[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL processing very slow (ITS#997)

At 03:44 PM 1/27/01 +0000, zdenek.pavlas@nextra.com wrote:
>I don't think the acl complexity is to be accounted for the slowdown. I use no
>more than 10 'access to dn=.*,<literal> [attr=list]' clauses, each with some 3-6
>'by group=<literal> read/write' rules.

groups are expensive.

>Since the group membership is evaluated just once at the bind time

That's false.  Group membership is evaluated dynamically upon
each and every use.

>the only
>somewhat expensive thing left is matching each of the 300 candidate DNs to (at
>most) 10 regexps- but I believe this may not be and issue.

regex'ing performance depends on numerous factors.  In general,
the less rules the better... that is, better performance can be
often be gained by use of a few complex regex instead of
zillions of simple regexes. YMMV.

>Is there something wrong with my slapd.conf? I need to control access to
>different subtrees, and in addition to handle some attributes differently.
>ing. Zdenek Pavlas
>Developer, Nextra CZ