Re: ACI process speed



At 02:22 PM 2001-10-12, Jorge Ortiz Claver wrote:
>o=idsk
>ou=Company A, o=idsk
>ou=Company B, o=idsk
>
>I have two acis in the slapd.conf
>
>access  to dn="(.*,)?ou=Company A,o=idsk"
>            by dn="(.*,)?ou=Company A,o=idsk" write
>            by * none break
>
>access  to dn="(.*,)?ou=Company B,o=idsk"
>            by dn="(.*,)?ou=Company B,o=idsk" write
>            by * none break
>
>access  to *
>            by self write
>            by dn="uid=admin,o=idsk" write
>            by * read
>
>If I disable the first and second ACI, a query (as anonymous) to 100 elements 
>of the Customer A branch takes 1-2 seconds. If I enable the ACIs I get the 
>results in 2 minutes ... umm? Is there any way to make this process faster? 

Yes, use equivalent ACLs that use less expensive mechanisms.
Something like:

access to dn.subtree="ou=Company A,o=idsk"
        by dn.subtree="ou=Company A,o=idsk" write
        by dn.base="uid=admin,o=idsk" write
        by * read

access to dn.subtree="ou=Company B,o=idsk"
        by dn.subtree="ou=Company B,o=idsk" write
        by dn.base="uid=admin,o=idsk" write
        by * read

access to *
        by self write
        by dn.base="uid=admin,o=idsk" write
        by * read

should be much faster.

Note that avoiding regexes can make a huge difference.  When one
chooses to use regex ACLs, one should choose a regex implementation
that is reasonably fast.  The one provided by your operating system
may not be.

>In the trace file it appears that for each attribute used in the query filter 
>and for each object that matches the query, the ACI rules are processed. For 
>example, if I filter using cn, sn and givenName, for each object the server 
>checks the access for these attributes (in these cases, the server always uses 
>the last rule "access to *"). Is it normal? Should the server check the ACIs 
>for each attribute?

Yes.  The ACL granularity is attribute.

Kurt
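
Added example (not part of the original thread, and not OpenLDAP code): when regex ACLs are rewritten for speed as suggested above, it is worth confirming that the new rules grant the same access as the old ones. This Python model evaluates both rule sets with first-match semantics and the `break` control; the simplified DN normalization, the unanchored case-insensitive regex matching and the sample `uid=ann` / `uid=bob` entries are assumptions.

```python
import re

def norm(dn):            # simplified DN normalization (assumption): lowercase, trim parts
    return ",".join(part.strip().lower() for part in dn.split(","))

def regex(pattern):      # old dn="<regex>" form, modeled as unanchored, case-insensitive
    rx = re.compile(pattern, re.I)
    return lambda dn: rx.search(dn) is not None

def subtree(base_dn):    # dn.subtree: the base entry and everything below it
    b = norm(base_dn)
    return lambda dn: dn == b or dn.endswith("," + b)

def base(base_dn):       # dn.base: exactly this entry
    b = norm(base_dn)
    return lambda dn: dn == b

def by_dn(match):        # <who> clause that tests the requester's DN
    return lambda req, tgt: match(req)

ANY_TARGET = lambda dn: True
SELF = lambda req, tgt: req != "" and req == tgt
STAR = lambda req, tgt: True

def access(acl, requester, target):
    """First matching <what>, then first matching <who>; 'break' tries the next directive."""
    req, tgt = norm(requester), norm(target)
    for what, clauses in acl:
        if not what(tgt):
            continue
        for who, level, control in clauses:
            if who(req, tgt):
                if control == "break":
                    break
                return level
        else:
            return "none"    # no <who> matched: implicit "by * none"
    return "none"            # no directive applied to this target

A, B, ADMIN = "ou=Company A,o=idsk", "ou=Company B,o=idsk", "uid=admin,o=idsk"
ADMIN_W = (by_dn(base(ADMIN)), "write", None)
LAST = (ANY_TARGET, [(SELF, "write", None), ADMIN_W, (STAR, "read", None)])
OLD = [(regex("(.*,)?" + ou), [(by_dn(regex("(.*,)?" + ou)), "write", None),
                               (STAR, "none", "break")]) for ou in (A, B)] + [LAST]
NEW = [(subtree(ou), [(by_dn(subtree(ou)), "write", None), ADMIN_W,
                      (STAR, "read", None)]) for ou in (A, B)] + [LAST]
PEOPLE = ["", ADMIN, "uid=ann," + A, "uid=bob," + B]   # constructed; "" is anonymous

def differences(requesters=PEOPLE, targets=PEOPLE[1:] + ["o=idsk", A, B]):
    # Every (requester, target, old, new) where the two rule sets disagree.
    return [(r, t, access(OLD, r, t), access(NEW, r, t)) for r in requesters
            for t in targets if access(OLD, r, t) != access(NEW, r, t)]
```

An empty list from `differences()` means the two rule sets agree on every requester/target pair tested, so extend `PEOPLE` and the targets with DNs that matter in your own tree before relying on it.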