[Date Prev][Date Next]
Re: Access control
John Borwick wrote:
Rich Graves wrote:
On Tue, 25 May 2004, John Borwick wrote:
Here's a rule I wrote yesterday:
access to dn.subtree="ou=Users,dc=wfu,dc=edu"
by * read
What is the performance impact of this?
This sounds lame, but to "optimize" the rule I put it at the beginning
of the access list. It's #2 after "access to attr=userPassword by *
none", since the data will be used so frequently.
When running with "slapd -d -1" to test different variations of the
rule, it looks like slapd iterates through each rule for each
attribute, starting with the meta-attribute "entry".
My guess is that, presuming the request is for all data available, the
# of rule matches for each entry looks like
Let N = rule's position in list of rules
N * number attributes in search filter
+ N * number of attributes in record (presuming success)
So, a successful objectclass=* search with a limit of 100 entries, for
users with an average of 20 attributes, for a rule like the above in
position #10 in the list of rules, would be something like
100 entries * (20 attributes + 1 search attribute) * 10th in position
= 21000 rule evaluations
Please correct me if I am wrong. I'm not an expert at how LDAP
performs access control.
There is some caching, but yes, in general that is correct.
Note that N <what> evaluations per entry per attr occur,
but (usually) only 1 <who> evaluation is performed, for
the only <what> that matches.
There might still be room for more caching (I doubt, but I
wouldn't be too assertive on the subject), but what slapd does
in checking permission is definitely sufficient and almost
surely required; I wouldn't change it without extreme care.