[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: New performance results

Andreas Hasenack wrote:
Em SÃb, 2007-11-03 Ãs 03:30 -0700, Howard Chu escreveu:
(The AD numbers aren't all in yet, we're still waiting for the directory
import to finish.)

In the authentication and other online tests, were the ACLs on all servers the same? Or no ACLs whatsoever? I suppose this would have an impact on performance.

It's not really possible to make the ACLs identical, since the servers' access control systems are very different. Nor is it meaningful to turn off all of the ACLs. As such, a minimal set of rules are used on each server, but that set is necessarily different in each implementation. I believe this is still fair, since the security implementation is an integral part of each server.

E.g., all the servers use TCP/IP, but their TCP/IP implementations are also different. That's just one of many intrinsic elements that defines the properties of a given server.

For AD and ADAM we used their default security settings. Since by default they don't allow anonymous operations, we created a "cn=bench" user for authenticating each session. Also in AD and ADAM a user needed to belong to a particular group in order to have read access to the rest of the DIT. So we also created a "cn=readers" group in OpenLDAP with our bench user as a member and set the corresponding ACLs.

Likewise, I have no idea what the default mechanism for validating a plaintext Simple Bind password is in AD/ADAM. We tested OpenLDAP with both plaintext and SSHA hashes. Computing an SHA hash is certainly more CPU intensive than just doing a simple memcmp on a plaintext password, but is it equivalent to AD's hash? Who knows? AD isn't documented well enough for anyone to say. But ultimately it doesn't matter, because you cannot change AD's configuration and choose a different mechanism. So in terms of comparing overall server behavior, sure there will be differences, but those are intrinsic to each server implementation. Those intrinsic differences are indeed the entire reason why comparative testing needs to be done in the first place...

   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/