
ACL performance tuning suggestions



I have been looking into access resolution and I am wondering:
 
1. Does ldbm_back_group cache lookups and group membership info? I see
the same group resolution takes place dozens (sometimes hundreds) of
times during the same query, and hitting the DB and performing the
membership check is really expensive. This seems really inefficient.
 
In addition, I think a good idea would be to establish a user's group
membership at bind time, then have these resolved group DNs available to
the session during ACL check. This would speed certain operations and
slow others (that do not depend on groups) but I think the net gain
would be significantly positive.
 
2. Is there any way to implement "class" based ACLs? For instance:
 
   access to
       "(objectclass=groupOfNames)"
       "(objectclass=person)"
       "(objectclass=medium security)"
       by group "cn=admins,dc=foo,dc=com" write
 
If not, what would need to change?
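
The per-session caching idea from point 1, sketched as an added example; it is not part of the original message and is not OpenLDAP code. The names `backend_is_member`, `session_bind` and `session_in_group`, the in-memory member table, and the plain case-insensitive DN comparison are all assumptions made for illustration.

```c
#include <stdio.h>
#include <strings.h>

/* Constructed sample data: (group DN, member DN) pairs standing in for the backend DB. */
static const char *members[][2] = {
    {"cn=admins,dc=foo,dc=com", "uid=alice,dc=foo,dc=com"},
    {"cn=staff,dc=foo,dc=com",  "uid=alice,dc=foo,dc=com"},
    {"cn=staff,dc=foo,dc=com",  "uid=bob,dc=foo,dc=com"},
};
static int backend_hits;          /* counts expensive backend membership checks */

/* Hypothetical stand-in for the backend group lookup (not an OpenLDAP function). */
static int backend_is_member(const char *group, const char *user) {
    backend_hits++;
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++)
        if (!strcasecmp(members[i][0], group) && !strcasecmp(members[i][1], user))
            return 1;
    return 0;
}

#define CACHE_MAX 16
struct session {                  /* per-connection state, reset on every bind */
    const char *bound_dn;
    struct { const char *group; int is_member; } cache[CACHE_MAX];
    int n;
};

static void session_bind(struct session *s, const char *dn) {
    s->bound_dn = dn;
    s->n = 0;                     /* new identity: drop all cached results */
}

/* ACL-time check: consult the session cache first, fall back to the backend. */
static int session_in_group(struct session *s, const char *group) {
    for (int i = 0; i < s->n; i++)
        if (!strcasecmp(s->cache[i].group, group))
            return s->cache[i].is_member;
    int r = backend_is_member(group, s->bound_dn);
    if (s->n < CACHE_MAX) {       /* negative results are cached as well */
        s->cache[s->n].group = group;
        s->cache[s->n++].is_member = r;
    }
    return r;
}

int main(void) {
    struct session s;
    session_bind(&s, "uid=bob,dc=foo,dc=com");
    for (int i = 0; i < 100; i++) session_in_group(&s, "cn=admins,dc=foo,dc=com");
    printf("backend hits for 100 ACL checks: %d\n", backend_hits);
    return 0;
}
```

In this sketch a cached answer lives until the next bind, so removing a user from a group does not affect a session that is already bound; any real design would need an invalidation or expiry rule for that case.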