[Date Prev][Date Next]
Re: ACL performance tuning suggestions
OpenLDAP Mailing List wrote:
> I have been looking into access resolution and I am wondering:
> 1. Does ldbm_back_group cache lookups and group membership info? I see
> the same group resolution takes place dozens (sometimes hundreds) of
> times during the same query, and hitting the DB and performing the
> membership check is really expensive. This seems really inefficient.
There is no caching of the access control. The point is that access
is governed by the <what> clause, so it is difficult to cache the <who>.
I recall reading very long discussions on ACL caching. You may browse
mails out of the -devel list on the subject. If you can come out with
a reasonably simple and strikingly efficient caching criterion, I no
doubt think someone will spare some time on implementing it :)
> In addition, I think a good idea would be to establish a user's group
> membership at bind time, then have these resolved group DNs available to
> the session during ACL check. This would speed certain operations and
> slow others (that do not depend on groups) but I think the net gain
> would be significantly positive.
> 2. Is there any way to implement "class" based ACLs? For instance:
> access to
> "(objectclass=medium security)"
> by group "cn=admins,dc=foo,dc=com" write
by group "cn=admins,dc=foo,dc=com" write
(note the "medium security" is not a legal objectclass name; maybe
you meant something else?)
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:email@example.com
via La Masa 34, 20156 Milano, Italy |