
Re: Performance of ACLs



Do you have a 'presence index' (and maybe a substring index) for the uid
attribute? If you don't, slapd must look at each entry just to see if the entry
contains a uid attribute.

Iddyamadom Santhoshkumar wrote:
> 
> Hi
> 
> I am using OpenLDAP 1.2.11 and having a problem due to ACLs.
> 
> The following command is issued to do an LDAP search
> 
> ldapsearch -D "uid=ouser,ou=People,o=company1,o=com" -w testpassword -b "o=company1,o=com" "uid=*"
> 
> There are a few ACLs in slapd.conf. I was assuming
> that those ACLs will validate entries under the base
> search path (in this example, "o=company1,o=com").
> There are only a few entries under "o=company1,o=com"
> (maybe 20). But it takes at least 18 seconds to
> return the results. There are 6500 entries in total in
> the directory.
> 
> From the ACL logs (syslog), I found that each and
> every entry in the directory is accessed and that is
> why it is taking a long time.
> 
> Is it a problem with OpenLDAP, or is it designed
> like that, or is it a problem with my ACLs?
> 
> defaultaccess none
> access to dn="uid=[^,]+,ou=People,o=([^,]+),o=com" attrs=entry
>        by dn="uid=[^,]+,ou=People,o=$1,o=com" read
> access to dn="uid=[^,]+,ou=People,o=([^,]+),o=com" attrs=userpassword
>        by self read
> access to dn="uid=[^,]+,ou=People,o=([^,]+),o=com"
>        by dn="uid=[^,]+,ou=People,o=$1,o=com" read
> 
> I will be grateful for any feedback on this..
> 
> THanX in advance
> Santhosh

-- 
Patrick Timmons, service informatique
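
An added example (not part of the thread, and not slapd's code): a simplified Python model of the three posted ACLs and of the candidate selection the reply describes, showing that the index changes how many entries are examined but not what the bound user may read. The sample directory, the function names, anchored regex matching and the per-candidate scope check are assumptions of this model.

```python
import re

# The three ACLs from the post, in order: (entry-DN regex, attrs or None, who).
PEOPLE = r"uid=[^,]+,ou=People,o=([^,]+),o=com"
ACLS = [
    (PEOPLE, {"entry"}, r"uid=[^,]+,ou=People,o=$1,o=com"),
    (PEOPLE, {"userpassword"}, "self"),
    (PEOPLE, None, r"uid=[^,]+,ou=People,o=$1,o=com"),
]

def can_read(bind_dn, entry_dn, attr):
    """First ACL whose DN regex and attrs match decides; else defaultaccess none."""
    for dn_re, attrs, who in ACLS:
        m = re.fullmatch(dn_re, entry_dn, re.I)  # anchored: a model assumption
        if not m or (attrs is not None and attr not in attrs):
            continue
        if who == "self":
            return bind_dn.lower() == entry_dn.lower()
        # $1 becomes the company captured from the entry DN (escaped here).
        who_re = who.replace("$1", re.escape(m.group(1)))
        return bool(re.fullmatch(who_re, bind_dn, re.I))
    return False

def build_directory():
    """Constructed sample data: 3 companies, 4 users each, plus uid-less entries."""
    entries = {}
    for n in (1, 2, 3):
        base = f"o=company{n},o=com"
        entries[base] = {"o": f"company{n}"}
        entries[f"ou=People,{base}"] = {"ou": "People"}
        for u in ("ouser", "alice", "bob", "carol"):
            entries[f"uid={u},ou=People,{base}"] = {"uid": u, "userpassword": "x"}
    return entries

def search(entries, bind_dn, base, presence_index):
    """Model of filter `uid=*` under `base`; returns (visible, entries examined)."""
    if presence_index:
        candidates = [dn for dn, e in entries.items() if "uid" in e]  # index lookup
    else:
        candidates = list(entries)  # no index: every entry is a candidate
    visible = {}
    for dn in candidates:
        in_scope = dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())
        if in_scope and "uid" in entries[dn] and can_read(bind_dn, dn, "entry"):
            visible[dn] = sorted(a for a in entries[dn] if can_read(bind_dn, dn, a))
    return visible, len(candidates)
```

In this model the presence index only narrows the candidates to entries that carry `uid`; the search base and the ACLs are still checked one candidate at a time.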