[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Slow search with cn=, not with cn=abc

To: openldap-software@OpenLDAP.org
Subject: Re: Slow search with cn=*, not with cn=abc*
From: Ace Suares <ace@suares.nl>
Date: Mon, 12 Apr 2004 18:19:25 -0400
Content-description: clearsigned data
Content-disposition: inline
In-reply-to: <1081776180.10855.18.camel@localhost>
Organization: Ace Suares' Internet Consultancy
References: <200404111333.37352.ace@suares.nl> <1081776180.10855.18.camel@localhost>
User-agent: KMail/1.5.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Thanks for downgrading to debug the problem!

BTW I was using 2.1.25 not 2.1.26, and certainly not yet 2.1.29, but the 
problem is still there.

I suspected it was in PHP, but ldapsearch has the same very long time to find 
1000 users with 'cn=*'  and considerably shorter with cn="abc*"

The first for rules in my ACL are:

# Allow read access of root DSE to ALL
access to dn=""
        by * read

# Allow read access of 'cn=Subschema' to ALL
access to dn="cn=Subschema"
        by * read

# Allow search access on attrs=objectclass,uid to ANONYMOUS
access to attrs=objectclass,uid
        by anonymous search stop
        by * none break

# Allow read access on attrs=entry,cn to ANONYMOUS
access to attrs=entry,cn,qwidostatus
        by anonymous read stop
        by * none break

Since I am doing 

	ldapsearch -x -h localhost -p 9389 -b "qwidoApp=qwido" 
	"(&(objectclass=qwidoQmailUser)(cn=*))"

which is an anonymous bind, it should evaluate only the first 4 rules...

Wait a minute... if I search specifically for attribute cn, as you suggested,
like this:

	ldapsearch -x -h localhost -p 9389 -b "qwidoApp=qwido" 
	"(&(objectclass=qwidoQmailUser)(cn=*))" cn

then the time for cn=* is considerably shorter... about a second or 2, instead 
of 12 - 20.

Conclusion: evaluation of my long list of ACL's slows things down!

Thanks for helping me find a possible solution. That is, IF I can make my 
ACL's more efficient :-(

Cheers,
ace






> søn, 11.04.2004 kl. 19.33 skrev Ace Suares:
> > I am encountering a slow search when I search for something like
> > 	(&(objectclass=qmailuser)(cn=*))
> > but not if I use something like
> > 	(&(objectclass=qmailuser)(cn=abc*))
> >
> > I use openLDAP 2.1.26, bdb 4.2.52 with the latest patches, on Debian
> > Woody.
>
> I dropped back to OL from 2.2.8 to 2.1.29 in the weekend and just tried
> this for you (but with max 100 entries):
>
> ldapsearch -x '(&(objectclass=CourierMailAccount)(cn=t*))' cn, etc (as
> you stated). All were more or less instantaneous (didn't take the time).
> Indices: cn pres,eq objectClass pres,eq.
>
> This was using ldapi, BDB 4.2.52/patches, RedHat RHEL3
>
> --Tonni

- -- 
Ace Suares' Internet Consultancy
NIEUW ADRES: Postbus 2599, 4800 CN Breda
telefoon: 06-244 33 608
fax en voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQFAexXuy7boE8xtIjURAt0rAJ9pqy9RjOQ7vu3Kp+UmkVOPmIhT9gCeO1fK
AXf7iTUOwXzApmAgddf+VKs=
=qIvP
-----END PGP SIGNATURE-----

References:
- Slow search with cn=*, not with cn=abc*
  - From: Ace Suares <ace@suares.nl>
- Re: Slow search with cn=*, not with cn=abc*
  - From: Tony Earnshaw <tonye@billy.demon.nl>

Prev by Date: Index only works on 4+ characters?
Next by Date: Re: Index only works on 4+ characters?
Index(es):
- Chronological
- Thread

Re: Slow search with cn=*, not with cn=abc*

Re: Slow search with cn=, not with cn=abc