
Re: Are sets "production ready"?



Howard Chu wrote:
Michael Ströder wrote:
Tomasz Lesniewski wrote:
I would like to use sets in my openldap ACLs, but I'm worried about "Sets are considered experimental" as is written in docs
(http://www.openldap.org/doc/admin24/access-control.html#Sets%20-%20Granting%20rights%20based%20on%20relationships)

Is anybody using sets in a production environment without problems? Are there any known issues with sets? Or is it known when sets will be ready to use?
I put one setup with many set ACLs in production. Sets work as intended
but are not documented very well. It costs some time to get it right.
It's a good idea to implement ACL regression testing.

The main problem with sets: They are slow - I mean really slow.
And they will continue to be - very very slow. There is currently no way to
cache set evaluations, like we do with group ACLs.
So the only work-around to improve performance a bit is to maintain additional attributes to avoid set ACLs following too many references.
E.g. slapo-memberof can be used to set back-link references in group member entries (attribute 'memberOf') which sometimes can improve the set performance of specific group membership relations.
(Yes, I know the normal by group? ACLs but those are not sufficient for some use-cases.)
Ciao, Michael.

--
Michael Ströder
E-Mail: michael@stroeder.com
http://www.stroeder.com
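
The back-link approach mentioned in the message above, as an added slapd.conf sketch that is not part of the original post or of the OpenLDAP documentation. The suffix dc=example,dc=com, the ou=projects subtree and the convention that an entry's 'owner' attribute names a group are assumptions made for the illustration.

```conf
# Constructed example. All DNs and the 'owner names a group' convention
# are assumptions for illustration.

# Load slapo-memberof (only needed when it is built as a module) and
# attach it to the database that holds the groups. The 'overlay' line
# belongs after the 'database' directive it applies to.
moduleload            memberof
overlay               memberof
memberof-group-oc     groupOfNames
memberof-member-ad    member
memberof-memberof-ad  memberOf

# Variant A: forward references only (shown commented out).
# For each group DN in this entry's 'owner', the set follows the
# reference to the group entry and collects its 'member' values,
# then intersects the result with the bound DN.
#access to dn.subtree="ou=projects,dc=example,dc=com"
#    by set="this/owner/member & user" write
#    by users read

# Variant B: back-link reference maintained by slapo-memberof.
# The set reads 'memberOf' from the bound user's own entry and
# intersects it with the group DNs in 'owner', so no group entry
# has to be followed.
access to dn.subtree="ou=projects,dc=example,dc=com"
    by set="this/owner & user/memberOf" write
    by users read
```

The overlay only maintains memberOf for membership changes made while it is loaded, so groups that existed before need their member values re-added. The two variants grant the same access only while memberOf agrees with member, which is a case worth covering in the ACL regression tests the message recommends.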
