Re: Access control

[Pierangelo Masarati <ando@sys-net.it>]

John Borwick wrote:

> Rich Graves wrote:
>
> > On Tue, 25 May 2004, John Borwick wrote:
> >
> >
> > > Here's a rule I wrote yesterday:
> > >
> > > access to dn.subtree="ou=Users,dc=wfu,dc=edu"
> > >         attr=entry,wfuIsPublic,objectClass,uid
> > >         filter=(wfuIsPublic=Y)
> > >         by * read
> >
> >
> >
> > What is the performance impact of this?
> [snip]
>
> This sounds lame, but to "optimize" the rule I put it at the beginning 
> of the access list.  It's #2 after "access to attr=userPassword by * 
> none", since the data will be used so frequently.
>
> When running with "slapd -d -1" to test different variations of the 
> rule, it looks like slapd iterates through each rule for each 
> attribute, starting with the meta-attribute "entry".
>
> My guess is that, presuming the request is for all data available, the 
> # of rule matches for each entry looks like
>
> Let N = rule's position in list of rules
>
> N * number attributes in search filter
>  + N * number of attributes in record (presuming success)
>
> So, a successful objectclass=* search with a limit of 100 entries, for 
> users with an average of 20 attributes, for a rule like the above in 
> position #10 in the list of rules, would be something like
>
>   100 entries * (20 attributes + 1 search attribute) * 10th in position
>     = 21000 rule evaluations
>
> Please correct me if I am wrong.  I'm not an expert at how LDAP 
> performs access control. 


There is some caching, but yes, in general that is correct.
Note that N <what> evaluations per entry per attr occur,
but (usually) only 1 <who> evaluation is performed, for
the only <what> that matches.

There might still be room for more caching (I doubt, but I
wouldn't be too assertive on the subject), but what slapd does
in checking permission is definitely sufficient and almost
surely required; I wouldn't change it without extreme care.

Ciao, p.