
ACL optimization

Hello all,

 I'm having a performance problem with my current ACL.

 There are one hundred remote servers placed in locations with little
physical security, so I need to minimize the impact of a possible compromise
and implement some type of server-side access control, as opposed to
client-side access control, for the user entries.

 Each remote server is matched by two rules: the first rule sets a group
of attributes to read-only, and the second one is a catch-all rule: everything
that isn't explicitly configured as read-only is writable by the
remote host.

access to dn.children="ou=people,ou=accounts,dc=domain" filter=(&(host=server1)(fpstatus=active)) attrs=uidNumber,objectclass,uid,gidNumber,homeDirectory,host,@fadesaPerson,@inetlocalmailrecipient,@krb5principal,krb5KDCFlags
        by dn.exact="cn=remote1,ou=acl,dc=domain" ssf=128 read
        by * none break

access to dn.children="ou=people,ou=accounts,dc=domain" filter=(&(host=server1)(fpstatus=active))
        by dn.exact="cn=remote1,ou=acl,dc=domain" ssf=128 write
        by * none break

 This works fine; for one server the ACL evaluation takes about 100 ms,
but for 100 servers (x2 = 200 rules) the time increases to 1.4 seconds,
which makes the directory response very slow.

 OpenLDAP (2.2.27) runs on a Xeon 3GHz CPU with 1GB of RAM; the
directory contains 1000 entries with 125 attributes each.

 Is it possible to speed this up somehow without loss of functionality?

Thank you.

set_cachesize 0 10000000 0
set_lg_regionmax 1048576
set_lg_max 10485760
set_lg_bsize 2097152
set_lg_dir /var/lib/ldap/logs

index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

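A simplified model of the sequential evaluation that the rule pairs above go through, added here as an illustration; it is not part of the original message and not OpenLDAP code. The sample entries, bind DNs and rule-count bookkeeping are constructed, and the model assumes slapd walks the access list in order for each attribute, skipping rules whose target does not match and falling through on `by * none break`.

```python
from dataclasses import dataclass
from typing import Optional

# Read-only attributes from the first rule of each pair (the @objectClass
# expansions in the original are left out of this simplified model).
READONLY_ATTRS = {"uidnumber", "objectclass", "uid", "gidnumber",
                  "homedirectory", "host", "krb5kdcflags"}

@dataclass
class Rule:
    host: str             # filter=(&(host=<host>)(fpstatus=active))
    attrs: Optional[set]  # attrs=... list; None means every attribute
    who: str              # dn.exact="cn=remoteN,ou=acl,dc=domain"
    access: str           # "read" or "write" granted to `who` at ssf>=128
    # every rule in the post also ends with "by * none break"

def build_rules(n_servers: int) -> list:
    """Two rules per server, in the same order as the posted slapd.conf."""
    rules = []
    for i in range(1, n_servers + 1):
        who = f"cn=remote{i},ou=acl,dc=domain"
        rules.append(Rule(f"server{i}", READONLY_ATTRS, who, "read"))
        rules.append(Rule(f"server{i}", None, who, "write"))
    return rules

def evaluate(rules: list, entry: dict, attr: str, bind_dn: str, ssf: int) -> tuple:
    """Walk the rule list in order for one attribute of one entry.
    Returns (granted access, number of rules examined); a rule whose <what>
    does not match is skipped, and 'by * none break' falls through."""
    examined = 0
    for r in rules:
        examined += 1
        # <what>: the host/fpstatus filter and the attrs list of this rule
        if entry.get("host") != r.host or entry.get("fpstatus") != "active":
            continue
        if r.attrs is not None and attr.lower() not in r.attrs:
            continue
        # <by>: dn.exact=... ssf=128 <access>; first matching clause wins
        if bind_dn == r.who and ssf >= 128:
            return r.access, examined
        # otherwise 'by * none break' matched: continue with the next rule
    return "none", examined

if __name__ == "__main__":
    rules = build_rules(100)   # 200 rules, as in the post
    entry = {"host": "server100", "fpstatus": "active"}  # constructed sample
    me = "cn=remote100,ou=acl,dc=domain"
    print(evaluate(rules, entry, "uid", me, 128))   # ('read', 199)
    print(evaluate(rules, entry, "mail", me, 128))  # ('write', 200)
```

The count of examined rules grows with the position of the server's pair in the list, and a bind below ssf=128 walks all 200 rules and still gets nothing, which is the intended effect of the ssf clause.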