
ACI process speed



Hi,

I have an OpenLDAP 2.0.15 server on a Solaris 7 environment and I am having 
big problems processing queries. I think the main reason is because of my ACIs. 
The data is in two different branches. In each branch, all the users that 
belong to this branch must have enough rights for writing in any object of 
this branch. 

o=idsk
ou=Company A, o=idsk
ou=Company B, o=idsk

I have two ACIs in the slapd.conf

access	to dn="(.*,)?ou=Company A,o=idsk"
            by dn="(.*,)?ou=Company A,o=idsk" write
            by * none break

access	to dn="(.*,)?ou=Company B,o=idsk"
            by dn="(.*,)?ou=Company B,o=idsk" write
            by * none break

access  to *
            by self write
            by dn="uid=admin,o=idsk" write
            by * read

If I disable the first and second ACI, a query (as anonymous) to 100 elements 
of the Customer A branch takes 1-2 seconds. If I enable the ACIs I get the 
results in 2 minutes ... umm? Is there any way to make this process faster? 
Am I doing something wrong in the ACIs?

In the trace file it appears that for each attribute used in the query filter 
and for each object that matches the query, the ACI rules are processed. For 
example, if I filter using cn, sn and givenname, for each object the server 
checks the access for these attributes (in these cases, the server always uses 
the last rule "access to *"). Is it normal? Should the server check the ACIs 
for each attribute?

Thank you very much in advance

Jorge Ortiz Claver
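
The evaluation flow described in the message above, as an added example that is not part of the original post and is not OpenLDAP code: a simplified Python model of first-match access processing over the three directives, counting access checks and regex evaluations for an anonymous search. The matching rules (unanchored, case-insensitive regexes, empty DN for anonymous), the function names and the sample entries are assumptions of the model.

```python
import re
# The three access directives from the post: (target regex, by-list).
# A "who" is "*", "self" or a DN regex; "break" moves on to the next directive.
ACL = [
    (r"(.*,)?ou=Company A,o=idsk",
     [(r"(.*,)?ou=Company A,o=idsk", "write", "stop"), ("*", "none", "break")]),
    (r"(.*,)?ou=Company B,o=idsk",
     [(r"(.*,)?ou=Company B,o=idsk", "write", "stop"), ("*", "none", "break")]),
    (None, [("self", "write", "stop"), (r"uid=admin,o=idsk", "write", "stop"),
            ("*", "read", "stop")]),           # "access to *"
]

def rx(pattern, dn, stats):
    """One counted regex evaluation (unanchored, case-insensitive: model assumption)."""
    stats["regex"] += 1
    return re.search(pattern, dn, re.IGNORECASE) is not None

def check(entry_dn, bound_dn, stats):
    """Access check for one attribute of one entry: (level, deciding directive index)."""
    stats["checks"] += 1
    for idx, (target, by_list) in enumerate(ACL):
        if target is not None and not rx(target, entry_dn, stats):
            continue
        for who, level, control in by_list:
            if who == "*":
                hit = True
            elif who == "self":
                hit = bound_dn != "" and bound_dn.lower() == entry_dn.lower()
            else:
                hit = rx(who, bound_dn, stats)
            if hit and control == "break":
                break              # fall through to the next directive
            if hit:
                return level, idx
    return "none", None            # no directive granted access

def search(entries, filter_attrs, bound_dn):
    """Run one check per filter attribute per entry, as the trace in the post shows."""
    stats = {"checks": 0, "regex": 0, "deciders": set()}
    visible = 0
    for dn in entries:
        results = [check(dn, bound_dn, stats) for _ in filter_attrs]
        stats["deciders"].update(idx for _, idx in results)
        visible += all(level != "none" for level, _ in results)
    return visible, stats

# Constructed sample data: 100 entries under Company A, anonymous bind (empty DN).
ENTRIES = [f"uid=user{i},ou=Company A,o=idsk" for i in range(100)]
print(search(ENTRIES, ["cn", "sn", "givenname"], ""))
```

In this model the anonymous search performs 300 access checks and 1200 regex evaluations, and every check is decided by the final "access to *" directive because "by * none break" falls through to it.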