[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL processing performance
Christian Manal <moenoel@informatik.uni-bremen.de> writes:
> Hi,
>
> I've got a question regarding ACLs and their processing performance.
>
> I use the NIS-schema to store userinformation and the likes in
> OpenLDAP (using the maps passwd, group, services, ethers, hosts,
> automount stuff etc.) plus samba-schema plus some self defined stuff.
>
> I have ACLs defined for some special attributes, like userPassword, and
> for each OU (People, Groups, ...).
>
> If I start multiple searches without a filter (so everythin accessible
> will be displayed) anonymously or with some user, I can get the CPU load
> of my servers up to 80-90%. It's definitely the ACLs, since I have no
> problems when using the rootDN or if I reduce the ACLs.
>
> What I'd like to know now is, what is so damn expensive in my ACLs and
> how I could reduce the cost without lessening the access restrictions...
>
>
> OpenLDAP version is 2.4.17 using back-hdb with BDB 4.4 from opencsw
> respository on Solaris 10 (SunOS 5.10 Generic_139556-08). There are
> around 30k entries in my database. I have one master and four slaves
> using delta-syncrepl for replication.
>
>
> Configuration files can be found here:
>
> http://www.informatik.uni-bremen.de/~moenoel/ldap/
You make use of sets quite heavily, regular expressions always require
plenty of resources.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E