Re: ACL performance tuning suggestions
OpenLDAP Mailing List wrote:
>
> I have been looking into access resolution and I am wondering:
>
> 1. Does ldbm_back_group cache lookups and group membership info? I see
> the same group resolution takes place dozens (sometimes hundreds) of
> times during the same query, and hitting the DB and performing the
> membership check is really expensive. This seems really inefficient.
There is no caching of the access control. The point is that access
is governed by the <what> clause, so it is difficult to cache the <who>.
I recall reading very long discussions on ACL caching. You may browse
mails out of the -devel list on the subject. If you can come up with
a reasonably simple and strikingly efficient caching criterion, I have
no doubt someone will spare some time on implementing it :)
> In addition, I think a good idea would be to establish a user's group
> membership at bind time, then have these resolved group DNs available to
> the session during ACL check. This would speed certain operations and
> slow others (that do not depend on groups) but I think the net gain
> would be significantly positive.
>
> 2. Is there any way to implement "class" based ACLs? For instance:
>
> access to
> "(objectclass=groupOfNames)"
> "(objectclass=person)"
> "(objectclass=medium security)"
> by group "cn=admins,dc=foo,dc=com" write
use:
access to filter="(|(objectclass=groupOfNames)(objectclass=person)(objectclass=medium-security))"
        by group="cn=admins,dc=foo,dc=com" write
(note the "medium security" is not a legal objectclass name; maybe
you meant something else?)
Pierangelo.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy |
http://www.aero.polimi.it/~masarati
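The two points of the exchange above, as a toy model added here for illustration (this is not OpenLDAP code and does not reproduce slapd's actual access-resolution algorithm): a filter= <what> clause in the (|(objectclass=a)(objectclass=b)) form Pierangelo suggests, selecting entries by objectclass, and a group <who> clause whose membership check hits the backend once per candidate entry, next to the bind-time cache of resolved group DNs that the original poster proposed. The directory, the ACLs and the "medium-security" objectclass are constructed for the example; the level ordering, the first-matching-<what>/first-matching-<who> rule and the deny-on-no-match fallback are simplifying assumptions of the model.

```python
"""Toy model of slapd-style ACL evaluation (added example, not OpenLDAP code)."""
import re

# Constructed sample directory (assumption: not real data).  Attribute names
# are stored lowercase; values are compared case-insensitively.
DIRECTORY = {
    "cn=admins,dc=foo,dc=com": {"objectclass": ["groupOfNames"],
                               "member": ["uid=alice,dc=foo,dc=com"]},
    "uid=alice,dc=foo,dc=com": {"objectclass": ["person"], "cn": ["alice"]},
    "uid=bob,dc=foo,dc=com":   {"objectclass": ["person"], "cn": ["bob"]},
    "cn=secret,dc=foo,dc=com": {"objectclass": ["medium-security"]},
    "ou=misc,dc=foo,dc=com":   {"objectclass": ["organizationalUnit"]},
}

_EQ = re.compile(r"([A-Za-z][\w-]*)=([^)]*)\)")

def parse_filter(text):
    """Parse a fully parenthesised filter supporting only =, &, | and !."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] != ")":
                kids.append(node())
            pos += 1
            return (op, kids)
        m = _EQ.match(text, pos)
        if not m:
            raise ValueError("bad filter item at offset %d" % pos)
        pos = m.end()
        return ("=", m.group(1).lower(), m.group(2).lower())
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry."""
    op = tree[0]
    if op == "=":
        _, attr, value = tree
        if value == "*":                       # presence test, e.g. (objectclass=*)
            return attr in entry
        return value in (v.lower() for v in entry.get(attr, []))
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    return not matches(tree[1][0], entry)      # "!"

class Session:
    """A bound DN plus, optionally, the bind-time group cache the poster proposed."""
    def __init__(self, bind_dn, cache_groups=False):
        self.bind_dn = bind_dn
        self.groups = {} if cache_groups else None   # group DN -> is member?
        self.backend_lookups = 0

    def in_group(self, group_dn):
        if self.groups is not None and group_dn in self.groups:
            return self.groups[group_dn]
        self.backend_lookups += 1   # stands in for the backend reading the group entry
        members = DIRECTORY.get(group_dn, {}).get("member", [])
        result = self.bind_dn in members
        if self.groups is not None:
            self.groups[group_dn] = result
        return result

# access to <what> by <who> <level>.  Model assumption: the first <what> that
# matches the entry is used, then the first <who> that matches the requester.
ACLS = [
    (parse_filter("(|(objectclass=groupOfNames)(objectclass=person)"
                  "(objectclass=medium-security))"),
     [("group", "cn=admins,dc=foo,dc=com", "write"), ("*", None, "none")]),
    (parse_filter("(objectclass=*)"), [("*", None, "read")]),
]
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def access_level(session, entry):
    for what, whos in ACLS:
        if not matches(what, entry):
            continue
        for kind, dn, level in whos:
            if kind == "*" or (kind == "group" and session.in_group(dn)):
                return level
        return "none"              # <what> matched but no <who> did: deny
    return "none"                  # nothing matched: modelled as deny

def search(session, filter_text, needed="read"):
    """Return the DNs matching the filter that the bound user may read, and how
    many times group membership had to be resolved against the backend."""
    tree = parse_filter(filter_text)
    hits = [dn for dn, e in DIRECTORY.items()
            if matches(tree, e)
            and LEVELS.index(access_level(session, e)) >= LEVELS.index(needed)]
    return hits, session.backend_lookups

if __name__ == "__main__":
    for cache in (False, True):
        s = Session("uid=alice,dc=foo,dc=com", cache_groups=cache)
        print("cache=%s -> %r" % (cache, search(s, "(objectclass=*)")))
```

Running it shows the cost the poster complained about: a search returning five entries resolves the same group four times (once per entry the group ACL covers) without the cache, and once with it. The model also shows why caching the <who> side alone is awkward, as Pierangelo notes: whether the group clause is consulted at all depends on which <what> clause the entry selects, so the cache has to be keyed by the resolved group DN and the bound DN, not by the ACL.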