
Re: ACL processing performance

Christian Manal wrote:

I've got a question regarding ACLs and their processing performance.

I use the NIS-schema to store user information and the like in
OpenLDAP (using the maps passwd, group, services, ethers, hosts,
automount stuff etc.) plus samba-schema plus some self defined stuff.

I have ACLs defined for some special attributes, like userPassword, and
for each OU (People, Groups, ...).

If I start multiple searches without a filter (so everything accessible
will be displayed) anonymously or with some user, I can get the CPU load
of my servers up to 80-90%. It's definitely the ACLs, since I have no
problems when using the rootDN or if I reduce the ACLs.

What I'd like to know now is, what is so damn expensive in my ACLs and
how I could reduce the cost without lessening the access restrictions...

Stop using sets, they aren't cached. Use DNs for user matching, not uids and gidNumbers.

OpenLDAP version is 2.4.17 using back-hdb with BDB 4.4 from opencsw
repository on Solaris 10 (SunOS 5.10 Generic_139556-08). There are
around 30k entries in my database. I have one master and four slaves
using delta-syncrepl for replication.

Configuration files can be found here:


  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
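
The advice in the reply above, sketched as a slapd.conf fragment. This is an added example, not configuration from the thread or from either poster: the suffix `dc=example,dc=com`, the group names `ldapadmins` and `ldapadmins-dn`, and the ACL itself are constructed, and the DN-based form assumes a `groupOfNames` entry exists whose `member` values are the users' DNs.

```conf
# BEFORE (constructed): set-based match on NIS attributes.
# The clause compares the group's memberUid values with the bound
# user's uid. Per the reply above, set results are not cached, so this
# work is repeated as the ACL is evaluated during a search.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
    by set="[cn=ldapadmins,ou=Groups,dc=example,dc=com]/memberUid & user/uid" write
    by self write
    by anonymous auth
    by * none

# AFTER (constructed): DN-based match with the same access restrictions.
# Assumes cn=ldapadmins-dn is a groupOfNames entry listing admin users
# by DN in its member attribute (kept alongside the posixGroup that
# NIS clients use).
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
    by group/groupOfNames/member.exact="cn=ldapadmins-dn,ou=Groups,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# For a single privileged account, a direct DN match needs no group
# lookup at all (constructed DN):
#     by dn.exact="uid=ldapadmin,ou=People,dc=example,dc=com" write
```

After changing ACLs, `slapacl` can be used to confirm that a given bind DN still gets the same access to a sample entry and attribute as before.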