[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Move From Redhat 7.3 to redhat ES 3.0

To: openldap-software@OpenLDAP.org
Subject: Re: Move From Redhat 7.3 to redhat ES 3.0
From: Terje Rosten <terjeros@phys.ntnu.no>
Date: Tue, 11 May 2004 22:07:26 +0200
In-reply-to: <005a01c4376e$858fa390$a06e5882@bi.umist.ac.uk>
References: <005a01c4376e$858fa390$a06e5882@bi.umist.ac.uk>
User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3.50 (gnu/linux)

* Simon Oliver
| 
| Can you give examples of the acls that caused problems so that we
| can avoid them too?

No, they are to stupid to post in public :-)

I used acls to allow connection only from some hosts with this rule:

access to *
   by self read
   by peername.regex="^IP=10\.0\.0\.(31|32|38|54|56|62|78|82|83|88|90|91|93|96|97|99|101|103|
105|106|107|108|109|110|111|112|113|115|116|117|119|120|122|123|124|125|126|129|141|142|143|144|144|145).*" read
   by * none

That was not clever, when I changed to:

access to *
   by * read

This simple search:
 
 $ ldapsearch -ZZ -LLL -x -h ldapserver.invalid \(uid=\*\) cn

was about 5 times faster.

The simple lesson is to watch your acls if you have a performance
problem.

BTW: I am now using tcp_wrappers to achieve the same access policy.


 - Terje

References:
- RE: Move From Redhat 7.3 to redhat ES 3.0
  - From: "Simon Oliver" <s.oliver@umist.ac.uk>

Prev by Date: Re: slurpd blocking updates
Next by Date: Re: OpenLDAP 2.1 (?) on RedHat Enterprise summary
Index(es):
- Chronological
- Thread