
Re: Performance with ACLs

At 06:40 PM 10/20/99 +0200, jgaleano@gva.es wrote:
>> At 06:59 PM 10/19/99 +0200, Joaquin Galeano wrote:
>> >I'm trying to set up acls with our directory in order to limit access to
>> >administrators. The thing is that with those controls we have a very
>> >very bad performance. Is that normal?
>> It's easy to write poorly performing access 
>> >Is there a way to reduce the performance loss?
>> A few general hints:
>> 1) combine rules
>I have tried with only one rule. In this case, the rule is exactly like
>the following:
>access to dn="ou=suborg-1,o=org,c=ES"
>   by dn="cn=admin,ou=suborg-n,o=org,c=ES" write
>defaultaccess read

I recommend that you use "defaultaccess none" and adjust
your ACL to grant permission as needed.  This can be
done with limited overhead.

In your case:

defaultaccess none
access to dn="ou=suborg-1,o=org,c=ES"
   by dn="cn=admin,ou=suborg-n,o=org,c=ES" write
   by * read
access to * by * read

would provide the same result.

Besides all the other reasons for defaulting access to 'none',
I need to add a new one:

Use of access directives without 'defaultaccess none' will
not be compatible with OpenLDAP 2.0.  In 2.0, the above
rewrite will be required as default access will no longer
affect access directives.  It's used solely to define an
access level when no access directives are defined.

>With that only rule, the time it takes to get a full 
>listing of the entries under ou=suborg-1 is quite more 
>than the time it takes to return the list without the 

Could be logging... ACL code does a lot.

>> 2) use efficient regular expressions
>I have also tried with other syntax but I got the same
>performance fall.

Your regexes are simple and, hence, quite efficient.

>> 3) avoid expensive acl features
>I think the rule I set up is the simplest (isn't it?)

Yes.  I was referring to ACL Groups and, to a lesser
degree, dnattr and filters.

>Perhaps it is a matter of not listing all the entries: an
>increase of the required time could be more
>'affordable' in cases of searches, but it's only a
>question of reducing the base time and the problem would
>appear again with heavy use of the service.

Note that searches first test each candidate entry
to see if 'search' is allowed and then, if the entry
is to be returned, the entry, its attribute types and
values are checked for 'read'.  Though your ACL is
only applicable to one entry, the code must check
each entry to see if it is applicable.

>I read about using the GNU regex library in the list
>archive, but still haven't installed it (I thought I
>wasn't using regular expressions, so it seemed of little
>influence to me).

You are!  It's dn=<regex>.  The regex you provided just
happens to be a very simple regex.

There are two GNU regular expression libraries, GNU regex
and GNU rx.  There is also Henry Spencer regex (commonly
found in many UNIX distributions).  Your mileage may
vary.  (Note: I tend to favor HS regex, however, this
choice is based on non-technical issues).

Kurt D. Zeilenga <Kurt@OpenLDAP.org>
OpenLDAP Project <http://www.OpenLDAP.org/>
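The following is an added illustration, not code from the thread or from OpenLDAP: a small Python model of slapd-style ACL evaluation, used to show two things the reply above states. First, that the "defaultaccess none" rewrite yields the same decisions as the original ACL, while the original ACL silently denies everyone but the admin once default access stops influencing directives (the 2.0 behaviour Kurt describes). Second, that a directive applicable to a single entry is still tested against every candidate entry during a search, which is where the per-entry cost comes from. The evaluation rules in the model (first matching directive decides; within it the first matching "by" clause decides; under "1.x" mode the default is used whenever no directive or "by" clause gives a decision, inferred from "would provide the same result"; under "2.0" mode the default is ignored as soon as any directive exists) are simplifying assumptions of this example, not a description of the real slapd code. The DNs, entries and configurations are constructed from the two ACLs quoted in the thread.

```python
"""
Toy model of slapd-style access-control evaluation (constructed example,
not OpenLDAP code).  Semantics are simplified assumptions:
  * the first directive whose target matches the entry decides, and within
    it the first matching "by" clause decides;
  * "1.x" mode: defaultaccess is used whenever no directive or "by" clause
    produced a decision (inferred from the message above);
  * "2.0" mode: defaultaccess is used only when no access directives exist.
"""
import re

# Access levels in increasing order; a grant of "write" implies "read", etc.
LEVELS = ["none", "compare", "search", "read", "write"]


def allows(granted, wanted):
    return LEVELS.index(granted) >= LEVELS.index(wanted)


class Directive:
    def __init__(self, target, by):
        self.target = target  # DN regex, or "*" for any entry
        self.by = by          # list of (subject DN regex or "*", level)

    def matches(self, dn):
        return self.target == "*" or re.fullmatch(self.target, dn, re.IGNORECASE) is not None

    def decide(self, who):
        """Level granted by the first matching 'by' clause, or None if none match."""
        for subject, level in self.by:
            if subject == "*" or (who is not None and re.fullmatch(subject, who, re.IGNORECASE)):
                return level
        return None


def check_access(config, who, dn, wanted, semantics):
    """True if bind DN `who` (None = anonymous) is granted `wanted` on entry `dn`."""
    directives = config["access"]
    default = config["defaultaccess"]
    if semantics == "2.0" and directives:
        default = "none"  # directives present: default access no longer applies
    for d in directives:
        # Every directive target is tested for every entry, whatever it applies to.
        config["target_tests"] = config.get("target_tests", 0) + 1
        if d.matches(dn):
            level = d.decide(who)
            return allows(default if level is None else level, wanted)
    return allows(default, wanted)


def search_readable(config, who, entries, semantics):
    """Entries `who` may both search and read (the two-stage check described
    above), plus the number of directive-target tests the search performed."""
    config["target_tests"] = 0
    visible = [dn for dn in entries
               if check_access(config, who, dn, "search", semantics)
               and check_access(config, who, dn, "read", semantics)]
    return visible, config["target_tests"]


# Constructed configurations mirroring the two ACLs quoted in the thread.
SUBORG = "ou=suborg-1,o=org,c=ES"
ADMIN = "cn=admin,ou=suborg-n,o=org,c=ES"
ORIGINAL = {"defaultaccess": "read",
            "access": [Directive(SUBORG, [(ADMIN, "write")])]}
REWRITTEN = {"defaultaccess": "none",
             "access": [Directive(SUBORG, [(ADMIN, "write"), ("*", "read")]),
                        Directive("*", [("*", "read")])]}

if __name__ == "__main__":
    # Constructed directory: the suborg entry plus five children.
    entries = [SUBORG] + [f"cn=user{i},{SUBORG}" for i in range(5)]
    for name, cfg in (("original", ORIGINAL), ("rewritten", REWRITTEN)):
        for sem in ("1.x", "2.0"):
            seen, tests = search_readable(cfg, None, entries, sem)
            print(f"{name:9} {sem}: anonymous sees {len(seen)} of {len(entries)} "
                  f"entries after {tests} directive-target tests")
```

Running the block shows the original ACL letting anonymous users see all six entries under the 1.x rule and none under the 2.0 rule, while the rewritten ACL behaves the same under both; the test counter shows that even the single-entry directive is evaluated once per candidate entry per access check.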