
Re: ACL optimization

Quanah Gibson-Mount wrote:
> --On Wednesday, August 03, 2005 4:41 PM +0200 Pierangelo Masarati
> <ando@sys-net.it> wrote:
> > and if you use OpenLDAP 2.3, you could use these two rules instead of
> > yours:
> >
> > access to dn.children="ou=people,ou=accounts,dc=domain"
> >         filter="(fpstatus=active)"
> >         attrs=uidNumber,objectclass,uid,gidNumber,homeDirectory,host,@fadesaPerson,@inetlocalmailrecipient,@krb5principal,krb5KDCFlags
> >     by set="user & ([cn=]+this/host+[,ou=acl,dc=domain])" ssf=128 read
> >     by * none break
> >
> > access to dn.children="ou=people,ou=accounts,dc=domain"
> >         filter="(fpstatus=active)"
> >     by set="user & ([cn=]+this/host+[,ou=acl,dc=domain])" ssf=128 write
> >     by * none break
> >
> > You need OpenLDAP 2.3 because in earlier versions no "+" operator was
> > available in sets.  Please note that the literal portions of the DN that
> > go into square brackets must be normalized, because DN comparison is done
> > with the normalized DN of the user, but no normalization occurs in sets.
> Aside from ACL's, another thing to look at is your idlcache.  Since you
> didn't post what your idlcache/cachesize settings were for the OpenLDAP
> server, it is hard to give any advice on that, though.

cachesize was set to 10000 for this test (it's 10 times bigger
than the number of entries in the bdb database).

idlcache was not configured; I redid all tests with a value of 10000
(is it necessary to reconstruct the bdb database? I did a simple restart)
and the times were very similar.

As a curiosity, servers matched by the first rules are about 5 or 6 times
faster to respond than servers matched by the last rules. I thought that
the ACL evaluation time would be uniform because the whole set of rules
would be evaluated. Does this make sense to someone?

This gives me an extra advantage because I can sort the most important
servers first to grant a fast response to critical apps.

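The normalization caveat in the quoted ACL, as an added toy model (not code from the thread or from OpenLDAP): the set `user & ([cn=]+this/host+[,ou=acl,dc=domain])` compares the bound user's normalized DN against literals concatenated to each `host` value of the entry, and the concatenation side is never normalized. The entry and bind DN below are constructed sample data, and `normalize_dn` is a deliberately reduced stand-in for slapd's DN normalization.

```python
# Toy model, added for illustration; not code from the thread or from OpenLDAP.
# Models the set  user & ([cn=]+this/host+[,ou=acl,dc=domain])  from the quoted
# ACL: the left side is the bound user's normalized DN, the right side is the
# bracketed literals glued to each value of the entry's 'host' attribute by
# plain string concatenation, with no normalization at all.

def normalize_dn(dn: str) -> str:
    """Reduced stand-in for slapd's DN normalization: lower-case attribute
    types and values and strip whitespace around '=' and ','.  Real slapd
    normalizes each value by its matching rule; this is only a model."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def evaluate_set(user_dn: str, entry: dict, prefix: str, suffix: str) -> set:
    """Return the intersection  user & (prefix + this/host + suffix).
    A non-empty result means the 'by set=...' clause grants access."""
    user_side = {normalize_dn(user_dn)}                 # normalized, as slapd does
    right_side = {prefix + host + suffix                # raw concatenation, as sets do
                  for host in entry.get("host", [])}
    return user_side & right_side


# Constructed sample data: an account entry listing the hosts allowed to read
# it, and the DN a host typed when it bound as its own ACL identity.
ACCOUNT_ENTRY = {"uid": ["jdoe"], "host": ["web1", "mail1"]}
HOST_USER_DN = "cn=web1, ou=ACL, dc=Domain"   # slapd normalizes this before matching

def literal_normalized() -> bool:
    """Literals written in normalized form, as in the quoted rule: the set matches."""
    return bool(evaluate_set(HOST_USER_DN, ACCOUNT_ENTRY, "cn=", ",ou=acl,dc=domain"))

def literal_unnormalized() -> bool:
    """Same rule with spaces and mixed case inside the brackets: sets do not
    normalize, so the strings never coincide and access is silently denied."""
    return bool(evaluate_set(HOST_USER_DN, ACCOUNT_ENTRY, "cn=", ", ou=ACL, dc=Domain"))

def unlisted_host_denied() -> bool:
    """A host absent from the entry's 'host' attribute gets nothing, even with correct literals."""
    return bool(evaluate_set("cn=db9,ou=acl,dc=domain", ACCOUNT_ENTRY, "cn=", ",ou=acl,dc=domain"))


if __name__ == "__main__":
    print("normalized literal  :", literal_normalized())    # True
    print("unnormalized literal:", literal_unnormalized())  # False
    print("unlisted host       :", unlisted_host_denied())  # False
```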