Re: Bad performance after adding several ACL settings.
Indexing has no impact whatsoever on the evaluation of
access filter= clauses.
Kurt
At 06:17 AM 7/17/2006, Andreas Hasenack wrote:
>On Mon, Jul 17, 2006 at 03:12:23PM +0800, Wang Penghui wrote:
>> Hello, everyone,
>>
>> There is an OpenLDAP installation on my Gentoo server. The version of
>> the server is net-nds/openldap-2.1.30-r2.
>>
>> The hardware information is
>>
>> CPU: Intel Xeon 2.4G x 2
>> MEM: 512M x 2
>> HD: SCSI 73G x 2 with Raid 1.
>>
>> There are about 10000 entries in the OpenLDAP database.
>> There are 3600+ entries in a special ou. Before adding the ACL settings
>> for the special ou to slapd.conf, if I search all the children of this
>> ou with the following command:
>>
>> ldapsearch -x -D "cn=manager,dc=xxx" -w xxx -b "ou=specialou,dc=xxx" >
>> temp.file
>>
>> It takes less than 1 sec to finish the query.
>
>This is more an enumeration and not exactly a search.
>
>> ====BEGIN====
>> access to attrs="userPassword"
>> by dn="cn=manager,dc=xxx" write
>> by self write
>> by anonymous auth
>> by * none
>> access to filter="category=0 *"
>
>Do you have a substring index for the category attribute? Also, you are using
>just two characters; this is usually not enough for such a filter. If you were
>using a more recent version of OpenLDAP (like 2.3.24), you could use the
>index_substr_* parameters in slapd.conf to tune this (I don't know if 2.1.30
>has this option, I think not).
>
>> by dn="cn=manager,dc=xxx" write
>> by dnattr=creatorsName write
>> by * none
>> access to dn="ou=contacts,ou=,dc=xxx"
>> attrs=children
>> by dn="cn=manager,dc=xxx" write
>> by dn.regex="uid=[^,]+,ou=contacts,ou=specialou,dc=xxx" write
>> by * none
>> access to dn.regex="^uid=[^,]+,ou=contacts,ou=specialou,dc=xxx$"
>> attrs=entry
>> by dn="cn=manager,dc=xxx" write
>> by dn.regex="uid=[^,]+,ou=contacts,ou=specialou,dc=xxx" write
>> by * none
>> access to dn.subtree="ou=contacts,ou=specialou,dc=xxx"
>> filter="(&(!(category=5 FL))(category=11 GCC Member))"
>
>Just make sure you also have an equality index for the category attribute.
>
>> by dn="cn=manager,dc=xxx" write
>> by dn="uid=duxiaolin,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=sunchengzhi,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=wangjin,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=supertuxadmin,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=anonymous,ou=contacts,ou=specialou,dc=xxx" none
>> by self write
>> by users none
>> access to dn.subtree="ou=contacts,ou=specialou,dc=xxx"
>> filter="(&(!(category=5 FL))(!(category=11 GCC Member)))"
>> by dn="cn=manager,dc=xxx" write
>> by dn="uid=supertuxadmin,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=duxiaolin,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=wangjin,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=sunchengzhi,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=anonymous,ou=contacts,ou=specialou,dc=xxx" none
>> by self write
>> access to dn.subtree="ou=contacts,ou=specialou,dc=xxx"
>> filter="(&(category=5 FL)(category=11 GCC Member))"
>> by dn="cn=manager,dc=xxx" write
>> by dn="uid=duxiaolin,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=wangjin,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=sunchengzhi,ou=contacts,ou=specialou,dc=xxx" write
>> by dn="uid=supertuxadmin,ou=contacts,ou=specialou,dc=xxx" write
>> by self write
>> by users read
>> access to dn.subtree="dc=xxx" by * write
>>
>> ===END===
>>
>> And all the necessary attributes are indexed, even the category which
>> appears in the ACL filter.
>
>For category you will need the substring and equality indexes at least. And I
>don't think you can overcome the problem of too few characters in your
>substring search without rebuilding OpenLDAP and setting this to a higher value
>(I don't recall the #define, search the archives or the source).
>
>> BTW, I have used ldbm as the database backend. I have heard that the
>> ldbm backend will be discarded after 2.4; should I change to another
>> backend, such as bdb or gdbm?
>
>You should change to bdb or hdb, but more importantly, upgrade your openldap
>package to a more recent version. You are currently two generations behind.
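Added example, not code from the OpenLDAP project or from any of the participants above: a small Python model of the clause walk Kurt's answer refers to. For each entry a search returns, and for each attribute the client asked for, slapd tries the "access to" clauses in order, and the first clause whose dn, attrs and filter selectors all match decides the access. A filter= selector is tested against that entry's own attribute values; an index narrows the candidate set for the search filter and plays no part in that per-entry test, so indexing category cannot make the ACL walk cheaper. The model keeps the posted clauses in their posted order but only their selectors (the <by> lists are dropped), leaves out the two clauses on the children/entry pseudo-attributes because the walk here covers ordinary attributes only, does one check per requested attribute where slapd checks per attribute value, and runs over constructed sample entries whose category values are modelled on those in the posted filters. The filter parser covers only the subset those filters need.

```python
"""Model of slapd's "access to" clause walk over one search result set.
Added example for this thread, not OpenLDAP code: selectors only (dn / attrs /
filter), <by> lists ignored, one check per requested attribute, not per value."""
import re
CONTACTS = "ou=contacts,ou=specialou,dc=xxx"

def parse_filter(text):
    """Parse a subset of RFC 4515: (&..) (|..) (!..) and attr=value items, '*' in a
    value meaning substring. A bare item (the posted "category=0 *") is accepted."""
    text = text.strip()
    if not text.startswith("("):
        text = "(" + text + ")"
    return _parse(text)[0]

def _parse(text):
    if text[1] in "&|!":
        kids, rest = [], text[2:]
        while rest.startswith("("):
            kid, rest = _parse(rest)
            kids.append(kid)
        return (text[1], kids), rest[1:]  # rest[0] is the closing ')'
    end = text.index(")")
    attr, _, value = text[1:end].partition("=")
    return ("item", attr.lower(), value), text[end + 1:]

def match_filter(node, entry):
    """Evaluate a parsed filter against one entry (dict attr -> [values]). Like an
    ACL filter= in slapd, it reads the entry's own values; no index is consulted."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(match_filter(k, entry) for k in node[1])
    if node[0] == "!":
        return not match_filter(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if "*" in value:
        pat = ".*".join(re.escape(p) for p in value.lower().split("*"))
        return any(re.fullmatch(pat, v) for v in values)
    return value.lower() in values

def dn_subtree(base):
    # dn.subtree="base" selector: the base entry itself or any DN below it
    base = base.lower()
    return lambda dn: dn.lower() == base or dn.lower().endswith("," + base)

class Clause:
    # selectors of one "access to" clause; the filter is parsed once at load
    def __init__(self, label, dn=None, attrs=None, filter=None):
        self.label, self.dn = label, dn
        self.attrs = {a.lower() for a in attrs} if attrs else None
        self.filter = parse_filter(filter) if filter else None

# The posted ACL reduced to its selectors, in posted order. The two clauses on the
# children/entry pseudo-attributes are left out: they never select ordinary attributes.
ACL = [
    Clause("userPassword", attrs=["userPassword"]),
    Clause("category 0 *", filter="category=0 *"),
    Clause("GCC, not FL", dn=dn_subtree(CONTACTS),
           filter="(&(!(category=5 FL))(category=11 GCC Member))"),
    Clause("neither", dn=dn_subtree(CONTACTS),
           filter="(&(!(category=5 FL))(!(category=11 GCC Member)))"),
    Clause("both", dn=dn_subtree(CONTACTS),
           filter="(&(category=5 FL)(category=11 GCC Member))"),
    Clause("dc=xxx catch-all", dn=dn_subtree("dc=xxx")),
]

def first_match(dn, entry, attr, acl, counter):
    """First clause whose selectors all match; every filter test is counted."""
    for c in acl:
        if c.dn is not None and not c.dn(dn):
            continue
        if c.attrs is not None and attr.lower() not in c.attrs:
            continue
        if c.filter is not None:
            counter["filter_evals"] += 1
            if not match_filter(c.filter, entry):
                continue
        return c
    return None

def walk_search_result(entries, attrs, acl=ACL):
    """Return ({(dn, attr): deciding clause label}, total filter evaluations)."""
    counter, decisions = {"filter_evals": 0}, {}
    for dn, entry in entries:
        for attr in attrs:
            c = first_match(dn, entry, attr, acl, counter)
            decisions[(dn, attr)] = c.label if c else None
    return decisions, counter["filter_evals"]

def make_entries(n):
    """Constructed sample contacts; category cycles through three values."""
    cats = ["0 Other", "5 FL", "11 GCC Member"]
    return [("uid=user%d,%s" % (i, CONTACTS),
             {"cn": ["User %d" % i], "category": [cats[i % 3]]}) for i in range(n)]

if __name__ == "__main__":
    for n in (9, 3600):
        _, evals = walk_search_result(make_entries(n), ["cn", "category"])
        print("%5d entries x 2 attrs -> %6d ACL filter evaluations" % (n, evals))
```

Run stand-alone it prints the evaluation counts for 9 and 3600 constructed entries. The count grows with entries times requested attributes, and every entry that reaches the three category clauses pays for each of them whether or not category is indexed; in a real slapd the check is per attribute value and also covers the entry pseudo-attribute, so the real number is higher still, not lower. The walk also shows something visible in the posted clauses themselves: for an ordinary attribute such as cn, an entry whose only category value is "5 FL" matches none of the three category filters and falls through to the final access to dn.subtree="dc=xxx" by * write.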