
RE: access control with dn=*. gives bad performance



OFF

-----Original Message-----
From: Tony Earnshaw [mailto:tonni@billy.demon.nl]
Sent: Wednesday 20 November 2002 14:23
To: Hul van den, G (Gerrit)
Cc: openldap-software@OpenLDAP.org
Subject: Re: access control with dn=*. gives bad performance


On Wed, 2002-11-20 at 13:23, Hul van den, G (Gerrit) wrote:

> I have added extra rules in my access control list, for example:
> 	access to dn=".*,bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid"
> 		by dn="cn=updater,bankcode=$1,ou=lb,o=rabobank,c=nl" write
> 		by dn="cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl" write
> 		by * read
> to get write access to the 'roleid' attribute by 'sysbeheer'.
> This results in bad performance.

> I've changed the rules (removed the .* after dn=):
> 	access to dn="bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid"
> 		by dn="cn=updater,bankcode=$1,ou=lb,o=rabobank,c=nl" write
> 		by dn="cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl" write
> 		by * read
> The performance is nearly back to the old level and I've write access to
> all the sublevels of "bankcode=(.*),ou=lb,o=rabobank,c=nl" attr="roleid".

> This is what I want, but I don't understand why I have write access to the
> sublevels?

It has been written by those who know, in this group, that both syslog
and use of regexes take an enormous toll on performance. How you can
best avoid the regexes in certain situations was described by Kurt Z. on
the 11th November last.

Also bear in mind that later versions (like 2.1.x and greater with BDB
4.x) of OpenLDAP can give added advantages, if not performance.

Best,

Tonni

-- 

Tony Earnshaw

I *know* what Rabobank is and that it is gradually taking Linux
more to heart. Nevertheless, with this kind of attempt, I am
glad that ING is "my bank" :-)


e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
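
Added example, not part of the original thread: a Python sketch of why the changed rule also covers entries below `bankcode=...`, assuming slapd applies the `dn=` pattern as an unanchored regular-expression match against the entry DN. The sample DNs and the two anchored variants are constructed for illustration, and Python's `re` stands in for slapd's POSIX regex engine.

```python
import re

# Constructed sample DNs (not from the original post).
SAMPLE_DNS = [
    "bankcode=1234,ou=lb,o=rabobank,c=nl",
    "cn=jan,bankcode=1234,ou=lb,o=rabobank,c=nl",
    "cn=role,cn=jan,bankcode=1234,ou=lb,o=rabobank,c=nl",
    "cn=sysbeheer,ou=beheer,ou=lb,o=rabobank,c=nl",
]

# "original" and "changed" are the two patterns from the post; the two
# anchored variants are assumptions added here for comparison.
PATTERNS = {
    "original": r".*,bankcode=(.*),ou=lb,o=rabobank,c=nl",
    "changed": r"bankcode=(.*),ou=lb,o=rabobank,c=nl",
    "entry_only": r"^bankcode=([^,]+),ou=lb,o=rabobank,c=nl$",
    # Optional prefix group: the bankcode value becomes $2, not $1.
    "subtree": r"^(.+,)?bankcode=([^,]+),ou=lb,o=rabobank,c=nl$",
}

def covered(pattern, dns=SAMPLE_DNS):
    """Return {dn: captured groups} for every DN the pattern selects.

    re.search() models an unanchored match: the pattern may match
    anywhere inside the DN unless it carries ^ and $ itself.
    """
    result = {}
    for dn in dns:
        m = re.search(pattern, dn)
        if m:
            result[dn] = m.groups()
    return result

def by_clause(template, groups):
    """Expand $1..$9 in a 'by dn=' template with the captured groups."""
    return re.sub(r"\$(\d)",
                  lambda m: groups[int(m.group(1)) - 1] or "", template)

if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(name, pattern)
        for dn, groups in covered(pattern).items():
            print("   ", dn, "->", groups)
```

The unanchored "changed" pattern selects the `bankcode=` entry and everything beneath it because the pattern is found as a substring of the longer DNs; "entry_only" shows the narrower scope obtained with `^` and `$`.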


 