[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Access control
Rich Graves wrote:
On Tue, 25 May 2004, John Borwick wrote:
Here's a rule I wrote yesterday:
access to dn.subtree="ou=Users,dc=wfu,dc=edu"
attr=entry,wfuIsPublic,objectClass,uid
filter=(wfuIsPublic=Y)
by * read
What is the performance impact of this?
[snip]
This sounds lame, but to "optimize" the rule I put it at the beginning
of the access list. It's #2 after "access to attr=userPassword by *
none", since the data will be used so frequently.
When running with "slapd -d -1" to test different variations of the
rule, it looks like slapd iterates through each rule for each attribute,
starting with the meta-attribute "entry".
My guess is that, presuming the request is for all data available, the #
of rule matches for each entry looks like
Let N = rule's position in list of rules
N * number attributes in search filter
+ N * number of attributes in record (presuming success)
So, a successful objectclass=* search with a limit of 100 entries, for
users with an average of 20 attributes, for a rule like the above in
position #10 in the list of rules, would be something like
100 entries * (20 attributes + 1 search attribute) * 10th in position
= 21000 rule evaluations
Please correct me if I am wrong. I'm not an expert at how LDAP performs
access control.
Yours,
John
--
John Borwick | work 336 758 2507
Systems Administrator | cell 336 391 6623
Wake Forest University | web http://www.wfu.edu/~borwicjh
Winston-Salem, NC, USA | GPG key ID 7F1F051B
Attachment:
signature.asc
Description: OpenPGP digital signature