Re: ACI process speed
At 02:22 PM 2001-10-12, Jorge Ortiz Claver wrote:
>o=idsk
>ou=Company A, o=idsk
>ou=Company B, o=idsk
>
>I have two acis in the slapd.conf
>
>access to dn="(.*,)?ou=Company A,o=idsk"
> by dn="(.*,)?ou=Company A,o=idsk" write
> by * none break
>
>access to dn="(.*,)?ou=Company B,o=idsk"
> by dn="(.*,)?ou=Company B,o=idsk" write
> by * none break
>
>access to *
> by self write
> by dn="uid=admin,o=idsk" write
> by * read
>
>If I disable the first and second ACI, a query (as anonymous) to 100 elements
>of the Customer A branch takes 1-2 seconds. If I enable the ACIs I get the
>results in 2 minutes ... umm? Is there any way to make this process faster?

Yes, use equivalent ACLs that use less expensive mechanisms.
Something like:

    access to dn.subtree="ou=Company A,o=idsk"
        by dn.subtree="ou=Company A,o=idsk" write
        by dn.base="uid=admin,o=idsk" write
        by * read

    access to dn.subtree="ou=Company B,o=idsk"
        by dn.subtree="ou=Company B,o=idsk" write
        by dn.base="uid=admin,o=idsk" write
        by * read

    access to *
        by self write
        by dn.base="uid=admin,o=idsk" write
        by * read

should be much faster.

Note that avoiding regexes can make a huge difference. When one
chooses to use regex ACLs, one should choose a regex implementation
that is reasonably fast. The one provided by your operating system
may not be.

>In the trace file it appears that for each attribute used in the query filter
>and for each object that matches the query, the ACI rules are processed. For
>example, if I filter using cn, sn and givername, for each object the server
>checks the access for these attributes (in these cases, the server always uses
>the last rule "access to *"). Is it normal? Should the server check the ACIs
>for each attribute?

Yes. The ACL granularity is attribute.
Kurt
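
Added example, not part of the original message or of OpenLDAP: a small Python check that finds the dn="(.*,)?<suffix>" idiom from the quoted slapd.conf and rewrites it to the dn.subtree form suggested in the reply, while flagging clauses that remain true regexes for manual review. It assumes the regex was meant to select the whole subtree under the suffix; the function names and the uid=[^,]+ sample clause are constructed for illustration.

```python
import re

# The idiom from the quoted slapd.conf: dn="(.*,)?<suffix>", optionally
# written as dn.regex= and optionally anchored with ^ ... $.
IDIOM = re.compile(r'\bdn(?:\.regex)?="\^?\(\.\*,\)\?(?P<suffix>[^"]*?)\$?"')
# Any of these in the remaining suffix means it is not a literal DN.
META = set('.*+?()[]{}|^$\\')
# Any dn= / dn.regex= value that still contains regex metacharacters.
STILL_REGEX = re.compile(r'\bdn(?:\.regex)?="[^"]*[*+?()\[\]{}|^$\\][^"]*"')


def rewrite_line(line):
    """Rewrite literal-suffix regex clauses on one line to dn.subtree."""
    def repl(match):
        suffix = match.group('suffix')
        if META & set(suffix):
            return match.group(0)  # a real regex: leave it untouched
        return 'dn.subtree="%s"' % suffix
    return IDIOM.sub(repl, line)


def lint(conf_text):
    """Return (rewritten_text, rewritten_line_numbers, manual_review_line_numbers)."""
    out, rewritten, manual = [], [], []
    for number, line in enumerate(conf_text.splitlines(), 1):
        new = rewrite_line(line)
        if new != line:
            rewritten.append(number)
        if STILL_REGEX.search(new):
            manual.append(number)
        out.append(new)
    return '\n'.join(out), rewritten, manual


# Constructed sample: the first ACL from the quoted message plus one
# constructed clause whose regex cannot be reduced to a subtree match.
SAMPLE = '''access to dn="(.*,)?ou=Company A,o=idsk"
    by dn="(.*,)?ou=Company A,o=idsk" write
    by dn="uid=[^,]+,ou=Staff,o=idsk" read
    by * none break'''

if __name__ == '__main__':
    text, rewritten, manual = lint(SAMPLE)
    print(text)
    print('rewritten lines:', rewritten, 'manual review:', manual)
```

Lines reported for manual review still cost a regex evaluation per attribute of every candidate entry, as described in the reply above.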