[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ACL performance tuning suggestions

There are several problems with this idea:
  a) it is not possible to predict at bind time which backends you should
search to see what groups contain a particular bind DN. Without this
knowledge, you're forced to search all backends, which is hardly an
  b) even if it were possible, it would take a long time. This would make
binds very slow.
  c) caching of this form creates a subtle change in behavior - currently,
if the membership of a group is changed during the life of a session, that
change will be picked up the very next time the group is referenced in an
ACL check. It might make sense to just cache memberships at bind time, and
ignore any group changes that occur after the bind, but you have to be aware
of this different behavior and accept that this is what you want. This could
become an extreme problem for your example of long-lived sessions, but it's
difficult to foresee.

Still it would be good to see improvements in this area. I have some ideas
the problem that I'm testing out currently.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of OpenLDAP Mailing

well, what abour pre-resolving group membership at bind time? that would be
a HUGE performance gain for certain queries (like building large result sets
of ACL data and doing iterative queries), especially for long-lived handles.
I think that would be simple and a good first step.

You could then remove all of the ldbm_back_group calls and match directly
against a small list in RAM.