
RE: ACL performance tuning suggestions



well, what about pre-resolving group membership at bind time? that would
be a HUGE performance gain for certain queries (like building large
result sets of ACL data and doing iterative queries), especially for
long-lived handles. I think that would be simple and a good first step.
 
You could then remove all of the ldbm_back_group calls and match
directly against a small list in RAM.
 
Kevin

	-----Original Message----- 
	From: Pierangelo Masarati 
	Sent: Tue 10/30/2001 12:37 PM 
	To: OpenLDAP Mailing List 
	Cc: openldap-software@OpenLDAP.org 
	Subject: Re: ACL performance tuning suggestions
	
	

	OpenLDAP Mailing List wrote:
	>
	> I have been looking into access resolution and I am wondering:
	>
	> 1. Does ldbm_back_group cache lookups and group membership info? I see
	> the same group resolution takes place dozens (sometimes hundreds) of
	> times during the same query, and hitting the DB and performing the
	> membership check is really expensive. This seems really inefficient.
	
	There is no caching of the access control.  The point is that access
	is governed by the <what> clause, so it is difficult to cache the <who>.
	I recall reading very long discussions on ACL caching.  You may browse
	mails out of the -devel list on the subject.  If you can come out with
	a reasonably simple and strikingly efficient caching criterion, I no
	doubt think someone will spare some time on implementing it :)
	
	
	> In addition, I think a good idea would be to establish a user's group
	> membership at bind time, then have these resolved group DNs available to
	> the session during ACL check. This would speed certain operations and
	> slow others (that do not depend on groups) but I think the net gain
	> would be significantly positive.
	>
	> 2. Is there any way to implement "class" based ACLs? For instance:
	>
	>    access to
	>        "(objectclass=groupOfNames)"
	>        "(objectclass=person)"
	>        "(objectclass=medium security)"
	>        by group "cn=admins,dc=foo,dc=com" write
	
	use:
	
	access to
	    filter="(|(objectclass=groupOfNames)(objectclass=person)(objectclass=medium-security))"
	        by group "cn=admins,dc=foo,dc=com" write
	
	(note the "medium security" is not a legal objectclass name; maybe
	you meant something else?)
	
	Pierangelo.
	
	
	--
	Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
	Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
	Politecnico di Milano                 | mailto:masarati@aero.polimi.it
	via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati
	
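The two ideas in this thread, an access directive whose <what> is an objectclass filter and resolving a bound user's group membership once at bind time so that later `by group` checks match against a small in-RAM set, modeled as an added Python example. This is constructed illustration code, not OpenLDAP's own implementation; the directory contents, DNs and the `Session` bookkeeping are all hypothetical, and `group_lookups` simply counts the directory reads that the uncached path (analogous to repeated `ldbm_back_group` calls) performs.

```python
"""Toy model of a slapd-style access directive with an objectclass-filter
<what> clause, comparing per-check group resolution against group membership
pre-resolved at bind time. Constructed example; not OpenLDAP code."""

from dataclasses import dataclass

# Constructed in-memory "directory": DN -> attributes (hypothetical data).
DIRECTORY = {
    "cn=admins,dc=foo,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=kevin,ou=people,dc=foo,dc=com"],
    },
    "uid=kevin,ou=people,dc=foo,dc=com": {"objectClass": ["person"]},
    "uid=alice,ou=people,dc=foo,dc=com": {"objectClass": ["person"]},
    "cn=secret,ou=docs,dc=foo,dc=com": {"objectClass": ["medium-security"]},
    "ou=people,dc=foo,dc=com": {"objectClass": ["organizationalUnit"]},
}

# One access directive, the in-memory equivalent of
#   access to filter="(|(objectclass=groupOfNames)(objectclass=person)
#                      (objectclass=medium-security))"
#       by group "cn=admins,dc=foo,dc=com" write
ACL = {
    "what": {"groupOfNames", "person", "medium-security"},
    "by": [("cn=admins,dc=foo,dc=com", "write")],
}


@dataclass
class Session:
    bind_dn: str
    precomputed: bool = False
    groups: frozenset = frozenset()   # resolved group DNs, filled at bind time
    group_lookups: int = 0            # directory reads spent on membership tests


def group_has_member(session, group_dn):
    """Uncached membership test: one directory read per call."""
    session.group_lookups += 1
    entry = DIRECTORY.get(group_dn, {})
    return session.bind_dn in entry.get("member", [])


def bind(bind_dn, precompute=False):
    """Bind; with precompute=True, resolve every group the ACL names once."""
    s = Session(bind_dn, precomputed=precompute)
    if precompute:
        s.groups = frozenset(g for g, _ in ACL["by"] if group_has_member(s, g))
    return s


def what_matches(entry):
    """<what> filter: entry carries any of the listed objectclass values."""
    return bool(ACL["what"] & set(entry.get("objectClass", [])))


def check_access(session, target_dn):
    """Return the access level the directive grants session on target_dn."""
    if not what_matches(DIRECTORY[target_dn]):
        return None                  # directive does not apply to this entry
    for group_dn, access in ACL["by"]:
        if session.precomputed:
            member = group_dn in session.groups       # RAM set, no DB read
        else:
            member = group_has_member(session, group_dn)
        if member:
            return access
    return "none"


def run_query(bind_dn, targets, precompute):
    """Evaluate the directive for each target; return (results, directory reads)."""
    s = bind(bind_dn, precompute)
    return [check_access(s, t) for t in targets], s.group_lookups


if __name__ == "__main__":
    targets = list(DIRECTORY)
    for pre in (False, True):
        res, reads = run_query("uid=kevin,ou=people,dc=foo,dc=com", targets, pre)
        print(f"precompute={pre}: {res} after {reads} group reads")
```

With pre-resolution the number of group reads per session drops from one per matching entry to one per group named in the ACLs, which is the gain Kevin describes for large result sets. The trade-off for long-lived handles is that the cached set reflects membership as it stood at bind time: a user removed from `cn=admins` keeps write access on an already-bound connection until it rebinds, so a real implementation would need to invalidate or refresh the cache when group entries change.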
