Howard Chu wrote:
Michael Ströder wrote:Tomasz Lesniewski wrote:I would like to use sets in my openldap ACLs, but i'm worried about "Sets are considered experimental"as is written in docs (http://www.openldap.org/doc/admin24/access-control.html#Sets%20-%20Granting%20rights%20based%20on%20relationships) Is anybody using sets in production environment without problems? Are there any known issues with sets? Or is known when sets will be ready to use?I put one setup with many set ACLs in production. Sets work as intended but are not documented very well. It costs some time to get it right. It's a good idea to implement ACL regression testing. The main problem with sets: They are slow - I mean really slow.And they will continue to be - very very slow. There is currently no way to cache set evaluations, like we do with group ACLs.
So the only work-around to improve performance a bit is to maintain additional attributes to avoid set ACLs follow too many references.
E.g. slapo-memberof can be used to set back-link references in group member entries (attribute 'memberOf') which sometimes can improve the set performance of specific group membership relations. (Yes, I know the normal by group? ACLs but those are not sufficient for some use-cases.)
Ciao, Michael. -- Michael Ströder E-Mail: firstname.lastname@example.org http://www.stroeder.com
Description: S/MIME Cryptographic Signature