[Date Prev][Date Next]
Re: ACL processing performance
Christian Manal wrote:
I've got a question regarding ACLs and their processing performance.
I use the NIS-schema to store userinformation and the likes in
OpenLDAP (using the maps passwd, group, services, ethers, hosts,
automount stuff etc.) plus samba-schema plus some self defined stuff.
I have ACLs defined for some special attributes, like userPassword, and
for each OU (People, Groups, ...).
If I start multiple searches without a filter (so everythin accessible
will be displayed) anonymously or with some user, I can get the CPU load
of my servers up to 80-90%. It's definitely the ACLs, since I have no
problems when using the rootDN or if I reduce the ACLs.
What I'd like to know now is, what is so damn expensive in my ACLs and
how I could reduce the cost without lessening the access restrictions...
Stop using sets, they aren't cached. Use DNs for user matching, not uids and
OpenLDAP version is 2.4.17 using back-hdb with BDB 4.4 from opencsw
respository on Solaris 10 (SunOS 5.10 Generic_139556-08). There are
around 30k entries in my database. I have one master and four slaves
using delta-syncrepl for replication.
Configuration files can be found here:
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/