[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL performance tuning suggestions

I have been looking into access resolution and I am wondering:
1. Does ldbm_back_group cache lookups and group membership info? I see
the same group resolution takes place dozens (sometimes hundreds) of
times during the same query, and hitting the DB and performing the
membership check is really expensive. This seems really inefficient.
In addition, I think a good idea would be to establish a user's group
membership at bind time, then have these resolved group DNs available to
the session during ACL check. This would speed certain operations and
slow others (that do not depend on groups) but I think the net gain
would be significantly positive.
2. Is there any way to implement "class" based ACLs? For instance:
   access to
       "(objectclass=medium security)"
       by group "cn=admins,dc=foo,dc=com" write
If not, what would need to change?