Hi,

I'm just checking the subentryInterceptor while trying to find the best way to fix the ACI handling when the server is stopped and restarted.

There is something really unpleasant in this interceptor: when adding a subtree, we do a search in the DIT to find all the entries that are part of the subtree, and each of them is modified to have the accessControlSubentries AT added, with a reference to the subentry.

If the server contains millions of entries, this is simply not an option.

The direct consequence is that anytime we add an ACI which spans a lot of entries, we will have a large number of modifications applied, and it's definitely a costly operation (moreover, I don't see how we can assure the atomicity of such an operation...)

We have to find a better way to determine if an entry is part of a subtree than by modifying this entry.

Another annoying aspect is that when we evaluate an ACI, we have to get the subtree from the subEntry interceptor, because the associated cache is not global. This is not a good thing either. Caches must be handled globally by the DirectoryService instance, not by each interceptor.

Still a lot of work before we can release a production ready server, guys...

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
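
One way to decide subtree membership without touching the entries, as an added example (not ApacheDS code and not from the original message): the DN-based part of a subtree specification is evaluated at ACI-evaluation time against one server-wide cache of subentries. The class, record and method names are hypothetical, the exclusions are assumed to be already resolved to absolute DNs, and refinement filters are left out.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

/** Added illustration with hypothetical names; not ApacheDS code. */
public class SubtreeMembership {
    /** DN-based part of a subtree specification (base, minimum, maximum, exclusions). */
    record SubtreeSpec(LdapName base, int minimum, int maximum, List<LdapName> chopBefore) {
        boolean selects(LdapName entry) {
            if (!entry.startsWith(base)) return false;          // not under the subtree base
            int depth = entry.size() - base.size();             // number of RDNs below the base
            if (depth < minimum) return false;
            if (maximum >= 0 && depth > maximum) return false;  // -1 means unbounded
            for (LdapName chop : chopBefore)
                if (entry.startsWith(chop)) return false;       // excluded entry or branch
            return true;
        }
    }

    // One server-wide cache: subentry DN -> specification, updated only when a subentry changes.
    private final Map<LdapName, SubtreeSpec> specs = new ConcurrentHashMap<>();

    void putSubentry(LdapName subentryDn, SubtreeSpec spec) { specs.put(subentryDn, spec); }
    void removeSubentry(LdapName subentryDn) { specs.remove(subentryDn); }

    /** Subentries governing an entry, computed at evaluation time; the entry is never modified. */
    List<LdapName> subentriesFor(LdapName entry) {
        return specs.entrySet().stream()
                .filter(e -> e.getValue().selects(entry))
                .map(Map.Entry::getKey)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws InvalidNameException {
        SubtreeMembership cache = new SubtreeMembership();
        // Constructed sample data.
        LdapName base = new LdapName("ou=people,dc=example,dc=com");
        LdapName sub = new LdapName("cn=peopleAci,ou=people,dc=example,dc=com");
        LdapName chop = new LdapName("ou=contractors,ou=people,dc=example,dc=com");
        cache.putSubentry(sub, new SubtreeSpec(base, 0, -1, List.of(chop)));

        System.out.println(cache.subentriesFor(new LdapName("uid=jdoe,ou=people,dc=example,dc=com")));
        System.out.println(cache.subentriesFor(new LdapName("uid=tmp,ou=contractors,ou=people,dc=example,dc=com")));
        System.out.println(cache.subentriesFor(new LdapName("uid=svc,ou=services,dc=example,dc=com")));
    }
}
```

Adding or removing an ACI subentry then changes one cache entry instead of rewriting every entry in the subtree, so the atomicity question reduces to a single update.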
