[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control

John Borwick wrote:

Rich Graves wrote:

On Tue, 25 May 2004, John Borwick wrote:

Here's a rule I wrote yesterday:

access to dn.subtree="ou=Users,dc=wfu,dc=edu"
        by * read

What is the performance impact of this?


This sounds lame, but to "optimize" the rule I put it at the beginning of the access list. It's #2 after "access to attr=userPassword by * none", since the data will be used so frequently.

When running with "slapd -d -1" to test different variations of the rule, it looks like slapd iterates through each rule for each attribute, starting with the meta-attribute "entry".

My guess is that, presuming the request is for all data available, the # of rule matches for each entry looks like

Let N = rule's position in list of rules

N * number attributes in search filter
 + N * number of attributes in record (presuming success)

So, a successful objectclass=* search with a limit of 100 entries, for users with an average of 20 attributes, for a rule like the above in position #10 in the list of rules, would be something like

  100 entries * (20 attributes + 1 search attribute) * 10th in position
    = 21000 rule evaluations

Please correct me if I am wrong. I'm not an expert at how LDAP performs access control.

There is some caching, but yes, in general that is correct.
Note that N <what> evaluations per entry per attr occur,
but (usually) only 1 <who> evaluation is performed, for
the only <what> that matches.

There might still be room for more caching (I doubt, but I
wouldn't be too assertive on the subject), but what slapd does
in checking permission is definitely sufficient and almost
surely required; I wouldn't change it without extreme care.

Ciao, p.