access control with dn=*. gives bad performance
Hi all,
I have added extra rules in my access control list, for example:
access to dn=".*,bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid"
    by dn="cn=updater,bankcode=$1,ou=lb,o=rabobank,c=nl" write
    by dn="cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl" write
    by * read
to get write access to the 'roleid' attribute by 'sysbeheer'.
This results in a bad performance.
I've changed the rules (removed the .* after dn=):
access to dn="bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid"
    by dn="cn=updater,bankcode=$1,ou=lb,o=rabobank,c=nl" write
    by dn="cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl" write
    by * read
The performance is nearly back to the old level and I have write access to
all the sublevels of "bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid".
This is what I want, but I don't understand why I have write access to the
sublevels?
Any idea?
My system: RedHat 7.1 with openldap 2.0.18.
Thanks!
Gerrit
**************************************
Gerrit van den Hul
Senior Software Designer
Altium - Think it, Design it, Build it
Phone Rabobank: +31 30 21 51 390
Phone Altium: +31 33 455 8584
Fax Altium: +31 33 455 5503
mobile: +31 6 1464 9859
E-Mail Rabobank: G.Hul@rf.rabobank.nl
E-Mail Altium: gerrit.van.den.hul@altium.nl
Private E-mail: G.vandenHul@inter.nl.net
URL: http://www.altium.com
**************************************
================================================
The information contained in this message may be confidential
and is intended to be exclusively for the addressee. Should you
receive this message unintentionally, please do not use the contents
herein and notify the sender immediately by return e-mail.
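
An added example, not part of the original post: it checks which entry DNs each of the two dn= patterns above selects, and what $1 captures. It assumes slapd 2.0 evaluates dn= as an unanchored, case-insensitive regular expression (Python's re.search stands in for that); the sample DNs and the anchored pattern are constructed for illustration.

```python
import re

SUFFIX = "ou=lb,o=rabobank,c=nl"

# The two <what> patterns from the post, plus an anchored variant (added here).
WITH_PREFIX = r".*,bankcode=(.*)," + SUFFIX
NO_PREFIX = r"bankcode=(.*)," + SUFFIX
ANCHORED = r"^bankcode=([^,]+)," + SUFFIX + "$"

PATTERNS = [("with_prefix", WITH_PREFIX),
            ("no_prefix", NO_PREFIX),
            ("anchored", ANCHORED)]

# Constructed sample DNs: the bankcode entry, a child below it, and a DN
# that contains "bankcode=" at two levels.
BANK = "bankcode=1234," + SUFFIX
CHILD = "cn=jan,ou=users," + BANK
NESTED = "cn=x,bankcode=1,ou=y,bankcode=2," + SUFFIX


def acl_match(pattern, dn):
    """Return the $1 capture if the pattern selects this DN, else None.

    Assumption: an unanchored, case-insensitive search models how the
    server applies the dn= regex to the entry DN.
    """
    m = re.search(pattern, dn, re.IGNORECASE)
    return m.group(1) if m else None


def report():
    """Map pattern name -> {dn: $1 capture or None} for the sample DNs."""
    return {name: {dn: acl_match(pat, dn) for dn in (BANK, CHILD, NESTED)}
            for name, pat in PATTERNS}


if __name__ == "__main__":
    for name, hits in report().items():
        for dn, cap in hits.items():
            print(f"{name:12} {dn:52} $1={cap!r}")
```

Without ^ and $, the shorter pattern matches any DN that merely contains the bankcode entry's DN, so it selects the entry and everything below it; with the greedy (.*), $1 can also span several RDNs, which changes the DN the updater rule is expanded to.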