Re: Bad performance after adding several ACL settings.
On Mon, Jul 17, 2006 at 03:12:23PM +0800, Wang Penghui wrote:
> Hello, everyone,
>
> There is an openldap installation on my gentoo server. The version of
> server is net-nds/openldap-2.1.30-r2.
>
> The hardware information is
>
> CPU: Intel Xeon 2.4G x 2
> MEM: 512M x 2
> HD: SCSI 73G x 2 with Raid 1.
>
> There are about 10000 entries in the openldap database.
> There are 3600+ entries in a special ou. Before adding the acl setting to the
> slapd.conf on the special ou, if I search all the children of this
> ou, with the following command:
>
> ldapsearch -x -D "cn=manager,dc=xxx" -w xxx -b "ou=specialou,dc=xxx" > temp.file
>
> It will take less than 1 sec to finish the query.
This is more an enumeration and not exactly a search.
> ====BEGIN====
> access to attrs="userPassword"
> by dn="cn=manager,dc=xxx" write
> by self write
> by anonymous auth
> by * none
> access to filter="category=0 *"
Do you have a substring index for the category attribute? Also, you are using
just two characters, this is usually not enough for such a filter. If you were
using a more recent version of OpenLDAP (like 2.3.24), you could use the
index_substr_* parameters in slapd.conf to tune this (I don't know if 2.1.30
has this option, I think not).
> by dn="cn=manager,dc=xxx" write
> by dnattr=creatorsName write
> by * none
> access to dn="ou=contacts,ou=,dc=xxx"
> attrs=children
> by dn="cn=manager,dc=xxx" write
> by dn.regex="uid=[^,]+,ou=contacts,ou=specialou,dc=xxx" write
> by * none
> access to dn.regex="^uid=[^,]+,ou=contacts,ou=specialou,dc=xxx$"
> attrs=entry
> by dn="cn=manager,dc=xxx" write
> by dn.regex="uid=[^,]+,ou=contacts,ou=specialou,dc=xxx" write
> by * none
> access to dn.subtree="ou=contacts,ou=specialou,dc=xxx"
> filter="(&(!(category=5 FL))(category=11 GCC Member))"
Just make sure you also have an equality index for the category attribute.
> by dn="cn=manager,dc=xxx" write
> by dn="uid=duxiaolin,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=sunchengzhi,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=wangjin,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=supertuxadmin,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=anonymous,ou=contacts,ou=specialou,dc=xxx" none
> by self write
> by users none
> access to dn.subtree="ou=contacts,ou=specialou,dc=xxx"
> filter="(&(!(category=5 FL))(!(category=11 GCC Member)))"
> by dn="cn=manager,dc=xxx" write
> by dn="uid=supertuxadmin,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=duxiaolin,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=wangjin,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=sunchengzhi,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=anonymous,ou=contacts,ou=specialou,dc=xxx" none
> by self write
> access to dn.subtree="ou=contacts,ou=specialou,dc=xxx"
> filter="(&(category=5 FL)(category=11 GCC Member))"
> by dn="cn=manager,dc=xxx" write
> by dn="uid=duxiaolin,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=wangjin,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=sunchengzhi,ou=contacts,ou=specialou,dc=xxx" write
> by dn="uid=supertuxadmin,ou=contacts,ou=specialou,dc=xxx" write
> by self write
> by users read
> access to dn.subtree="dc=xxx" by * write
>
> ====END====
>
> And all the necessary attributes are indexed even the category which
> appeared in the acl filter.
For category you will need the substring and equality indexes at least. And I
don't think you can overcome the problem of too few characters in your
substring search without rebuilding OpenLDAP and setting this to a higher value
(I don't recall the #define, search the archives or the source).
> BTW, I have used ldbm as the database backend. I have heard that the
> ldbm backend will be discarded after 2.4, so should I change to another
> backend, such as bdb or gdbm?
You should change to bdb or hdb, but more importantly, upgrade your openldap
package to a more recent version. You are currently two generations behind.
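As an added example (not from either message in this thread), a slapd.conf fragment showing the equality and substring indexes the reply asks for on the category attribute, together with the 2.3-series index_substr_* tuning directives it mentions; the suffix, directory path and backend choice are assumed placeholders.

```conf
# slapd.conf fragment (added example, not from the thread).
# Assumes OpenLDAP 2.3.x; the index_substr_* directives below are
# global options and are not available in 2.1.30.

# Substring index tuning. The values shown are the documented defaults:
# initial/final substrings of 2 to 4 characters are indexed, and "any"
# substrings are indexed in 4-character windows stepped by 2.
index_substr_if_minlen 2
index_substr_if_maxlen 4
index_substr_any_len   4
index_substr_any_step  2

database   hdb
suffix     "dc=xxx"                 # placeholder suffix from the thread
directory  /var/lib/openldap-data   # assumed path

# --- Before (not enough): an equality index only. The ACL filter
# --- "category=0 *" is a substring match and cannot use it.
# index category eq

# --- After: equality index for "(category=5 FL)" and
# --- "(category=11 GCC Member)", substring index for "category=0 *".
index objectClass eq
index uid         eq
index category    eq,sub
```

Index directives only take effect for data written afterwards; after editing them, stop slapd and run slapindex so the existing 10000 entries are indexed as well.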