Re: Perfomance with ACLs

[jgaleano@gva.es]

Mensaje citado por: "Kurt D. Zeilenga" 
<kurt@openldap.org>:

> At 06:59 PM 10/19/99 +0200, Joaquin Galeano wrote:
> >I'm trying to set up acls with our directory in order 
to limit access to
> >administrators. The thing is that with those controls 
we have a very
> >very bad performance. Is that normal?
>
> It's easy to write poorly performing access 
controls...
>
> >Is there a way to reduce the performace lose?
>
> A few general hints:
>
> 1) combine rules

I have tried with only one rule. In this case, the rule 
is exactly like the following:

access to dn="ou=suborg-1,o=org,c=ES"
   by dn="cn=admin,ou=suborg-n,o=org,c=ES" write

defaultaccess read

With that only rule, the time it takes to get a full 
listing of the entries under ou=suborg-1 is quite more 
than the time it takes to return the list without the 
rule.

> 2) use efficient regular expressions

I have also tried with other sintax but I got the same 
performance fall.

> 3) avoid expensive acl features

I think the rule I set up is the simplest (isn't it?)

Perhaps is a matter of not listing all the entries: an 
increment of the required time could be more 
'affordable' in cases of searches, but it's only a 
question of reducing the base time and the problem would 
appear again with a hard use of the service.

>
> Also note that you might want to experiment with a 
differnet
> regex library.
>

I read about using gnu regex library in the list 
archive, but haven't still installed it (I thought I 
wasn't using regular expressions, so I seemed of little 
influence to me).

Thanks for your answer and thanks in advance for any 
other indication/correction.