
RE: Performance considerations in a possible LDAP ACM implementation



Purushottam,

I don't believe there is anything in this model that is unusually (for ACMs)
performance hungry.  If anything, this model lacks some functionality that a lot
of vendors have that would be even more performance hungry, e.g. matching on
resources based on LDAP filters.

The key to making efficient implementations of ACMs (it seems to me) is to get
the caching of aci values and effective rights down so you do the minimum
amount of work as you visit different entries or attributes during a given operation.
How well they accomplish this is a way for vendors to distinguish themselves
while still offering a standard model.

Rob.
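As an added illustration (not code from this thread, from any vendor, or from the ACM draft), here is a toy model of the lookup Puru singles out, collecting every subtreeACI that applies to a targetEntry by walking up the DIT, together with the per-operation caching Rob describes: once a parent's applicable ACIs are cached, each sibling entry visited by the same search costs one more lookup instead of a full walk to the root. The ACI representation (DN -> list of (subject, rights)), the DN splitting, and the simple union of rights are assumptions made for the example; the draft's precedence rules and DN normalization are not modelled.

```python
# Added example: subtreeACI collection with a per-operation cache.
# SUBTREE_ACI is a constructed sample DIT, keyed by the DN on which each
# subtreeACI value is set; a subtreeACI applies to that entry and everything
# below it.  (Format is an assumption, not the draft's syntax.)
SUBTREE_ACI = {
    "o=example": [("cn=admin,o=example", frozenset({"read", "write"}))],
    "ou=people,o=example": [("cn=hr,ou=people,o=example", frozenset({"read"}))],
}

def parent_dn(dn):
    """Return the parent DN; '' above the root (naive split on ',')."""
    return dn.partition(",")[2]

class OperationContext:
    """Holds state for one LDAP operation: a cache of applicable subtreeACI
    per DN, so visiting many entries repeats as little work as possible."""
    def __init__(self, subtree_aci):
        self.subtree_aci = subtree_aci
        self._cache = {}
        self.dit_visits = 0  # entries whose aci values were actually fetched

    def applicable_aci(self, dn):
        """All subtreeACI values applying to dn, nearest entry first."""
        if dn == "":
            return ()
        if dn not in self._cache:
            self.dit_visits += 1
            own = tuple(self.subtree_aci.get(dn, ()))
            # Recursion fills the cache for every ancestor on the way up.
            self._cache[dn] = own + self.applicable_aci(parent_dn(dn))
        return self._cache[dn]

    def effective_rights(self, subject, dn):
        """Union of rights granted to subject on dn (no precedence modelled)."""
        rights = set()
        for aci_subject, aci_rights in self.applicable_aci(dn):
            if aci_subject == subject:
                rights |= aci_rights
        return frozenset(rights)

# Constructed candidate entries returned by one search under ou=people.
CANDIDATES = ["uid=%s,ou=people,o=example" % u for u in ("a", "b", "c")]

def evaluate_search(subject, candidate_dns, right):
    """Filter candidates by an access decision; also report DIT lookups made."""
    ctx = OperationContext(SUBTREE_ACI)
    allowed = [dn for dn in candidate_dns if right in ctx.effective_rights(subject, dn)]
    return allowed, ctx.dit_visits  # 5 lookups for 3 siblings, not 9
```

Without the cache the three siblings would each walk three levels (nine aci fetches); with it the walk to the root happens once and the later siblings add one fetch each.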

>I agree with you, Bruce.
>
>However, what I am attempting to point out is that:
>1. The model proposed in the ID is very complex. Maybe one can look at
>simplifying it (probably by pushing some of the MUST clauses to OPTIONAL
>ones).
>
>2. Most commercial directory servers use highly proprietary techniques for
>storing ACLs (e.g. bitmaps, etc.), and employ decision algorithms that give
>very quick results. But when we are standardizing the ACL structures as they
>are in the ID, I would imagine that it would cause a significant overhead.
>Am I missing something?
>An analogy, may not be a very sound one, is the significant drop in
>performance that we observe when we use LDAP to access the directory, vs. a
>proprietary protocol/client such as the DClient in case of NDS (Novell DS).
>But I guess that is a futile and endless debate...
>
>_Puru
>
>
>-----Original Message-----
>From: Bruce Greenblatt [mailto:bgreenblatt@directory-applications.com]
>Sent: Thursday, August 09, 2001 7:54 PM
>To: Purushottam Goel; ietf-ldapext@netscape.com
>Subject: Re: Performance considerations in a possible LDAP ACM
>implementation
>
>
>I disagree.   All LDAP servers that I know have an existing access control
>model that they implement.  This is an attempt to have the different LDAP
>servers use a common mechanism.
>
>Bruce
>
>At 06:52 PM 8/9/01 +0530, Purushottam Goel wrote:
>>Hi All,
>>
>>Looking at the complexity in v8 of the ACM for LDAPv3, it seems that there
>>would be significant performance hits that LDAP servers will face vis-à-vis
>>the current situation where there is no ACM at all. The examples in section
>>4.3.5 illustrate the amount of computations and lookups that need to be done
>>just to discover if a subject is allowed an operation or not.
>>
>>I feel that the biggest performance issue will be in step 1 of Phase 1 (in
>>section 4.3.4), where the ACM module will have to determine all the
>>subtreeACI values that apply to the targetEntry.
>>
>>Any ideas/inputs on possible implementation strategies to overcome the
>>performance devil are welcome.
>>
>>_Puru
>
>==============================================
>Bruce Greenblatt, Ph. D.
>Directory Tools and Application Services, Inc.
>http://www.directory-applications.com
>