
Re: Bad performance after adding several ACL settings.



On Mon, Jul 17, 2006 at 03:12:23PM +0800, Wang Penghui wrote:
> Hello, everyone,
> 
> There is a openldap installation on my gentoo server. The version of
> server is net-nds/openldap-2.1.30-r2.
> 
> The hardware information is
> 
> CPU: Intel Xeon 2.4G x 2
> MEM: 512M x 2
> HD: SCSI 73G x 2 with Raid 1.
> 
> There are about 10000 entries in the openldap database.
> There are 3600+ entries in a special ou. Before adding the ACL settings
> for the special ou to slapd.conf, if I search all the children of this
> ou with the following command:
> 
> ldapsearch -x -D "cn=manager,dc=xxx" -w xxx -b "ou=specialou,dc=xxx" >
> temp.file
> 
> it takes less than 1 sec to finish the query.

This is more an enumeration and not exactly a search.

> ====BEGIN====
> access to attrs="userPassword"
>         by  dn="cn=manager,dc=xxx"    write
>         by  self    write
>         by  anonymous   auth
>         by  *   none
> access to filter="category=0 *"

Do you have a substring index for the category attribute? Also, you are using
just two characters, this is usually not enough for such a filter. If you were
using a more recent version of OpenLDAP (like 2.3.24), you could use the
index_substr_* parameters in slapd.conf to tune this (I don't know if 2.1.30
has this option, I think not).

>        by   dn="cn=manager,dc=xxx"   write
>        by   dnattr=creatorsName    write
>        by      *       none
> access to dn="ou=contacts,ou=,dc=xxx"
>     attrs=children
>     by  dn="cn=manager,dc=xxx"    write
>     by dn.regex="uid=[^,]+,ou=contacts,ou=specialou,dc=xxx" write
>     by  *   none
> access to dn.regex="^uid=[^,]+,ou=contacts,ou=specialou,dc=xxx$"
>     attrs=entry
>     by  dn="cn=manager,dc=xxx"    write
>     by  dn.regex="uid=[^,]+,ou=contacts,ou=specialou,dc=xxx" write
>     by  *   none
> access to dn.subtree="ou=contacts,ou=specialou,dc=xxx"
> filter="(&(!(category=5 FL))(category=11 GCC Member))"

Just make sure you also have an equality index for the category attribute.

>     by  dn="cn=manager,dc=xxx" write
>     by  dn="uid=duxiaolin,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=sunchengzhi,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=wangjin,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=supertuxadmin,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=anonymous,ou=contacts,ou=specialou,dc=xxx" none
>     by  self write
>     by  users   none
> access to dn.subtree="ou=contacts,ou=specialou,dc=xxx"
> filter="(&(!(category=5 FL))(!(category=11 GCC Member)))"
>     by  dn="cn=manager,dc=xxx"    write
>     by  dn="uid=supertuxadmin,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=duxiaolin,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=wangjin,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=sunchengzhi,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=anonymous,ou=contacts,ou=specialou,dc=xxx" none
>     by  self write
> access to dn.subtree="ou=contacts,ou=specialou,dc=xxx"
> filter="(&(category=5 FL)(category=11 GCC Member))"
>     by  dn="cn=manager,dc=xxx"    write
>     by  dn="uid=duxiaolin,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=wangjin,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=sunchengzhi,ou=contacts,ou=specialou,dc=xxx" write
>     by  dn="uid=supertuxadmin,ou=contacts,ou=specialou,dc=xxx" write
>     by  self write
>     by  users   read
> access to dn.subtree="dc=xxx" by * write
> 
> ===END===
> 
> And all the necessary attributes are indexed, even the category
> attribute, which appears in the ACL filters.

For category you will need the substring and equality indexes at least. And I
don't think you can overcome the problem of too few characters in your
substring search without rebuilding OpenLDAP and setting this to a higher value
(I don't recall the #define, search the archives or the source).

> BTW, I have used ldbm as the database backend. I have heard that the
> ldbm backend will be discarded after 2.4; should I change to another
> backend, such as bdb or gdbm?

You should change to bdb or hdb, but more importantly, upgrade your openldap
package to a more recent version. You are currently two generations behind.
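For readers following this thread later, here is a slapd.conf fragment showing the indexing the reply is asking for. It is an added example, not configuration from either poster: the attribute name `category` and the suffix `dc=xxx` are taken from the quoted ACLs, the directory path and the numeric values are illustrative, and the `index_substr_*` directives are the ones documented in slapd.conf(5) for OpenLDAP 2.3 and later (they do not exist in 2.1.30, as the reply notes).

```conf
# Added example (not from the thread). Global section, before any "database"
# line. These directives exist in OpenLDAP 2.3+ only; the numbers are
# illustrative and should match the shortest initial substring your ACL
# filters actually use (filter="category=0 *" has a 2-character prefix).
index_substr_if_minlen  2     # shortest initial/final substring that gets indexed
index_substr_if_maxlen  4     # longest initial/final substring that gets indexed
index_substr_any_len    4     # length of the "any" substrings that get indexed
index_substr_any_step   2     # stride between consecutive "any" substrings

database        bdb           # bdb or hdb instead of the deprecated ldbm
suffix          "dc=xxx"
directory       /var/lib/openldap-data    # placeholder path

# eq  : serves (category=5 FL), (category=11 GCC Member) and their "!" forms
# sub : serves the substring ACL filter category=0 *
index   category      eq,sub
index   objectClass   eq
```

After changing `index` lines, the existing database must be re-indexed or the new indexes are empty: stop slapd, run `slapindex` as the slapd user against the same slapd.conf, then start slapd again. Running slapd with `-d stats` (or loglevel 256) while repeating the slow ldapsearch shows in the log whether the ACL filters are now answered from an index or still fall back to a full scan of the 3600+ entries.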