
Re: Question about ldap filter



Hallvard B Furuseth wrote:
> Jason Voorhees writes:
>> mmm, I'm planning to build something like this in /etc/saslauthd.conf:
>>
>> (&(mail=%U@%d)(|(&(objectClass=VirtualMailaccount)(accountActive=TRUE))(objectClass=VirtualMailAlias)))
> 
> I don't know saslauthd, but: Will (mail=%U@%d) match at most one entry?

Yes, it always matches only one entry per search operation.

> Then if you have an 'eq' index for 'mail', slapd won't need to compare
> more than one entry with the filter.  Since the 'or' filter is inside
> the 'and', it won't be a problem in this respect.
> 
Yes, I maintain an 'eq' index for 'mail' attributes.

>> that tries to locate two kinds of entries:
>>
>> 1. mail=user@domain,vd=domain,o=hosting,dc=myldap,dc=com
>> (VirtualMailAccount)
> 
> If you do a baseobject search at that baseDN, that's also just
> one entry to examine.
> 
>> 2. cn=postmaster,vd=domain,o=hosting,dc=myldap,dc=com
>> (VirtualMailAlias)
>>
>> There could be hundreds or maybe thousands of entries of type (1), but
>> only 1 entry of type (2).
> 
> If mail is indexed, that's fine.
> 
>> The filter shown above is used to authenticate users through saslauthd.
>> So 95% of the time users authenticate using type (1), but sometimes I would
>> need to authenticate as 'postmaster' using type (2).
>>
>> I was worried about performance because of using
>> (objectClass=VirtualMailAlias) with OR just for a unique account in my
>> domain.
>>
>> Would I get much better performance if I remove
>> (objectClass=VirtualMailAlias) from the filter?
>> Do you believe that the performance impact will be big?
> 
> No, not much.
> 

Thanks a lot Hallvard, bytes! :)
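
The point made in the replies above, that an 'eq' index on 'mail' narrows the search to one candidate before the rest of the filter is compared, shown as a simplified model. This is an added example, not part of the original thread and not slapd's code; the example.com entries, the mail value on the postmaster alias, and all function names are constructed for illustration.

```python
# Simplified model of indexed filter evaluation; not slapd's implementation.
# All entries are constructed sample data.
BASE = "vd=example.com,o=hosting,dc=myldap,dc=com"

def build_directory(n_accounts):
    """n_accounts VirtualMailAccount entries (user0 inactive) plus one alias."""
    entries = [{
        "dn": f"mail=user{i}@example.com,{BASE}",
        "mail": f"user{i}@example.com",
        "objectClass": "VirtualMailAccount",
        "accountActive": "FALSE" if i == 0 else "TRUE",
    } for i in range(n_accounts)]
    # Assumption: the alias entry also carries a mail value, so (mail=%U@%d) can match it.
    entries.append({"dn": f"cn=postmaster,{BASE}", "mail": "postmaster@example.com",
                    "objectClass": "VirtualMailAlias"})
    return entries

def build_eq_index(entries, attr):
    """Equality index: normalized attribute value -> entries holding it."""
    index = {}
    for e in entries:
        index.setdefault(e[attr].lower(), []).append(e)
    return index

def matches_filter(entry, mail):
    """(&(mail=...)(|(&(objectClass=VirtualMailAccount)(accountActive=TRUE))
                     (objectClass=VirtualMailAlias)))"""
    oc = entry["objectClass"].lower()
    active_account = oc == "virtualmailaccount" and entry.get("accountActive") == "TRUE"
    return entry["mail"].lower() == mail.lower() and (active_account or oc == "virtualmailalias")

def search(entries, mail, mail_index=None):
    """Return (matching DNs, number of entries compared with the full filter)."""
    # With an index the candidate set is whatever the (mail=...) lookup returns;
    # without one, every entry in scope has to be compared.
    candidates = entries if mail_index is None else mail_index.get(mail.lower(), [])
    hits = [e["dn"] for e in candidates if matches_filter(e, mail)]
    return hits, len(candidates)

if __name__ == "__main__":
    directory = build_directory(5000)
    idx = build_eq_index(directory, "mail")
    for who in ("user42@example.com", "postmaster@example.com", "user0@example.com"):
        print(who, "indexed:", search(directory, who, idx), "unindexed compared:",
              search(directory, who)[1])
```

With the index, one entry is compared whether the login is an account or the postmaster alias, so the extra OR branch costs one more test on that single candidate; the inactive user0 is still rejected.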