
Re: ACL performance again



At 08:39 AM 2002-01-04, Kurt D. Zeilenga wrote:
>At 08:08 AM 2002-01-04, Stephan Siano wrote:
>>I encountered performance problems with rather complex (group based) ACLs in 
>>conjunction with large objects (approximately 120 attributes per object).
>>
>>The server returned only 6.5 objects per second for complex (attribute 
>>dependent, group based) ACLs, about 50 objects per second for simpler 
>>(attribute independent, group based) ACLs and about 140 objects per second 
>>without any ACL (defaultaccess read).
>>
>>Looking into the code (and switching on acl debugging) it showed that the 
>>whole ACL is parsed and evaluated once for each attribute and once for each 
>>value (that means twice for a single-valued attribute).
>>
>>Why is it necessary to evaluate the ACLs for each value?
>
>Because OpenLDAP ACM has attribute value granularity.

I should clarify: For the most part OpenLDAP ACM granularity
is attribute level.  But, due to certain directives, the
granularity must be treated as if it were value granularity.
If these directives are not in use, then the granularity is
attribute level.

Kurt