
access control with dn=*. gives bad performance



Hi all,

I have added extra rules to my access control list, for example:
	access to dn=".*,bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid"
		by dn="cn=updater,bankcode=$1,ou=lb,o=rabobank,c=nl" write
		by dn="cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl" write
		by * read
to get write access to the 'roleid' attribute for 'sysbeheer'.
This results in bad performance.

I've changed the rules (removed the .* after dn=):
	access to dn="bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid"
		by dn="cn=updater,bankcode=$1,ou=lb,o=rabobank,c=nl" write
		by dn="cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl" write
		by * read
The performance is nearly back to the old level and I have write access to
all the sublevels of dn="bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid".

This is what I want, but I don't understand why I have write access to the
sublevels?

Any idea?

My system: RedHat 7.1 with OpenLDAP 2.0.18.

Thanks!

Gerrit

**************************************
Gerrit van den Hul
Senior Software Designer
Altium - Think it, Design it, Build it
Phone Rabobank: +31 30 21 51 390
Phone Altium: +31 33 455 8584
Fax Altium: +31 33 455 5503
mobile: +31 6 1464 9859
E-Mail Rabobank: G.Hul@rf.rabobank.nl
E-Mail Altium: gerrit.van.den.hul@altium.nl
Private E-mail: G.vandenHul@inter.nl.net
URL: http://www.altium.com
**************************************
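As an added illustration (not part of the post above and not OpenLDAP's own code), the script below emulates how slapd 2.0 evaluates 'access to dn=<regex>', on the assumption that the pattern is a case-insensitive, unanchored regular-expression search over the normalized DN. Under that assumption the rewritten rule matches every entry whose DN merely contains 'bankcode=...,ou=lb,o=rabobank,c=nl' (so all sublevels, and any other naming context that happens to contain that string), the greedy '(.*)' can capture several RDNs into $1, and an anchored variant that restricts the rule to the bankcode entry itself is shown for comparison; the sample DNs are constructed.

```python
import re

# Constructed sample DNs for the demonstration (not taken from the post).
SAMPLE_DNS = [
    "bankcode=123,ou=lb,o=rabobank,c=nl",                   # the bankcode entry itself
    "cn=updater,bankcode=123,ou=lb,o=rabobank,c=nl",        # one level below it
    "uid=jan,ou=staff,bankcode=123,ou=lb,o=rabobank,c=nl",  # two levels below it
    "bankcode=1,ou=sub,bankcode=2,ou=lb,o=rabobank,c=nl",   # nested bankcode RDNs
    "cn=x,bankcode=123,ou=lb,o=rabobank,c=nl,dc=other",     # a different naming context
    "ou=lb,o=rabobank,c=nl",                                # the parent container
]

# The two patterns from the post, plus an anchored variant for comparison.
RULES = {
    "original":  r".*,bankcode=(.*),ou=lb,o=rabobank,c=nl",
    "rewritten": r"bankcode=(.*),ou=lb,o=rabobank,c=nl",
    "anchored":  r"^bankcode=([^,]+),ou=lb,o=rabobank,c=nl$",
}

SUFFIX = ",ou=lb,o=rabobank,c=nl"


def match_dn(pattern, dn):
    """Emulate 'access to dn=<regex>' as slapd 2.0 evaluates it (assumption):
    a case-insensitive, *unanchored* regex search over the normalized DN.
    Returns the text captured as $1 on a match, or None when the rule
    does not apply to this entry."""
    m = re.search(pattern, dn, re.IGNORECASE)
    return m.group(1) if m else None


def updater_dn(pattern, dn):
    """Expand the 'by dn="cn=updater,bankcode=$1,..."' clause for an entry,
    i.e. the DN that clause would grant write access to."""
    code = match_dn(pattern, dn)
    return None if code is None else "cn=updater,bankcode=" + code + SUFFIX


def coverage(rule):
    """Map each sample DN to its $1 capture under one rule (None = no match)."""
    return {dn: match_dn(RULES[rule], dn) for dn in SAMPLE_DNS}


if __name__ == "__main__":
    for rule in RULES:
        print("--", rule, "--", RULES[rule])
        for dn, code in coverage(rule).items():
            print("  %-55s $1=%r" % (dn, code))
```

Note that the original pattern requires a comma before 'bankcode=', so it never matched the bankcode entry itself, only entries beneath it; the rewritten pattern matches both.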


