
Re: Move From Redhat 7.3 to redhat ES 3.0



* Simon Oliver
| 
| Can you give examples of the acls that caused problems so that we
| can avoid them too?

No, they are too stupid to post in public :-)

I used ACLs to allow connections only from some hosts with this rule:

access to *
   by self read
   by peername.regex="^IP=10\.0\.0\.(31|32|38|54|56|62|78|82|83|88|90|91|93|96|97|99|101|103|105|106|107|108|109|110|111|112|113|115|116|117|119|120|122|123|124|125|126|129|141|142|143|144|144|145).*" read
   by * none

That was not clever. When I changed to:

access to *
   by * read

This simple search:
 
 $ ldapsearch -ZZ -LLL -x -h ldapserver.invalid \(uid=\*\) cn

was about 5 times faster.

The simple lesson is to watch your acls if you have a performance
problem.

BTW: I am now using tcp_wrappers to achieve the same access policy.


 - Terje
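The tcp_wrappers setup Terje mentions, written out as an added example (this is not from the original post and not Terje's configuration). It turns the host list from the regex ACL into a hosts.allow/hosts.deny pair for the slapd daemon and keeps the slapd ACL itself at the simple `by * read` form. Assumptions: the daemon name that slapd reports to tcp_wrappers is `slapd`, slapd was built with `--enable-wrappers` (otherwise hosts.allow is ignored), and the files are written to a sandbox directory `$OUT`, not to /etc.

```shell
#!/bin/sh
# Added example (not from the original post): express the host whitelist that
# the regex ACL encoded as tcp_wrappers rules for slapd, and keep the slapd
# ACL trivial.  Output goes under $OUT (a sandbox, assumed path), NOT /etc;
# copy the files there yourself after review.  slapd only honours
# hosts.allow/hosts.deny when it was built with --enable-wrappers.

OUT=${OUT:-${TMPDIR:-/tmp}/wrappers-example}
SUBNET=10.0.0

# Last octets copied from the regex in the post (144 appears twice there).
OCTETS="31 32 38 54 56 62 78 82 83 88 90 91 93 96 97 99 101 103 105 106 107
108 109 110 111 112 113 115 116 117 119 120 122 123 124 125 126 129 141 142
143 144 144 145"

# Print the distinct client addresses, one per line, sorted by last octet.
client_list() {
    for o in $OCTETS; do echo "$SUBNET.$o"; done | sort -t. -k4,4n -u
}

# Number of distinct clients the policy admits.
client_count() {
    client_list | wc -l | tr -d ' '
}

# The hosts.allow rule: "daemon: client client ..." on one line.
allow_rule() {
    printf 'slapd: %s\n' "$(client_list | tr '\n' ' ' | sed 's/ $//')"
}

# Write the wrappers files plus the simplified slapd ACL for comparison.
write_config() {
    mkdir -p "$OUT"
    allow_rule > "$OUT/hosts.allow"
    # tcp_wrappers consults hosts.allow first, then hosts.deny; a client that
    # matches neither is ALLOWED, so hosts.deny must close the default.
    printf 'slapd: ALL\n' > "$OUT/hosts.deny"
    cat > "$OUT/slapd-acl.conf" <<'EOF'
# Host filtering now happens in tcp_wrappers at connection time, so the ACL
# no longer needs a regex that slapd re-evaluates on every access check.
access to *
   by * read
EOF
}

write_config
echo "wrote $OUT/hosts.allow ($(client_count) clients), hosts.deny, slapd-acl.conf"
# To test a client against the installed rules without touching slapd, use
# the tcpdmatch tool that ships with tcp_wrappers:  tcpdmatch slapd 10.0.0.31
```

The difference in cost is where the check runs: tcp_wrappers decides once per TCP connection, whereas a `by peername.regex` clause is evaluated on every entry and attribute the search touches, which is why a long alternation shows up in search time. On OpenLDAP 2.2 and later, `by peername.ip=10.0.0.0%255.255.255.0` does an address comparison instead of a regex, but note that a netmask rule admits the whole /24, which is broader than the explicit host list above.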