
RE: Performance considerations in a possible LDAP ACM implementation



I agree with you, Bruce.

However, what I am attempting to point out is that:
1. The model proposed in the ID is very complex. Maybe one can look at
simplifying it (probably by pushing some of the MUST clauses to OPTIONAL
ones).

2. Most commercial directory servers use highly proprietary techniques for
storing ACLs (e.g. bitmaps, etc.), and employ decision algorithms that give
very quick results. But when we are standardizing the ACL structures as they
are in the ID, I would imagine that it would cause a significant overhead.
Am I missing something?
An analogy, which may not be a very sound one, is the significant drop in
performance that we observe when we use LDAP to access the directory, vs. a
proprietary protocol/client such as the DClient in case of NDS (Novell DS).
But I guess that is a futile and endless debate...

_Puru


-----Original Message-----
From: Bruce Greenblatt [mailto:bgreenblatt@directory-applications.com]
Sent: Thursday, August 09, 2001 7:54 PM
To: Purushottam Goel; ietf-ldapext@netscape.com
Subject: Re: Performance considerations in a possible LDAP ACM
implementation


I disagree.   All LDAP servers that I know have an existing access control 
model that they implement.  This is an attempt to have the different LDAP 
servers use a common mechanism.

Bruce

At 06:52 PM 8/9/01 +0530, Purushottam Goel wrote:
>Hi All,
>
>Looking at the complexity in v8 of the ACM for LDAPv3, it seems that there
>would be significant performance hits that LDAP servers will face vis-à-vis
>the current situation where there is no ACM at all. The examples in section
>4.3.5 illustrate the amount of computations and lookups that need to be
>done just to discover if a subject is allowed an operation or not.
>
>I feel that the biggest performance issue will be in step 1 of Phase 1 (in
>section 4.3.4), where the ACM module will have to determine all the
>subtreeACI values that apply to the targetEntry.
>
>Any ideas/inputs on possible implementation strategies to overcome the
>performance devil are welcome.
>
>_Puru

==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com