get much better performance if I remove
> (objectClass=VirtualMailAlias) from the filter?
> Do you believe that the performance impact will be big?

No, not much.

-- 
Hallvard
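
A simplified model of the indexing point made in the reply above, added here as an example; it is not part of the original message and not slapd's implementation. It assumes a constructed directory under `vd=example.com`, an alias entry that also carries a `mail` value, and an equality index on `mail` only; `search` returns the matching DNs and the number of entries that had to be tested against the full filter.

```python
# Simplified model of index-driven search; not slapd's implementation.
# Filters are tuples: ("and"|"or", sub, ...) or ("eq", attr, value).
BASE = "vd=example.com,o=hosting,dc=myldap,dc=com"   # constructed sample tree

def sample_directory(n_accounts=1000):
    entries = {}
    for i in range(n_accounts):
        mail = f"user{i}@example.com"
        entries[f"mail={mail},{BASE}"] = {
            "mail": [mail], "objectClass": ["VirtualMailAccount"],
            "accountActive": ["FALSE" if i == 7 else "TRUE"]}
    # Assumption: the alias entry has a mail value, so mail=%U@%d can match it.
    entries[f"cn=postmaster,{BASE}"] = {
        "mail": ["postmaster@example.com"], "objectClass": ["VirtualMailAlias"]}
    return entries

def eq_index(entries, attr):
    index = {}
    for dn, attrs in entries.items():
        for value in attrs.get(attr, []):
            index.setdefault(value.lower(), set()).add(dn)
    return index

def candidates(flt, indexes, all_dns):
    """Entries the server must fetch and test, judged from indexes alone."""
    if flt[0] == "eq":
        _, attr, value = flt
        if attr in indexes:
            return set(indexes[attr].get(value.lower(), ()))
        return set(all_dns)              # no index: every entry is a candidate
    sets = [candidates(sub, indexes, all_dns) for sub in flt[1:]]
    return set.intersection(*sets) if flt[0] == "and" else set.union(*sets)

def matches(flt, attrs):
    if flt[0] == "eq":
        _, attr, value = flt
        return value.lower() in (v.lower() for v in attrs.get(attr, []))
    results = [matches(sub, attrs) for sub in flt[1:]]
    return all(results) if flt[0] == "and" else any(results)

def auth_filter(user, domain):
    """The filter from the question, with %U and %d already substituted."""
    return ("and", ("eq", "mail", f"{user}@{domain}"),
            ("or", ("and", ("eq", "objectClass", "VirtualMailAccount"),
                           ("eq", "accountActive", "TRUE")),
                   ("eq", "objectClass", "VirtualMailAlias")))

def search(flt, entries, indexes):
    cand = candidates(flt, indexes, entries)
    return sorted(dn for dn in cand if matches(flt, entries[dn])), len(cand)
```

With the `mail` index the unindexed 'or' branch contributes every entry as a candidate, but the intersection with the `mail` term leaves one entry to test; without the index the same filter has to be tested against all 1001 entries.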