
Re: Access control

Rich Graves wrote:
> On Tue, 25 May 2004, John Borwick wrote:
>
> > Here's a rule I wrote yesterday:
> >
> > access to dn.subtree="ou=Users,dc=wfu,dc=edu"
> >         by * read
>
> What is the performance impact of this?


This sounds lame, but to "optimize" the rule I put it at the beginning of the access list. It's #2 after "access to attr=userPassword by * none", since the data will be used so frequently.

When running with "slapd -d -1" to test different variations of the rule, it looks like slapd iterates through each rule for each attribute, starting with the meta-attribute "entry".

My guess is that, presuming the request is for all data available, the # of rule matches for each entry looks like

Let N = the rule's position in the list of rules

  N * number of attributes in the search filter
   + N * number of attributes in the record (presuming success)

So, a successful objectclass=* search with a limit of 100 entries, for users with an average of 20 attributes, for a rule like the above in position #10 in the list of rules, would be something like

  100 entries * (20 attributes + 1 search attribute) * 10th in position
    = 21000 rule evaluations

Please correct me if I am wrong. I'm not an expert at how LDAP performs access control.

           John Borwick      | work                 336 758 2507
       Systems Administrator | cell                 336 391 6623
      Wake Forest University | web  http://www.wfu.edu/~borwicjh
      Winston-Salem, NC, USA | GPG key ID               7F1F051B

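The following is an added example, not code from the post above or from OpenLDAP. It is a small Python model of the slapd ACL semantics the thread relies on (the first "access to" clause whose <what> matches an entry/attribute pair wins, the first matching <by> clause inside it decides, and a <what> that matches with no matching <by> denies), used for two things: it reproduces the poster's rule-count estimate, including the "entry" pseudo-attribute seen in the slapd -d -1 output, and it shows why the broad "by * read" rule must stay after "access to attr=userPassword by * none", since a subtree read clause placed first is reached first and the password rule is never consulted. The directory entries, the filler rules for other subtrees, and the 100-entry/20-attribute sizes are constructed to match the numbers in the post; the attribute-name and subtree handling is a simplification of what slapd actually does.

```python
"""Simplified model of slapd access-control evaluation (constructed example, not OpenLDAP code).

First 'access to' clause whose <what> matches (entry, attribute) wins; inside it the
first matching <by> clause decides; a matching <what> with no matching <by> denies.
"""
from dataclasses import dataclass, field
from typing import Optional

USERS_BASE = "ou=Users,dc=wfu,dc=edu"   # subtree from the posted rule


@dataclass
class Rule:
    """One 'access to <what> by <who> <access>' clause (subset of slapd syntax)."""
    dn_subtree: Optional[str] = None          # dn.subtree="..."; None = any entry
    attrs: Optional[frozenset] = None         # attrs=... (lower-cased); None = all, incl. "entry"
    by: list = field(default_factory=list)    # [(who, access)], e.g. [("*", "read")]


def in_subtree(entry_dn: str, base: str) -> bool:
    """dn.subtree matches the base entry itself and everything below it (string-suffix approximation)."""
    e, b = entry_dn.lower(), base.lower()
    return e == b or e.endswith("," + b)


def what_matches(rule: Rule, entry_dn: str, attr: str) -> bool:
    if rule.dn_subtree is not None and not in_subtree(entry_dn, rule.dn_subtree):
        return False
    if rule.attrs is not None and attr.lower() not in rule.attrs:
        return False
    return True


def evaluate(rules, entry_dn, attr, who="*"):
    """Return (access level, number of rules examined) for one attribute of one entry."""
    examined = 0
    for rule in rules:
        examined += 1
        if what_matches(rule, entry_dn, attr):
            for subject, level in rule.by:
                if subject in ("*", who):
                    return level, examined
            return "none", examined     # <what> matched, no <by> matched: implicit deny
    return "none", examined             # nothing matched: implicit deny


def search_cost(rules, entries, filter_attrs):
    """Rule examinations for a search returning every entry with all attributes.

    Per entry: the 'entry' pseudo-attribute, each filter attribute, each stored attribute.
    """
    total = 0
    for dn, attrs in entries:
        for attr in ["entry", *filter_attrs, *attrs]:
            total += evaluate(rules, dn, attr)[1]
    return total


# The two orderings discussed in the thread.
PASSWORD_RULE = Rule(attrs=frozenset({"userpassword"}), by=[("*", "none")])
USERS_READ = Rule(dn_subtree=USERS_BASE, by=[("*", "read")])
SAFE_ORDER = [PASSWORD_RULE, USERS_READ]
LEAKY_ORDER = [USERS_READ, PASSWORD_RULE]   # broad read clause first: password rule never reached


def filler_rules(n):
    """n hypothetical clauses for other subtrees; they never match ou=Users."""
    return [Rule(dn_subtree=f"ou=Other{i},dc=wfu,dc=edu", by=[("*", "read")]) for i in range(n)]


def sample_entries(count=100, attrs_per_entry=20):
    """Constructed directory: count user entries, each with attrs_per_entry attribute names."""
    names = ["objectClass", "uid", "cn", "sn", "givenName", "mail",
             "telephoneNumber", "ou", "title", "description"]
    attrs = [f"{names[i % len(names)]}{i // len(names) or ''}" for i in range(attrs_per_entry)]
    return [(f"uid=user{i},{USERS_BASE}", attrs) for i in range(count)]


if __name__ == "__main__":
    jdoe = f"uid=jdoe,{USERS_BASE}"
    print("safe order, userPassword for anonymous:", evaluate(SAFE_ORDER, jdoe, "userPassword"))
    print("leaky order, userPassword for anonymous:", evaluate(LEAKY_ORDER, jdoe, "userPassword"))
    rules = filler_rules(9) + [USERS_READ]    # the users rule sits at position 10
    print("rule examinations, 100 entries x 20 attrs:",
          search_cost(rules, sample_entries(), ["objectClass"]))
```

With the users rule in position 10, the model examines 100 * (1 + 1 + 20) * 10 = 22000 rules, the poster's 21000 plus one "entry" check per entry. The ordering check is the more important output: with LEAKY_ORDER the anonymous lookup of userPassword comes back "read", which is why a broad subtree rule should be moved earlier only as far as the more specific deny rules above it allow.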